Solved Reverse NAT with pf.conf -> Split DNS with unbound

Good evening everyone,

I have a question regarding my pf.conf: how do I set up my firewall to get reverse NAT working? From what I have read there is a natd available, but it works with firewalld. My current pf configuration is below:

Code:
##################################################
# Firewall (PF) by Airost made on 27/04/2022     #
##################################################

##############################
# Macros and tables         #
##############################

# Interface macros. NOTE(review): lo_if, lan_net and my_ip are defined but
# not referenced by any active rule below (my_ip only appears in a
# commented-out route-to rule; the rdr rules hard-code 212.159.22.253).
lo_if="lo0"            #loopback
wan_if="tun0"            #PlusNet (presumably the PPPoE tunnel mentioned later in the thread)
lan_if="bge1"            #LAN
lan_net="172.16.0.1/16"        #LAN network (host bits set; the network itself is 172.16.0.0/16)
my_ip="212.159.22.253"        #WAN IP
rockyvm="tap1"            #Rocky VM
win2012servervm="tap0"        #Windows 2012 Server VM
ubuntuvm="tap2"            #Ubuntu VM
win2022servervm="tap3"        #Windows 2022 Server VM


# LAN hosts ("uzytkownicy" = users). Only used as an outbound-NAT source
# list; most of these addresses are also tagged one by one in the
# "Tagging LAN packets" section so ALTQ can pick a per-host queue.
uzytkownicy="{        172.16.0.1,
            172.16.0.2,
            172.16.0.3,
            172.16.0.4,
            172.16.0.5,
            172.16.0.6,
            172.16.0.7,
            172.16.0.8,
            172.16.0.9,
            172.16.0.10,
            172.16.0.11,
            172.16.0.12,
            172.16.0.13,
            172.16.0.14,
            172.16.0.15,
            172.16.0.16,
            172.16.0.17,
            172.16.0.18,
            172.16.0.19,
            172.16.0.20,
            172.16.0.21,
            172.16.0.22,
            172.16.0.23,
            172.16.0.24,
            172.16.0.25,
            172.16.1.2,
            172.16.0.109,
            172.16.0.100,
            172.16.0.110,
            172.16.0.111,
            172.16.0.120,    
            172.16.0.121,    
            172.16.10.2,
            172.16.10.3    }"


# VM guest addresses (the thread says 10.0.0.0/8 is used for the VMs).
# Like the list above, only used as an outbound-NAT source list.
virtual="{        10.0.0.1,
            10.0.0.2,
            10.0.0.3,
            10.0.0.4,
            10.0.0.10,
            10.0.0.20,
            10.0.0.100    }"

# NOTE(review): pf collects statistics for a single loginterface, so the
# second "set loginterface" appears to replace the first — $wan_if counters
# would then not be collected.
set loginterface $wan_if
set loginterface $lan_if

set optimization normal

##############################
# Packet normalization      #
##############################

# Reassemble and sanitize everything inbound; on the WAN tunnel additionally
# clear the don't-fragment bit (commonly done on tunnels with a reduced MTU).
scrub in all
scrub on $wan_if no-df

##############################
# AltQ - upload             #
##############################

# Upload shaping on the WAN tunnel: one CBQ child queue per LAN host/device,
# selected by the "pass out ... tagged ... queue" rules further down.
# std_out is the default queue for anything untagged.
# NOTE(review): CBQ only shapes usefully when the parent bandwidth matches
# the real upstream rate — confirm 1Gb is intended for the PPPoE link.
altq on $wan_if cbq bandwidth 1Gb queue { std_out        \
                      accesspointac_out    \
                      airost_out        \
                      airostmobile_out    \
                      aszka_out        \
                      aszkamobile_out    \
                      aszkaipad_out        \
                      PS4_out        \
                      amazontv_out        \
                      bluray_out         \
                      nx6330_out        \
                      aszkamobile7plus_out    \
                      airostiphonese_out    \
                      vch_out        \
                      wch_out        \
                      annatanska_out    \
                      romantanski_out    \
                      morfinalaptop_out    \
                      accesspointn_out    \
                      airosteth_out        \
                      amazontveth_out    \
                      canonprinter_out    \
                      hpprinter_out        \
                      wwwserver_out     \
                      mailserver_out    \
                      gameserver_out }
# "borrow" lets a queue use idle parent bandwidth; "red" enables Random
# Early Detection instead of tail drop.
queue std_out            bandwidth 30Mb cbq(default borrow red)
queue accesspointac_out        bandwidth 300Mb cbq(borrow red)
queue airost_out        bandwidth 10Mb  cbq(red)
queue airostmobile_out        bandwidth 1Mb  cbq(red)
queue aszka_out            bandwidth 5Mb cbq(red)
queue aszkamobile_out        bandwidth 1Mb  cbq(red)
queue aszkaipad_out        bandwidth 1Mb  cbq(red)
queue PS4_out            bandwidth 1Mb  cbq(red)
queue amazontv_out        bandwidth 1Mb  cbq(red)
queue bluray_out        bandwidth 1Mb  cbq(red)
queue nx6330_out        bandwidth 1Mb  cbq(red)
queue aszkamobile7plus_out    bandwidth 1Mb  cbq(red)
queue airostiphonese_out    bandwidth 1Mb  cbq(red)
queue vch_out            bandwidth 1Mb  cbq(red)
queue wch_out            bandwidth 1Mb  cbq(red)
queue annatanska_out        bandwidth 1Mb  cbq(red)
queue romantanski_out        bandwidth 1Mb  cbq(red)
queue morfinalaptop_out        bandwidth 1Mb  cbq(red)
queue accesspointn_out          bandwidth 300Mb cbq(borrow red)
queue airosteth_out             bandwidth 10Mb  cbq(red)
queue amazontveth_out        bandwidth 1Mb  cbq(red)
queue canonprinter_out          bandwidth 1Mb  cbq(red)
queue hpprinter_out            bandwidth 1Mb  cbq(red)
queue wwwserver_out        bandwidth 10Mb cbq(borrow red)
queue mailserver_out         bandwidth 10Mb cbq(borrow red)
queue gameserver_out         bandwidth 10Mb cbq(borrow red)

