Nebula (Firewall) - Set DNS Server on a Remote VPN Site

This article shows how to configure a DNS server for a remote VPN site in Nebula Cloud Center (NCC). A typical case is that you have resources on a local domain behind your headquarters firewall and want to reach them from the remote sites (branches). For that you configure a DNS Domain Zone Forwarder on the branch firewall and then verify it with nslookup.

Disclaimer! This might not work 100% of the time; it all depends on the type of scenario and the configuration beyond the firewall.


Topology:


1) Configure "This Gateway" as the DNS server for the Branch Firewall

Make sure the DNS server is located in a subnet that is part of the VPN's remote subnets (the remote subnet configured on the tunnel).

Start by setting "This Gateway" as the first DNS server on the LAN interface.

Navigate to

Site-wide > Configure > Firewall > Interface

This is needed because the branch clients then send their DNS requests to the firewall, which has to handle those requests itself. In the next step you configure where the firewall should forward such requests (the Domain Zone Forwarder).


2) Configure the DNS server in the firewall settings

Navigate to Firewall -> Configure -> Firewall Settings and add a new Domain Zone Forwarder that forwards the domain to the DNS server through the VPN, using the already automatically configured "auto" interface, then hit "Save".

Navigate to: 

Site-wide > Configure > Firewall > Firewall Settings


3) Test the Result

Run nslookup on a PC connected to the branch LAN to check whether the domain name resolves.

nslookup example.local


4) If something goes wrong

If nslookup cannot resolve the domain through your DNS server, you can try the steps below.


a) Create a policy route

It could be that the DNS server is not in the configured remote subnet and therefore needs to be routed manually with a policy route.


Create a policy route that routes the source subnet (lan1) to the destination subnet where the DNS server is located, and configure the next-hop to be the VPN tunnel.

b) Ping DNS Server

You can try to ping the DNS server from a client PC to see whether you can reach it at all from the local subnet.

ping 172.10.10.12

If that doesn't work, try to ping it from the firewall to see whether the traffic is routed through the VPN tunnel. If it is not, try solution "a" to see whether a policy route helps here.

c) Packet trace

If none of the above works, you can take a packet trace on the local firewall as well as on the remote firewall:
either by capturing ESP packets on the WAN (if there seems to be no traffic in the tunnel at all), or by capturing ICMP packets on the local and remote LAN. See this article on how to capture packets on your firewall(s):

Nebula Debugging - Port mirroring & Packet Capturing
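The checks from step 3 and step 4b can be scripted on a branch client. The script below is an added example, not Zyxel's or the article's own code; it assumes a Linux client on the branch LAN whose resolver is the gateway, with nslookup and ping installed, and it uses the article's example values (example.local and 172.10.10.12) as defaults.

```shell
#!/bin/sh
# Added example: branch-side check for the Domain Zone Forwarder setup.
# Assumed values: the forwarded domain and the HQ DNS server from the article.

# Pull the answer address out of nslookup output. nslookup prints the resolver
# first ("Server:" / "Address:"), then the answer ("Name:" / "Address:"), so
# only an "Address:" line that follows a "Name:" line is the real answer.
answer_address() {
    awk '/^Name:/ { seen = 1; next } seen && /^Address:/ { print $2; exit }' \
        | tr -d '\r'
}

# Map the probe results to the article's troubleshooting steps.
#   $1: 1 if the gateway returned an answer for the domain, else 0
#   $2: 1 if the client can ping the DNS server, else 0
next_step() {
    if [ "$1" -eq 1 ]; then
        echo "ok: the forwarder resolves the domain through the gateway"
    elif [ "$2" -eq 1 ]; then
        echo "dns server reachable but no answer: re-check the Domain Zone Forwarder (step 2)"
    else
        echo "dns server unreachable from the LAN: try the policy route (4a), ping from the firewall (4b), then a packet trace (4c)"
    fi
}

# Live probes: nslookup via the default resolver (step 3), ping the DNS server (step 4b).
run_checks() {
    domain="${1:-example.local}"     # domain handled by the Domain Zone Forwarder
    dns_server="${2:-172.10.10.12}"  # HQ DNS server behind the VPN

    resolved=0
    answer=$(nslookup "$domain" 2>/dev/null | answer_address)
    [ -n "$answer" ] && resolved=1

    pingable=0
    ping -c 2 -W 2 "$dns_server" >/dev/null 2>&1 && pingable=1   # Linux ping flags

    echo "domain=$domain answer=${answer:-none} dns_server_pingable=$pingable"
    next_step "$resolved" "$pingable"
}

# Run the live probes only when arguments are given, e.g.:
#   sh branch_dns_check.sh example.local 172.10.10.12
[ $# -gt 0 ] && run_checks "$@"
```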
