On 2021-11-12 10:50, brad via WLUG wrote:
> However android and iOS do not appear to honor my local dns server — I’m not sure why — so they resolve the address to a routable IP and connect from within the private 192.168.1.0 subnet. My firewall sees this and drops it b/c it is a non-routable IP address connecting to the external interface. (I got this info by running tcpdump and watching traffic).
> Has anyone attempted something similar? Is there something I’m overlooking? (Probably)
Yeah, you're not missing anything - mobile devices are just sort of a PITA. Throw in a work device which tunnels all DNS over VPN and it turns into a real headache. If you can't seem to get the phones to obey (blocking external DNS or redirecting it *might* work), you may have to resort to NAT reflection. It's working OK for me on pfSense. Unfortunately, all traffic ends up going through the firewall, but the performance hit probably isn't too critical for most things. Here are docs for doing this in pfSense, other "real" routers should have similar functionality: https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
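The two remedies the reply mentions, forcing LAN clients onto the local resolver and NAT reflection (hairpin NAT) for clients that still connect to the public address, written out as a FreeBSD-style pf.conf fragment of the kind pfSense runs underneath its GUI. This is an added example, not a rule set from the thread or from the linked pfSense docs; the interface names, addresses and the port 443 service are constructed placeholders, and the public address uses the 203.0.113.0/24 documentation range.

```pf
# Macros (all values are assumed placeholders, not from the thread)
ext_if    = "em0"               # WAN interface
int_if    = "em1"               # LAN interface
wan_ip    = "203.0.113.10"      # public address the DNS name resolves to
lan_net   = "192.168.1.0/24"    # the private subnet from the question
web_srv   = "192.168.1.20"      # internal server behind the port forward
local_dns = "192.168.1.1"       # the local resolver the phones are ignoring

# --- Translation rules (pf requires these before the filter rules) ---

# Ordinary outbound NAT for the LAN
nat on $ext_if from $lan_net to any -> ($ext_if)

# NAT reflection, part 2: source-NAT reflected connections to the firewall's
# LAN address so the server's replies come back through the firewall. Without
# this the server answers the client directly and the client, expecting a reply
# from $wan_ip, discards it.
nat on $int_if proto tcp from $lan_net to $web_srv port 443 -> ($int_if)

# Normal port forward from the Internet
rdr on $ext_if proto tcp from any to $wan_ip port 443 -> $web_srv port 443

# NAT reflection, part 1: a LAN client that resolved the public name sends a
# packet to $wan_ip on the LAN side; rewrite the destination to the server
# instead of letting it be treated as traffic aimed at the firewall itself.
rdr on $int_if proto tcp from $lan_net to $wan_ip port 443 -> $web_srv port 443

# Option A (the "redirecting" remedy): any LAN DNS query not already aimed at
# the local resolver is transparently redirected to it.
rdr on $int_if proto { tcp, udp } from $lan_net to ! $local_dns port 53 -> $local_dns port 53

# --- Filter rules ---
block return log all

# Option B (the "blocking" remedy): if you prefer to refuse external DNS outright
# instead of redirecting it, use this and drop the port-53 rdr above.
# block return in quick on $int_if proto { tcp, udp } from $lan_net to ! $local_dns port 53

# Allow the redirected DNS and the reflected/forwarded HTTPS to reach the server
pass in quick on $int_if proto { tcp, udp } from $lan_net to $local_dns port 53
pass in quick on $int_if proto tcp from $lan_net to $web_srv port 443
pass in quick on $ext_if proto tcp from any to $web_srv port 443
pass out quick on $int_if proto tcp from $lan_net to $web_srv port 443
pass out quick on $ext_if from ($ext_if) to any
```

The two `nat`/`rdr` pairs on `$int_if` are what "NAT reflection" amounts to, and they are why the reply notes that all reflected traffic now passes through the firewall: the client-to-server and server-to-client legs are both rewritten there, so the firewall sits in the path even though both hosts share a LAN. The DNS redirect is the lighter fix when it works, since clients then get the private address directly and never need reflection; the block variant is noisier but makes misbehaving clients visible in the firewall log.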