##############################
# AltQ - download           #
##############################

# Download shaping on the LAN interface (traffic leaving bge1 towards the
# hosts): the mirror image of the upload block, with higher per-host rates.
# std_in is the default queue for anything untagged.
altq on $lan_if cbq bandwidth 1Gb queue { std_in        \
                      accesspointac_in    \
                      airost_in        \
                      airostmobile_in    \
                      aszka_in        \
                      aszkamobile_in    \
                      aszkaipad_in        \
                      PS4_in        \
                      amazontv_in        \
                      bluray_in         \
                      nx6330_in        \
                      aszkamobile7plus_in    \
                      airostiphonese_in    \
                      vch_in        \
                      wch_in        \
                      annatanska_in        \
                      romantanski_in    \
                      morfinalaptop_in    \
                      accesspointn_in    \
                      airosteth_in        \
                      amazontveth_in    \
                      canonprinter_in    \
                      hpprinter_in        \
                      wwwserver_in         \
                      mailserver_in        \
                      gameserver_in }
queue std_in            bandwidth 78Mb cbq(default borrow red)
queue accesspointac_in        bandwidth 378Mb cbq(borrow red)
queue airost_in            bandwidth 30Mb cbq(borrow red)
queue airostmobile_in        bandwidth 5Mb  cbq(red)
queue aszka_in            bandwidth 20Mb cbq(borrow red)
queue aszkamobile_in        bandwidth 5Mb  cbq(red)
queue aszkaipad_in        bandwidth 5Mb  cbq(red)
queue PS4_in            bandwidth 10Mb cbq(borrow red)
queue amazontv_in        bandwidth 10Mb cbq(borrow red)
queue bluray_in            bandwidth 10Mb cbq(borrow red)
queue nx6330_in            bandwidth 10Mb cbq(borrow red)
queue aszkamobile7plus_in    bandwidth 5Mb  cbq(red)
queue airostiphonese_in        bandwidth 5Mb  cbq(red)
queue vch_in            bandwidth 5Mb  cbq(red)
queue wch_in            bandwidth 5Mb  cbq(borrow red)
queue annatanska_in        bandwidth 5Mb  cbq(red)
queue romantanski_in        bandwidth 5Mb  cbq(red)
queue morfinalaptop_in        bandwidth 5Mb  cbq(red)
queue accesspointn_in           bandwidth 78Mb cbq(borrow red)
queue airosteth_in              bandwidth 30Mb cbq(borrow red)
queue amazontveth_in        bandwidth 10Mb cbq(red)
queue canonprinter_in           bandwidth 1Mb  cbq(red)
queue hpprinter_in              bandwidth 1Mb  cbq(red)
queue wwwserver_in        bandwidth 10Mb cbq(borrow red)
queue mailserver_in          bandwidth 10Mb cbq(borrow red)
queue gameserver_in          bandwidth 10Mb cbq(borrow red)

##############################
# NAT -> LAN                #
##############################
# Outbound source NAT: rewrite LAN and VM sources to the tunnel's address.
# "($wan_if)" in parentheses follows the tunnel address when it changes.
nat on $wan_if from $uzytkownicy to any -> ($wan_if)
nat on $wan_if from $lan_if to any -> ($wan_if)

