Netgate Discussion Forum

    Webserver SSL is not private (How to set)

    General pfSense Questions
    31 Posts 6 Posters 3.0k Views
    stephenw10 (Netgate Administrator):

      Hmm, I would check again. Try filtering by the client IP you're testing from. The firewall logs indicate it's passing traffic and NATing it and that will create a state.
      The states may get closed almost immediately though if the load-balancer (which I assume is at 192.168.2.46) is refusing them.

      A pcap on LAN would confirm that.

    SteveITS (Galactic Empire) @carrzkiss:

        @carrzkiss said in Webserver SSL is not private (How to set):

        but being stopped on the ServerSide

        Probably.
        That said I just spent an absurd amount of time setting up a VLAN on a working-network switch replacement... devices could resolve DNS using pfSense [22.01, need to upgrade] and states were opening out the WAN but no traffic flowed from the VLAN until we restarted pfSense. ٩(͡๏̯͡๏)۶ Haven't seen that before.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

    carrzkiss:

          @steveits
          I just checked on a video for HAproxy
          It seems to me that the HAproxy is used for multiple Servers.
          In my case, I do have multiple servers, but only ONE IP Address is used for all Gateways into the Actual Web Servers themselves.
          UNLESS the HAproxy is used for Multiple Web Sites???
          If that is the case, I will look into setting it up and testing it later this evening.
          The SSL Cert is a Wildcard Cert, the same type I've used for 4 years now through LetsEncrypt.
          I have 8 Domains, and they are all on the same Cert with my primary web domain as the holder.

          There are 4 ARR Servers on the load balance using .46
          If ARR1 is used, ARR2 is used, and so on.

          The Port Forwarding would seem to be the most likely one for my setup, but I will let you all tell me otherwise.

    SteveITS (Galactic Empire) @carrzkiss:

            @carrzkiss Port forward seems like what you want. People do occasionally post here asking to forward port 443 to one server for example.com and another for example.net which doesn't work without something proxying that by hostname.

            If you forward directly to one web server IP instead of the load balancer does it work? If so, then it would be a load balancer issue.

            Check a packet capture and the states as noted above.

    stephenw10 (Netgate Administrator):

              If the load-balancer is at .46 and is proxying or forwarding traffic from there to other internal servers it should work. HAProxy would replace any existing load-balancer.

              You might be seeing some asymmetric routing depending on how the load-balancer is handling that traffic. I would expect to see some blocked traffic on LAN in the firewall log if that's the case though.

              You might also be seeing this: https://docs.netgate.com/pfsense/en/latest/install/upgrade-before-2.2.html#microsoft-load-balancing-open-mesh-traffic
              If the load-balancer is using a multicast MAC address you'd need to set that tunable.

              Steve

    carrzkiss:

                @steveits
                I just checked something.
                On one of the ARR Servers, I did a ping.
                Google - works
                Microsoft - Request Timed Out.

                So, it seems the servers are not getting into the world.
                And if they are not getting out, and nothing is coming in, that would explain why there is no connection.


                I also found in System / General
                DNS Server Settings.
                I am unsure if I did this right or not.
                I added in the DNS Server I run (WAN IP Address)
                Along with the 3-pointer DNS Servers that point records for us as well.
                But none of that seemed to change anything.

    carrzkiss @stephenw10:

                  @stephenw10
                  I am getting someplace now. Thank you.
                  Adding the
                  Tunable: net.link.ether.inet.allow_multicast
                  Value: 1
                  It was what was needed.

                  I was able to pull the site up.
                  The SSL is giving an error again. (the connection is not private)
                  And I have to figure out how to get the SQL Server to work, but at least I am getting something.

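As an added example (not code from the thread or from Netgate), a small Python check for the condition stephenw10 pointed to and carrzkiss fixed with the tunable: it parses ARP table output, flags any neighbour whose MAC has the multicast (I/G) bit set, which is what a Windows NLB cluster in multicast mode answers with, and reports that `net.link.ether.inet.allow_multicast=1` is needed on pfSense. The ARP lines are constructed samples in FreeBSD `arp -an` format; the 192.168.2.46 address and its MAC are assumed stand-ins for the load balancer in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample of FreeBSD/pfSense `arp -an` output (not from the thread).
# 192.168.2.46 stands in for the load balancer; its MAC is in the
# 03:bf:xx:xx:xx:xx form that Windows NLB uses in multicast mode.
# FreeBSD prints octets without leading zeros, so the regex allows 1-2 hex digits.
SAMPLE_ARP = """\
? (192.168.2.1) at 0:1b:21:aa:bb:cc on em1 permanent [ethernet]
? (192.168.2.46) at 3:bf:c0:a8:2:2e on em1 expires in 1190 seconds [ethernet]
? (192.168.2.50) at 0:15:5d:1:2:3 on em1 expires in 600 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)

# pfSense tunable named in the thread (System > Advanced > System Tunables).
REQUIRED_TUNABLE = ("net.link.ether.inet.allow_multicast", "1")


def normalize_mac(mac: str) -> str:
    """Pad each octet to two hex digits and lowercase it."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def is_multicast_mac(mac: str) -> bool:
    """True if the I/G bit (least significant bit of the first octet) is set."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


def find_multicast_neighbors(arp_output: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from ARP output whose MAC is a group address."""
    found = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and is_multicast_mac(m.group("mac")):
            found.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return found


def tunable_needed(arp_output: str) -> bool:
    """pfSense drops replies from multicast MACs unless the tunable is set."""
    return bool(find_multicast_neighbors(arp_output))


if __name__ == "__main__":
    for ip, mac in find_multicast_neighbors(SAMPLE_ARP):
        print(f"{ip} answers ARP with multicast MAC {mac}")
    if tunable_needed(SAMPLE_ARP):
        print("Set tunable %s=%s in pfSense" % REQUIRED_TUNABLE)
```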
    stephenw10 (Netgate Administrator):

                    Adding DNS servers there only does anything for queries from pfSense itself unless the resolver is in forwarding mode.

                    Are those web servers using their own IPs to send pings or is everything going via the load-balancer IP?
                    Definitely check that multicast MAC issue if it's the latter.

                    Steve

    carrzkiss @stephenw10:

                      @stephenw10
                      All web servers go through the ARR Server(s), as that is the only IP Address I have listed for allowing passage through the Firewall. (Set up the same way I had it through the other Router.)

                      -- Definitely check that multicast MAC issue if it's the latter.

                      What exactly do I need to check in on this?

    carrzkiss @carrzkiss:

                        Update
                        Just did a check on https://www.yougetsignal.com/tools/open-ports/
                        And it shows that Port 80 and 443 are both OPEN.

                        The following areas had to be updated with the new Network information. (When you design something and leave it for a few years, you kind of forget about it)

                        Microsoft Failover Cluster for SQL Server
                        Two IP Addresses had to have their subnets changed over.
                        And that got the SQL Server running.

                        However, since getting that going, which got rid of the SQL Server error, I am once again faced with the

                        The site can't be reached.

                        I removed all the DNS IP Address entries I listed prior.
                        And rebooted PFSense.
                        And the sites are all still down.

    carrzkiss @carrzkiss:

                          OK.
                          I can view my websites locally, which is great, using their domains.
                          port forwards from local networks

                          Still cannot view them outside of the firewall.
                          And I also am having an issue with the SSL certs.
                          It seems the ones created through PFSense are not going to work.
                          So, I will look at something else and see what I can learn about using the PFSense method to create Web Server IIS Certs.

    viragomann @carrzkiss:

                            @carrzkiss
                            Can you be more clear about the issue with the certs? Does it work from inside with https?

    stephenw10 (Netgate Administrator):

                              So what error do you get when you try to connect now externally?

                              Do you see states in the firewall?

    carrzkiss @stephenw10:

                                Everything is now LIVE.
                                When I was out, I decided to try the site(s) and see what I got while totally away from the office, and I got the site but with a non-working SSL. OK, Good.
                                So, when I got back to the office just a few minutes ago, I grabbed the SSL cert I had installed the other day before creating the SSL through PFSense, and everything is working.
                                All sites are LIVE in front and behind PFSense.

                                Thank you, everyone, for all the help.
                                Have to say this community absolutely ROCKS!!!!

                                All the information to get the site(s) live was from this thread here, with the link(s) provided and the link(s) I provided.
                                So, if anyone has this same issue, all you have to do is follow everything from start to here, and you should be good to go.

                                I've tried to notate everything I had to do, so I can write an article for our Knowledge Base site.
                                Love sharing and exchanging knowledge.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.