Setting up a Split DNS (was: Redirect Green to internal Green when it resolves to RED)

I’ve got some servers on my internal network that DNS resolves to RED. I’ve been trying to set up rules to get any internal traffic redirected back to the correct server, without using internal DNS, or host files.

I’ve tried this but I’m not seeing DMZ hosts at all.

Something like:
-s GREENNET -d REDIF -p tcp --dport 80 → 192.168.1.25(Green):80. I had this set up on my Smoothie, but this is eluding me on ipfire. Could someone point me in the right direction?

I currently have a rule to redirect from RED port 80 to 192.168.1.25(Green):80

Perhaps this will help

That’s starting to jog my memory…
I think this would work. Is there a way to make these entries from the GUI?

If you do not have multiple external IPs.
A reverse proxy server is what you need if it is multiple machines.
There are 2 in Pakfire.

Hello @cryptomountain, welcome to our community.

From your message, I gather that you want LAN machines to be redirected to a server’s private IP address, rather than its public IP address, when the DNS is used. This is often achieved through a “Split DNS” setup. A Split DNS is a DNS configuration where a domain name server (DNS) is able to provide different IP addresses for a domain name depending on whether the request originates from inside or outside of a local network. This allows internal and external users to use the same domain name but be directed to different servers.

Here is how you can set it up using IPFire:

Step 1: Redirect All DNS Requests to Your ‘unbound’ DNS Cache Server on IPFire

  • Go to Firewall Web User Interface (WUI).
  • Create a rule with the following settings:
    • Source: green (or a group made of green and blue)
    • NAT: Enable “Destination NAT”
    • Firewall Interface: automatic
    • Destination: Firewall (all)
    • Protocol: preset, Service group DNS (Create a service group for TCP and UDP port 53).

Step 2: Set Up DNS Resolution for Private IPs
You have two options here:

Option A: Use an Internal DNS Server

  • Set up an internal DNS server for resolving private IPs.
  • In WUI, set up a DNS forward rule to point resolutions to your internal server.

Option B: Directly Serve Local IPs with ‘unbound’

  • Set up your DHCP server with your authoritative domain.
  • Assign your web server IP manually (outside the DHCP range) using the correct name (e.g., www) and the authoritative domain name. This eliminates the need for a “local domain.”

Split DNS and reverse Proxy

If you intend to redirect traffic to multiple services such as a Nextcloud instance and a website both hosted on separate servers within your LAN, using a reverse proxy in conjunction with Split DNS would be a good approach (as pointed out by @hvacguy).

To implement this, you would set up a reverse proxy server in your network. This server would be responsible for directing incoming traffic to the correct server based on the hostname used to access it. For example, it could direct traffic coming to “nextcloud.yourdomain.com” to your Nextcloud server and traffic coming to “www.yourdomain.com” to your web server.

In your Split DNS setup, you would then configure the DNS records for “nextcloud.yourdomain.com” and “www.yourdomain.com” to point to the IP address of your reverse proxy server. This way, when users inside your network access these hostnames, the DNS server would direct them to your reverse proxy, which would then forward them to the correct server within your network.

To summarize, your setup would look something like this:

  1. Set up a reverse proxy server in your network (or even in IPFire itself by installing HAProxy or Nginx).
  2. Configure your Split DNS system to point “nextcloud.yourdomain.com” and “www.yourdomain.com” to the IP address of your reverse proxy server.
  3. Configure the reverse proxy server to forward traffic based on hostnames to the correct servers in your network.

I hope this setup is what you were searching for. Do not hesitate to follow up with your comments in this thread if you have more questions or if I misunderstood your request.