# NOTE(review): an interface name in "from" expands to that interface's own
# addresses (the host side of each tap), not to the guests behind it; the
# guests are covered by the $virtual list below.
nat on $wan_if from $rockyvm to any -> ($wan_if)
nat on $wan_if from $win2012servervm to any -> ($wan_if)
nat on $wan_if from $ubuntuvm to any -> ($wan_if)
nat on $wan_if from $win2022servervm to any -> ($wan_if)

nat on $wan_if from $virtual to any -> ($wan_if)

# NOTE(review): the disabled rule below is the source-NAT half of NAT
# reflection (the "reverse NAT" this thread asks about). On its own it does
# nothing; it only works together with matching rdr rules on $lan_if. The
# thread ends up solving the problem with split DNS in unbound instead.
#nat on $lan_if inet from ! ($lan_if) to any -> ($lan_if) 
##############################
# Redirect WAN -> LAN (port forwards) #
##############################
# Every rdr below is bound to $wan_if, so it only rewrites packets arriving
# on the tunnel. A LAN client connecting to the public address arrives on
# $lan_if and is NOT redirected — that is the NAT-reflection gap discussed
# in this thread. "rdr pass" also lets the redirected packets skip the
# filter rules below.
# Anchor for redirects managed dynamically by miniupnpd.
rdr-anchor miniupnpd

#Steam server [Rocky VM]
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443} -> 10.0.0.2
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27015, 27016, 7777 }  -> 10.0.0.2
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27005, 27020, 51840 }  -> 10.0.0.2
#Steam server [Rocky VM] Don't Starve Together
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 8768, 11000, 27018 } -> 10.0.0.2
#TeamSpeak server [Rocky VM]
rdr pass on $wan_if proto {tcp, udp} from any to any port 9987 -> 10.0.0.2 port 9987
rdr pass on $wan_if proto {tcp, udp} from any to any port 10011 -> 10.0.0.2 port 10011
rdr pass on $wan_if proto {tcp, udp} from any to any port 30033 -> 10.0.0.2 port 30033
#Shell access [Rocky VM]
# NOTE(review): these publish the VM's administrative ports (2281, 9090) to
# the whole Internet on both tcp and udp. Restrict the source where possible
# and drop udp unless the service actually uses it.
rdr pass on $wan_if proto {tcp, udp} from any to any port 2281 -> 10.0.0.2 port 2281
rdr pass on $wan_if proto {tcp, udp} from any to any port 9090 -> 10.0.0.2 port 9090
#HTTP server (note: web goes to 10.0.0.3, game/TeamSpeak to 10.0.0.2)
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443} -> 10.0.0.3

#Battle.net
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 6112  -> 172.16.0.3 port 6112

#Far Cry 3 (wide port ranges forwarded to the 172.16.0.3 workstation)
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9000:9010 }  -> 172.16.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 10009:10010 }  -> 172.16.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 13000:13200 }  -> 172.16.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 14000:14010 }  -> 172.16.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 21000:22000 }  -> 172.16.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 3074  -> 172.16.0.3




##### Works on the host
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 10011, 30033 } -> 212.159.22.253

#Minecraft Server
# NOTE(review): the target is the firewall's own public address, so this is
# effectively a pass-through to a service on this host rather than a forward
# to a LAN machine.
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 25565 -> 212.159.22.253 port 25565

##############################
# Firewall                  #
##############################

# NOTE(review): there is no default-deny. Everything is passed in both
# directions on every interface, including the WAN tunnel; the only
# exceptions are the "block ... quick" rules at the end of the file. A
# "block in on $wan_if" ahead of explicit passes would make the exposed
# surface the list of rdr rules rather than every listening service.
pass out all
pass in all

##############################
# AltQ - users              #
##############################

# PPTP (tcp/1723 plus GRE) arriving on the LAN and addressed to the WAN
# interface's own address.
# NOTE(review): q_normal and q_ack are not defined in either altq block
# above, so pfctl is likely to reject these two rules — confirm the ruleset
# loads as shown.
pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)

# Disabled policy-routing rule (the only user of $my_ip).
#pass in on $lan_if route-to ($wan_if $my_ip) from any to $my_ip

##############################
# Tagging LAN packets       #
##############################

