2 subnets 1 DNS

No, this is not the start of a bad joke! :speak_no_evil:

I have a network I use for a few different purposes. In this network I need one subnet for straight ISP traffic (192.168.0.0), another subnet for privacy VPN like PIA (192.168.1.0), and a few other subnets for testing stuff. I used this guide, but I think it’s very similar to your YouTube video.

I currently run an ISP router without DHCP at 192.168.0.1 with static assignments for any servers or systems that need it. I then have PFSense running on 192.168.1.1 offering DHCP for anything else I want to run over the anonymizing VPN. Finally I have virtual IPs set up for other subnets as needed. No VLANs, no reason for them since there are no privacy or security concerns whatsoever on the LAN.

As you can see DHCP and DNS currently run through PFSense for the most commonly used subnet (192.168.0.1).

I would like to, if possible, figure out a way to also run DNS for the other subnets so that anything on 192.168.0.0 and 192.168.1.0 (or other virtual IP subnets) can have DNS point to 192.168.1.1 (PFSense) for name resolution and then still resolve properly for systems on both 192.168.0.0 and 192.168.1.1 (or others).

A bonus would be if I could somehow use DHCP from PFSense at 192.168.1.1 to assign IP addresses on any of these subnets when appropriate, but assign the gateway to either 192.168.1.1 or 192.168.0.1 depending if I want privacy I want for the device.

Is any of this possible and if so what do I need to look at to make this work?

I’m also open to other options if anyone has a suggestion to simplify this! :heart::heart::heart::heart:

Isn’t it just easier to get rid of your ISP router and let PfSense do your DHCP and DNS ?

Maybe, but I guess I have to figure out how to route the ISP traffic on through. Is it possible to set up PFSense so that I could have 2 IP addresses such that 192.168.0.1 is for VPN traffic and 192.168.0.254 is direct to the ISP WAN port?

Then there could be a single DNS setup I guess that just always goes over the VPN, but maybe it shouldn’t? Not sure about this either.

There may well be a way, however, I doubt you can be completely sure that the IP traffic will always go through the VPN, i.e. how could a kill switch work in this scenario (I’ve got no idea).

For sure if you have one DNS server, the VPN will have a DNS leak if it has to go outside of the tunnel to resolve. I use AirVPN and their DNS server so I can be certain there is no DNS leak.

Setting up vLANs for VPN traffic is much easier, or maybe just use a VPN client on your host.