Impossible to connect to db from internal host but ok from external
-
@MatDepInfo
If you use the host name to connect add a host override for both to you local DNS.The port forwardings are only applied to incoming packets on WAN.
-
@viragomann OK thanks, I add a line in /etc/resolv.conf and now it's working. But how to do port forwarding for LAN packets ?
-
@MatDepInfo said in Impossible to connect to db from internal host but ok from external:
I add a line in /etc/resolv.conf and now it's working.
I was expecting, that you run a local DNS service like the DNS Resolver on pfSense. This would be a great place to add host overrides.
But how to do port forwarding for LAN packets ?
It's the same as on WAN, just to select the LAN interface. But it won't work if either client and server are within the same network segment. In this case you would run into an asymmetric routing issue with a simple port forwarding rule. You would also need an outbound NAT rule to masquerading the concerned packets.
However, no need to do that. This is what NAT Reflection does with a simple check mark.You can enable NAT Reflection in the respective NAT rule on the WAN or globally for all NAT rules in System > Advanced > Firewall & NAT.
-
@viragomann I'm lost... On the 2 VM, I have Plesk (with DNS server). No problem to ping domain1.com (on VM1) and domain (on VM2) from external. But when I ping domain2 from VM01 or domain1 from VM2, it is said : Name or service not known. When I add name server 8.8.8.8 to resolve.conf, it is working. So the problem come from pfsense I think. I add port forwarding in Plesk rules for LAN01 and LAN02 but same problem. Any ideas ?
-
@MatDepInfo said in Impossible to connect to db from internal host but ok from external:
No problem to ping domain1.com (on VM1) and domain (on VM2) from external. But when I ping domain2 from VM01 or domain1 from VM2, it is said : Name or service not known. When I add name server 8.8.8.8 to resolve.conf, it is working. So the problem come from pfsense I think. I add port forwarding in Plesk rules for LAN01 and LAN02 but same problem. Any ideas ?
This behavior is expected if you're missing the masquerading as I mentioned above.
But anyway, why do you try forward the traffic at all??
The preferred method is using a local DNS and add the respective overrides to it.
Do you even run a local DNS?If not enable NAT reflection as I mentioned above.
-
@viragomann OK, I activate NAT reflexion to Pure Nat, and I can now use external ip from lan to other lan. Thanks ! But same problem for domain resolution. I use the PFSense DNS resolver and no problem to ping external site (google.com by example) from lan, but impossible to ping internal domain in another VM. Should I use PFsense DNS forwarder instead ?
-
@MatDepInfo
No, the DNS resolver is the preferred service.but impossible to ping internal domain in another VM.
Do you mean local domain names or public?
In any case you have to add host overrides to the DNS resolver.
Check with dig or nslookup that the host name is resolved properly. -
@viragomann I try to ping domain2.com (public domain) hosted in VM2 from VM1. So I mean public domain.
NSlookup or Dig domain2.com from VM1: ** server can't find domain2.com: SERVFAIL
In any case you have to add host overrides to the DNS resolver.Do you mean that I have to add manually in pfsense DNS Resolver ? In the PFsense DNS Resolver, I have already domain2.com to external IP of VM2.
-
@MatDepInfo said in Impossible to connect to db from internal host but ok from external:
NSlookup or Dig domain2.com from VM1: ** server can't find domain2.com: SERVFAIL
Is the requested server your pfSense?
Do you mean that I have to add manually in pfsense DNS Resolver ? In the PFsense DNS Resolver, I have already domain2.com to external IP of VM2.
You don't need a host override to the public IP at all. This makes no sense, it is configured in the public DNS anyway.
The DNS resolver is only provided to your internal devices and should resolve the public host name to the internal IP for them. -
@viragomann I have Plesk on the 2 VMs so each VM has its own DNS for its hosted sites. But PFsense DNS Resolver has the good ip answer so yes, pfSense should answer the good ip to the dig request
-
@viragomann any ideas ?
-
@MatDepInfo said in Impossible to connect to db from internal host but ok from external:
I have Plesk on the 2 VMs so each VM has its own DNS for its hosted sites
I'm wondering, what this means.
Each Plesk has it's own DNS server, which it is using?And I'm still missing responses to my questions.
-
@viragomann Maybe Plesk is not important because request from external computer works like a charm. I think the problem is like NAT reflexion but for DNS.
To resume, I can ping domain1 (resolve to x.x.x.x) and domain2 (y.y.y.y) from external network. But impossible to ping domain1 or domain2 from internal VM1 or VM2. It is said Name or service not known. In /etc/resolv.conf I have nameserver z.z.z.z whish is PFsense. If I had 8.8.8.8 to this file, no more problem. I don't understand why. -
@MatDepInfo said in Impossible to connect to db from internal host but ok from external:
But impossible to ping domain1 or domain2 from internal VM1 or VM2. It is said Name or service not known. In /etc/resolv.conf I have nameserver z.z.z.z whish is PFsense.
I expect, this is the internal private IP of pfSense. So no reason to hide it.
But which does the device really use for resolving names?
Does it show the pfSense IP in the server line?
If so, but you don't get back an A record, check if DNS access is allowed for the machines (TCP/UDP port 53).
And add the local network to the DNS Resolvers ACL list. Normally that's not needed, but do it to get sure.Are both VMs within the same network segment?
Maybe we can get closer if you provide more details about your network. -
@viragomann Yes the server in dig command is well pfSense IP (192.168.11.1 for VM01 in 192.168.11.0/24 subnet and 192.168.12.1 for VM02 in 192.168.12.0/24 subnet). So 2 differents network segment. DNS access is allowed in NAT for WAN interface, I can access to it from external PC. In rules, for LAN011 and LAN012 I have this so for me all port are allowed :