# Each LAN host gets a tag (pf tags are sticky: a later matching rule does
# not remove them) that the ALTQ pass rules below use to choose its queue.
# NOTE(review): 172.16.0.25 is tagged "morinalaptop" but the queue rules
# below look for "morfinalaptop", so that host falls into the default queue.
# NOTE(review): the two 10.0.0.x rules match "in on $lan_if" (bge1), yet VM
# traffic presumably enters through the tap interfaces, so they may never
# match; the names (wwwserver=10.0.0.1, mailserver=10.0.0.2) also do not
# line up with the rdr targets above (web -> 10.0.0.3, TeamSpeak/game ->
# 10.0.0.2) — verify which VM is which.
pass in on $lan_if from 172.16.0.1 to any tag server            keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspointac        keep state
pass in on $lan_if from 172.16.0.3 to any tag airost            keep state
pass in on $lan_if from 172.16.0.4 to any tag airostmobile        keep state
pass in on $lan_if from 172.16.0.5 to any tag aszka            keep state
pass in on $lan_if from 172.16.0.6 to any tag aszkamobile        keep state
pass in on $lan_if from 172.16.0.7 to any tag aszkaipad            keep state
pass in on $lan_if from 172.16.0.8 to any tag PS4            keep state
pass in on $lan_if from 172.16.0.9 to any tag amazontv            keep state
pass in on $lan_if from 172.16.0.10 to any tag bluray            keep state
pass in on $lan_if from 172.16.0.11 to any tag nx6330               keep state
pass in on $lan_if from 172.16.0.12 to any tag aszkamobile7plus        keep state
pass in on $lan_if from 172.16.0.13 to any tag airostiphonese        keep state
pass in on $lan_if from 172.16.0.21 to any tag vch            keep state
pass in on $lan_if from 172.16.0.22 to any tag wch            keep state
pass in on $lan_if from 172.16.0.23 to any tag annatanska        keep state
pass in on $lan_if from 172.16.0.24 to any tag romantanski        keep state
pass in on $lan_if from 172.16.0.25 to any tag morinalaptop        keep state
pass in on $lan_if from 172.16.1.2 to any tag accesspointn              keep state
pass in on $lan_if from 172.16.0.100 to any tag airosteth               keep state
pass in on $lan_if from 172.16.0.109 to any tag amazontveth        keep state
pass in on $lan_if from 172.16.0.110 to any tag canonprinter            keep state
pass in on $lan_if from 172.16.0.111 to any tag hpprinter            keep state
pass in on $lan_if from 10.0.0.1 to any tag wwwserver            keep state
pass in on $lan_if from 10.0.0.2 to any tag mailserver            keep state
pass in on $lan_if from 172.16.10.2 to any tag gameserver        keep state

##############################
# AltQ - Upload             #
##############################

# Assign each tagged flow to its upload queue on the WAN tunnel.
# NOTE(review): "server_out" is not defined in the upload altq block (the
# tag "server" for 172.16.0.1 has no matching queue), so pfctl is likely to
# reject this first rule — either add the queue or drop the rule.
pass out on $wan_if all tagged server            keep state queue server_out
pass out on $wan_if all tagged accesspointac        keep state queue accesspointac_out
pass out on $wan_if all tagged airost            keep state queue airost_out
pass out on $wan_if all tagged airostmobile        keep state queue airostmobile_out
pass out on $wan_if all tagged aszka            keep state queue aszka_out
pass out on $wan_if all tagged aszkamobile        keep state queue aszkamobile_out
pass out on $wan_if all tagged aszkaipad        keep state queue aszkaipad_out
pass out on $wan_if all tagged PS4            keep state queue PS4_out
pass out on $wan_if all tagged amazontv            keep state queue amazontv_out
pass out on $wan_if all tagged bluray            keep state queue bluray_out
pass out on $wan_if all tagged nx6330            keep state queue nx6330_out
pass out on $wan_if all tagged aszkamobile7plus        keep state queue aszkamobile7plus_out
pass out on $wan_if all tagged airostiphonese        keep state queue airostiphonese_out
pass out on $wan_if all tagged vch            keep state queue vch_out
pass out on $wan_if all tagged wch            keep state queue wch_out
pass out on $wan_if all tagged annatanska        keep state queue annatanska_out
pass out on $wan_if all tagged romantanski        keep state queue romantanski_out
pass out on $wan_if all tagged morfinalaptop        keep state queue morfinalaptop_out
pass out on $wan_if all tagged accesspointn             keep state queue accesspointn_out
pass out on $wan_if all tagged airosteth                keep state queue airosteth_out
pass out on $wan_if all tagged amazontveth        keep state queue amazontveth_out
pass out on $wan_if all tagged canonprinter             keep state queue canonprinter_out
pass out on $wan_if all tagged hpprinter            keep state queue hpprinter_out
pass out on $wan_if all tagged wwwserver        keep state queue wwwserver_out
pass out on $wan_if all tagged mailserver        keep state queue mailserver_out
pass out on $wan_if all tagged gameserver        keep state queue gameserver_out


##############################
# AltQ - Download           #
##############################

