tech stuff.

pfsense, dnsmasq & source interfaces


I’m having issues with dnsmasq on my pfsense router being unable to contact an overridden nameserver because they’re not being sourced from an interface that has an ipsec policy. For example, I have the following config:

Main Office Router A:
LAN address: 192.168.1.1/24
WAN address: 24.1.2.3

Remote Office Router B:
LAN address: 192.168.2.1/24
WAN address: 64.1.2.3

The two sites are connected by an ipsec tunnel. My internal nameserver serving the domain “company.local” is at 192.168.1.10.

Since the remote office is on the other side of the world, I want to use the ISP nameservers for internet resolution, but send all resolutions for company.local through the tunnel to 192.168.1.10.

When dnsmasq sends the packet to 192.168.1.10, however, it uses the default route and sends the packet out of the WAN interface and not through the tunnel. My first thought was to instruct dnsmasq to use the LAN interface as its source address, such as:

/usr/local/sbin/dnsmasq -l /var/dhcpd/var/db/dhcpd.leases -s remote.company.local --server=/company.local/192.168.1.10@192.168.2.1

Indeed that works, but the web UI doesn’t allow for that sort of syntax, afaik.

Failing that, I tried adding a bogus route on Router B in hopes that the packet will be redirected through the ipsec tunnel before actually being transmitted on the LAN interface. I added a static route for 192.168.1.10/32 to the gateway 192.168.1.1. This appears to work, so my problem is resolved for now. It doesn’t seem to be a particularly elegant solution, however.
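To make the routing point concrete, here is an added Python model (not pfSense or dnsmasq code) of Router B's route table and IPsec phase-2 selectors: a longest-prefix route lookup picks the source address, and the tunnel policy only catches the query when that source is the LAN address, which is what the @192.168.2.1 suffix forces. The WAN gateway 64.1.2.254 is an assumed value; the rest comes from the post.

```python
import ipaddress

# Constructed model of Remote Office Router B from the post.
# Each route: (prefix, gateway, source address the kernel would pick).
ROUTES = [
    ("0.0.0.0/0",      "64.1.2.254", "64.1.2.3"),     # default route out WAN (gateway assumed)
    ("192.168.2.0/24", None,         "192.168.2.1"),  # LAN, directly connected
]
# IPsec phase-2 selectors for the site-to-site tunnel: (local net, remote net).
SPD = [("192.168.2.0/24", "192.168.1.0/24")]


def select_route(dst, routes=ROUTES):
    """Longest-prefix match: return (network, source address) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    return best


def spd_matches(src, dst, spd=SPD):
    """True if a packet src->dst is selected by a tunnel policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in spd)


def dns_query_path(dst, explicit_source=None):
    """Return (source address, enters_tunnel) for a forwarded DNS query.

    explicit_source models dnsmasq's --server=/domain/ip@source syntax; without
    it the source follows the route lookup, i.e. the WAN address for 192.168.1.10.
    """
    src = explicit_source or select_route(dst)[1]
    return src, spd_matches(src, dst)


if __name__ == "__main__":
    print("default route:", dns_query_path("192.168.1.10"))                 # WAN source, misses tunnel
    print("@192.168.2.1: ", dns_query_path("192.168.1.10", "192.168.2.1"))  # LAN source, hits tunnel
```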

Written by Lee Verberne

2009-01-16 at 18:00

Posted in pfsense


  1. I edited services_dnsmasq_domainoverride_edit.php which I found in /usr/local/www.

    In version 2.0RC1 at line 72 you find:

    if ($_POST['ip'] && !is_ipaddr($_POST['ip']) && ($_POST['ip'] != '#')) {
        $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
    }

    I just commented this out. This then allows you to add entries like 192.168.1.10@192.168.2.1 in the IP address field on the override page.

    Hugh Blandford

    2011-03-11 at 06:46
