From edfdb203a01622fa21925444669fe3a8f35221c7 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Tue, 20 Jun 2023 10:59:16 -0400
Subject: [PATCH] Only NAT internal DNS requests.

---
 ansible/roles/firewall/files/mrmanager_pf.conf | 6 +++---
 ansible/roles/public_dns/files/master.db | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
index 350a3a8..7787a95 100644
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -30,9 +30,9 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 6
 # nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
 # nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0)
-rdr pass inet proto {tcp, udp} from any to ($ext_if) port 53 -> 10.215.1.211 port 53
-nat pass on jail_nat proto {tcp, udp} from { 10.215.1.0/24, !10.215.1.1 } to 10.215.1.211 -> (jail_nat)
-
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
+rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
+nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat)
 # filtering
 block log all
diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db
index fb3728a..7f017ce 100644
--- a/ansible/roles/public_dns/files/master.db
+++ b/ansible/roles/public_dns/files/master.db
@@ -67,3 +67,6 @@ _carddavs._tcp IN SRV 0 1 443 carddav.fastmail.com
 _caldav._tcp IN SRV 0 0 0 .
 _caldavs._tcp IN SRV 0 1 443 caldav.fastmail.com
+
+home IN A 68.197.252.22
+opstunnel IN CNAME home.fizz.buzz.
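Review bot: The removed nat rule explicitly excluded 10.215.1.1 from source translation (`from { 10.215.1.0/24, !10.215.1.1 }`), but the new `nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat)` rewrites every flow the second rdr tags, and that rdr matches `from $jail_nat_v4` with no exclusion; if $jail_nat_v4 (defined outside this hunk) includes 10.215.1.1, the host's own DNS queries are now NATed where they were not before, so either confirm that is intended or keep the carve-out with `from { $jail_nat_v4, !10.215.1.1 }` on the tagging rdr. The old rdr also matched `from any` and carried `inet`; the replacement pair only matches the two `_v4` macros, so any source outside both now falls through to `block log all` instead of being redirected, which may be the intent of "only NAT internal" but is worth stating. The tag/tagged coupling is not self-explanatory in a pf ruleset; a one-line comment above the three rules such as `# DNS on ext_if:53 -> 10.215.1.211; only jail_nat clients are source-NATed (tagged) so replies return via jail_nat` would save the next reader from reconstructing it.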
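Review bot: The `home IN A 68.197.252.22` and `opstunnel IN CNAME home.fizz.buzz.` records are unrelated to the commit subject ("Only NAT internal DNS requests") and are not mentioned in the message; this file belongs to a role named public_dns, so these records publish that address to anyone who queries the zone, which is presumably a residential endpoint given the name. If that is intended, say so in the commit message and annotate the records, e.g. `; home: external address of the home network, used as the opstunnel endpoint`, so a later reader does not mistake it for an accidental leak; otherwise split it into its own commit.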