# Assign each tagged flow to its download queue (the queues live on
# $lan_if, so the state's reply traffic towards the host is shaped there).
# NOTE(review): several names below match neither the tags applied above
# nor the queues defined in the download altq block, so those hosts fall
# into std_in silently (or pfctl rejects the ruleset if the queue is
# unknown):
#   tagged airostiphone     -> the tag is airostiphonese
#   tagged vch_out / wch_out -> the tags are vch / wch
#   queue annatanka_in       -> the queue is annatanska_in
#   queue server_in          -> not defined anywhere
pass in on $lan_if all tagged server            keep state queue server_in
pass in on $lan_if all tagged accesspointac        keep state queue accesspointac_in
pass in on $lan_if all tagged airost            keep state queue airost_in
pass in on $lan_if all tagged airostmobile        keep state queue airostmobile_in
pass in on $lan_if all tagged aszka            keep state queue aszka_in
pass in on $lan_if all tagged aszkamobile        keep state queue aszkamobile_in
pass in on $lan_if all tagged aszkaipad            keep state queue aszkaipad_in
pass in on $lan_if all tagged PS4            keep state queue PS4_in
pass in on $lan_if all tagged amazontv            keep state queue amazontv_in
pass in on $lan_if all tagged bluray            keep state queue bluray_in
pass in on $lan_if all tagged nx6330            keep state queue nx6330_in
pass in on $lan_if all tagged aszkamobile7plus        keep state queue aszkamobile7plus_in
pass in on $lan_if all tagged airostiphone        keep state queue airostiphonese_in
pass in on $lan_if all tagged vch_out            keep state queue vch_in
pass in on $lan_if all tagged wch_out            keep state queue wch_in
pass in on $lan_if all tagged annatanska        keep state queue annatanka_in
pass in on $lan_if all tagged romantanski        keep state queue romantanski_in
pass in on $lan_if all tagged morfinalaptop        keep state queue morfinalaptop_in
pass in on $lan_if all tagged accesspointn              keep state queue accesspointn_in
pass in on $lan_if all tagged airosteth                 keep state queue airosteth_in
pass in on $lan_if all tagged amazontveth        keep state queue amazontveth_in
pass in on $lan_if all tagged canonprinter              keep state queue canonprinter_in
pass in on $lan_if all tagged hpprinter                   keep state queue hpprinter_in
pass in on $lan_if all tagged wwwserver            keep state queue wwwserver_in
pass in on $lan_if all tagged mailserver             keep state queue mailserver_in
pass in on $lan_if all tagged gameserver             keep state queue gameserver_in

##############################
# Port blocking             #
##############################

# Logged blocks for Windows RPC/NetBIOS/SMB and a few low ephemeral ports.
# These are "quick", so they take effect even though they come after the
# non-quick "pass in all" above.
# NOTE(review): only tcp is blocked; NetBIOS name/datagram service (137/138)
# runs over udp, which these rules do not cover.
block in log quick on $wan_if proto tcp from any to any port = 135
block in log quick on $wan_if proto tcp from any to any port = 136
block in log quick on $wan_if proto tcp from any to any port = 137
block in log quick on $wan_if proto tcp from any to any port = 138
block in log quick on $wan_if proto tcp from any to any port = 139
block in log quick on $wan_if proto tcp from any to any port = 445
block in log quick on $wan_if proto tcp from any to any port = 593
block in log quick on $wan_if proto tcp from any to any port = 1024
block in log quick on $wan_if proto tcp from any to any port = 1025
block in log quick on $wan_if proto tcp from any to any port = 1026
block in log quick on $wan_if proto tcp from any to any port = 1027
block in log quick on $wan_if proto tcp from any to any port = 1028
block in log quick on $wan_if proto tcp from any to any port = 1029
block in log quick on $wan_if proto tcp from any to any port = 1030

# Same list on the LAN side (keeps LAN hosts from reaching these ports on
# the firewall or through it).
block in log quick on $lan_if proto tcp from any to any port = 135
block in log quick on $lan_if proto tcp from any to any port = 136
block in log quick on $lan_if proto tcp from any to any port = 137
block in log quick on $lan_if proto tcp from any to any port = 138
block in log quick on $lan_if proto tcp from any to any port = 139
block in log quick on $lan_if proto tcp from any to any port = 445
block in log quick on $lan_if proto tcp from any to any port = 593
block in log quick on $lan_if proto tcp from any to any port = 1024
block in log quick on $lan_if proto tcp from any to any port = 1025
block in log quick on $lan_if proto tcp from any to any port = 1026
block in log quick on $lan_if proto tcp from any to any port = 1027
block in log quick on $lan_if proto tcp from any to any port = 1028
block in log quick on $lan_if proto tcp from any to any port = 1029
block in log quick on $lan_if proto tcp from any to any port = 1030
Basically I would like to visit my website from inside the local network using my external (public) IP address.
 
VladiBG, thanks for your reply; would you be able to give me any tips on how to set it up? I tried unbound following a Calomel tutorial I found online, but with no success.
 
I'm not using unbound and my last BIND setup was more than 10 years ago so the following info may not be 100% accurate.

You need to use unbound from pkg or ports. Do not use the locally included unbound (local-unbound), as it is a stripped-down version which can't hold/serve a local zone.

Install unbound with your preferred method, pkg or ports (do not mix pkg with ports, as the packages lag behind on library dependencies and will conflict with the more up-to-date ports versions).
pkg install unbound
OR if you are using ports
cd /usr/ports/dns/unbound/ && make install clean

Create custom configuration directory
mkdir /usr/local/etc/unbound/conf.d/

Create custom forwarding servers. For best results use the closest DNS server from your ISP; in the example I will put the public Google DNS servers and my local router's DNS.

/usr/local/etc/unbound/conf.d/forward.conf
Code:
# Forward every query (zone ".") to these upstream resolvers. unbound serves
# matching local-data from local-zone.conf first and forwards the rest.
forward-zone:
        name: .
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
        forward-addr: 192.168.100.1   # the author's local router; replace with your ISP's resolver

Create a custom local-zone config where you can create a split-horizon DNS record for your public zone using the "transparent" type, which returns the local data for the given host and, if there is no match, looks up the rest via the forwarder DNS. For example, creating a "fake" host "router.google.com" pointing to the local IP address 192.168.100.1:

/usr/local/etc/unbound/conf.d/local-zone.conf
Code:
server:
        # "static": only the local-data below is ever answered for this zone;
        # names not listed get a negative answer instead of being forwarded.
        local-zone: "home.local." static
        local-data: "router.home.local.  IN A 192.168.100.1"
        local-data: "www.home.local.     IN A 192.168.100.124"
        local-data: "bsd.home.local.     IN A 192.168.100.124"
        # Reverse (PTR) records for the addresses above.
        local-data-ptr: "192.168.100.1   router.home.local"
        local-data-ptr: "192.168.100.124 www.home.local"
 
        # "transparent": the split-horizon case — only the listed host is
        # answered locally; every other google.com name goes to the forwarder.
        local-zone: "google.com." transparent
        local-data: "router.google.com.  A 192.168.100.1"
Here's the example configuration file for unbound where you should edit the following:

num-threads: equal to the number of CPU cores
*-slabs: equal to 2 × num-threads
edit your listen interface IP: it should listen only on your internal LAN network (in your case interface: 172.16.0.1, or your local server's IP address), and you also need to listen on the localhost address 127.0.0.1 because the default nameserver in /etc/resolv.conf will point to it.

/usr/local/etc/unbound/unbound.conf
Code:
server:
        verbosity: 1
        num-threads: 4                      # match the number of CPU cores
        # Listen addresses: the LAN address plus loopback (resolv.conf points
        # at 127.0.0.1). NOTE(review): the thread later switches this to
        # 0.0.0.0, which also binds the WAN side; the access-control lines
        # below are then the only thing refusing outside clients, and the
        # pf.conf above passes everything in. Prefer listing LAN/VM addresses.
        interface: 192.168.100.124
        interface: 127.0.0.1
        port: 53
        # Cache sizing; slab counts are 2 x num-threads.
        msg-cache-size: 128m
        msg-cache-slabs: 8
        rrset-cache-size: 256m
        rrset-cache-slabs: 8
        # Clamp upstream TTLs to 1h..24h (a 1h minimum delays seeing record
        # changes made upstream).
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        infra-cache-slabs: 8
        # Only loopback and RFC 1918 ranges may query; everything else is
        # refused by default.
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        access-control: 172.16.0.0/12 allow
        # Root hints file fetched below; used only when no forwarder answers.
        root-hints: "/usr/local/etc/unbound/named.cache"
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        # DNSSEC: refuse answers whose signatures were stripped, validate with
        # the trust anchor below (the file must exist, e.g. created with
        # unbound-anchor — not shown in this thread).
        harden-dnssec-stripped: yes
        use-caps-for-id: yes                # 0x20 query-name case randomisation against spoofing
        # Rebinding protection: private addresses in answers from upstream
        # are stripped; local-data answers are served before resolution and
        # are not affected by this.
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        # Flush the caches after this many unsolicited replies (poisoning defence).
        unwanted-reply-threshold: 10000
        prefetch: yes
        auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
        val-clean-additional: yes
        key-cache-slabs: 8
# Empty clauses: left at their defaults.
python:

dynlib:

remote-control:

# Pull in forward.conf and local-zone.conf; each of those files opens its
# own clause (forward-zone: / server:).
include: /usr/local/etc/unbound/conf.d/*.conf

Download the current root hints file. It is a good idea to update this file at least once per year. It is used when you are not using forwarders or they are down. If you don't have the root CA bundle (ca_root_nss) installed, you can skip certificate verification with "--no-verify-peer".
cd /usr/local/etc/unbound/
fetch https://www.internic.net/domain/named.cache

Edit your resolv.conf and point it to your local unbound server
/etc/resolv.conf
# Generated by resolvconf
# (hand-edited afterwards; see /etc/resolvconf.conf below for how to keep
# resolvconf from overwriting it)
search home.local
# previous upstream resolvers, kept for a quick fallback if unbound fails
#nameserver 8.8.8.8
#nameserver 8.8.4.4
#nameserver 192.168.100.1

# the local unbound instance
nameserver 127.0.0.1
options edns0

Enable the unbound service in /etc/rc.conf
sysrc unbound_enable="yes"

If you previously had local_unbound enabled, disable it
sysrc local_unbound_enable="NO"

Start the unbound
cd /usr/local/etc/rc.d/
./unbound start

OR
service unbound start

Create resolvconf.conf to prevent resolvconf from overwriting /etc/resolv.conf

/etc/resolvconf.conf
resolv_conf="/dev/null" # prevent updating /etc/resolv.conf
# resolvconf writes the forwarders it learns (e.g. from PPP/DHCP) as a
# forward-zone into this file. NOTE(review): this is the same file created
# by hand earlier in the thread, so the hand-written forwarders appear to be
# replaced by whatever the link supplies — confirm that is intended.
unbound_conf="/usr/local/etc/unbound/conf.d/forward.conf"
unbound_pid="/usr/local/etc/unbound/unbound.pid"
unbound_service="unbound"
unbound_restart="service unbound reload"   # reload rather than restart after rewriting forward.conf

restart resolv
service resolv start

Test using ping or host
% host router
router.home.local has address 192.168.100.1

% ping router.google.com
PING router.google.com (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=0.616 ms

% ping www.google.com
PING www.google.com (172.217.17.100): 56 data bytes
64 bytes from 172.217.17.100: icmp_seq=0 ttl=3 time=9.811 ms

If there is an issue with your unbound config and you can't start it, you can manually edit the nameserver in /etc/resolv.conf and point it back to your ISP's DNS so that you still have Internet access on your server until you fix unbound.

After you verify that unbound is working, you can set the client computers in your LAN to use your DNS server. Do not forget to clear their DNS cache.
 
Right, thank you for your reply. I hope you will have a lovely Christmas time with your family.

Following your tutorial I changed, in unbound.conf, interface: 192.168.100.124 to interface: 0.0.0.0, because otherwise I couldn't start unbound (it couldn't open port 53 for some reason). Now I have unbound up and running, and I changed the DNS on the local machine from 8.8.8.8 to 172.16.0.1, but it still won't connect to TeamSpeak using either the domain or the public IP address, whereas from outside the local network it works fine. Using 172.16.0.1 as DNS, websites such as google.com work, so I believe unbound does the job, but there is no split DNS.

I wonder if this is correct:
/usr/local/etc/unbound/conf.d/local-zone.conf
My local network is using 172.16.0.0/16.
Address 192.168.1.100 is used on other network interface only to connect to modem for PPPoE connection
And I am also using network 10.0.0.0/8 for Virtual Machines
 
If it can't open port 53 then you have another service listening on that port, which you need to stop first. Probably it's local_unbound.

If your server has multiple interfaces you can add them like this:
# Bind only loopback, the LAN address and the VM-network address — not
# 0.0.0.0, which would also bind the WAN tunnel's address.
interface: 127.0.0.1
interface: 172.16.0.1
interface: 10.0.0.1

Restart unbound, then verify that it listens on those IP addresses using
netstat -an4
or
sockstat -4 | grep 53
 
unbound is working fine, but I still can't access anything from the local network via the public IP address; any idea why?
I am not sure what these files should look like:

/usr/local/etc/unbound/conf.d/forward.conf
/usr/local/etc/unbound/conf.d/local-zone.conf

So I trust you. Neither file mentions 10.0.0.0/8 or 172.16.0.0/16; is that how it should be?
 
In /usr/local/etc/unbound/conf.d/forward.conf you put your ISP's DNS server or some other publicly accessible DNS like 8.8.8.8.
In /usr/local/etc/unbound/conf.d/local-zone.conf you put your local hosts' IP addresses. For example, if you have a local web server with IP address 10.0.0.2 which you want to be reachable as www.mydomain.com, you create the following record:

# Split-horizon entry: only www.mydomain.com is answered locally; all other
# mydomain.com names are forwarded as usual ("transparent").
local-zone: "mydomain.com." transparent
local-data: "www.mydomain.com. A 10.0.0.2"

So when you make a lookup for www.mydomain.com it will resolve it to 10.0.0.2
For a private zone, if you want to access your other hosts, you can use the following top-level domains, which are reserved for this:
.local
.localdomain
.domain
.lan
.home
.host
.corp
.example
.invalid
 
I still have no luck. I was hoping I would sort it out before Christmas, once and for all. Everybody was telling me a different solution and none of them worked. I was told that if I add a line in /etc/hosts it will fix it. I did that, and now I can ping my public IP address from the local network (so it's visible); the next person told me I need NAT reflection in order to access the public IP from the local network, but I couldn't find a tutorial that would work, so I came back here to ask. You told me I need split DNS; I have it exactly as you guided me and still nothing.
When I use the drill command I get the following output:

root@ldrive:/home/airost # drill mclose.co.uk
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57529
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mclose.co.uk. IN A

;; ANSWER SECTION:
mclose.co.uk. 20901 IN A 212.159.22.253

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Dec 23 19:19:39 2022
;; MSG SIZE rcvd: 46

And from a VM running Linux, when I use:

nslookup mclose.co.uk
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: mclose.co.uk
Address: 212.159.22.253

Same machine:

ping mclose.co.uk
PING mclose.co.uk (212.159.22.253) 56(84) bytes of data.
64 bytes from joannapuz.plus.com (212.159.22.253): icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from joannapuz.plus.com (212.159.22.253): icmp_seq=2 ttl=64 time=0.157 ms
64 bytes from joannapuz.plus.com (212.159.22.253): icmp_seq=3 ttl=64 time=0.190 ms
64 bytes from joannapuz.plus.com (212.159.22.253): icmp_seq=4 ttl=64 time=0.112 ms
^C
--- mclose.co.uk ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3009ms
rtt min/avg/max/mdev = 0.062/0.130/0.190/0.048 ms


Unbound is working; what's my next step? I've used up all my ideas and the advice from other people. By the way, thank you for your patience with me and my case.
 
You are using the public DNS 8.8.8.8 not your local unbound DNS.

If your local DNS (unbound) is on 172.16.0.1 you can try nslookup mclose.co.uk 172.16.0.1; this will query 172.16.0.1 for the mclose.co.uk hostname, which should be set in local-zone.conf.
 
Hurray! I managed to get it to work.
In /usr/local/etc/unbound/conf.d/local-zone.conf
I fixed it by having it as follow:

server:
# The example records from the tutorial were kept as-is; the reply below
# points out they can be removed.
local-zone: "home.local." static
local-data: "router.home.local. IN A 192.168.100.1"
local-data: "www.home.local. IN A 192.168.100.124"
local-data: "bsd.home.local. IN A 192.168.100.124"
# The record that made it work: the public name answered with the VM's
# private address for LAN clients. No local-zone is declared for
# mclose.co.uk here; unbound appears to accept that (the reply below makes
# the zone explicit with "transparent").
# NOTE(review): in the pf.conf above, 10.0.0.2 is the TeamSpeak/game VM and
# web (80/443) is redirected to 10.0.0.3 — if that is still the layout,
# browsers hitting this name from the LAN land on the wrong VM; verify.
local-data: "mclose.co.uk. IN A 10.0.0.2"
local-data-ptr: "192.168.100.1 router.home.local"
local-data-ptr: "192.168.100.124 www.home.local"
# Reverse (PTR) record for the entry above.
local-data-ptr: "10.0.0.2 mclose.co.uk"

local-zone: "google.com." transparent
local-data: "router.google.com. A 192.168.100.1"

From what I understand, local-data is like a declaration of the domain's IN A (DNS A record) followed by an IP address, and local-data-ptr is the corresponding reverse (PTR) record. Not sure if I understand it correctly, but it works! I was trying to fix it for over a year and had given up! VladiBG весела коледа, Благодаря много!
 
Merry Christmas!

You need to remove the other records; they were just an example.
The website is usually accessed on the "www" host, not on the domain itself, so it's better to make it like this:

server:
# Minimal split-horizon zone: only the "www" host is answered locally with
# the private address; every other mclose.co.uk name is forwarded upstream.
local-zone: "mclose.co.uk." transparent
local-data: "www.mclose.co.uk. A 10.0.0.2"

All other DNS records will be resolved via your public DNS server, and only the "www" record will be resolved from the local DNS.
 