NAT + DNS Resolver behavior
-
I ran into and "sort of" resolved an interesting problem which I don't completely understand. My SG-4860 finally died and I needed to replace it. Enter shiny new 6100. I was able to restore my old config, NATs and rules (with a few interface reassignments). I have a couple of publicly accessible https sites NAT'ed to a reverse proxy host, as well as several internal LAN sites, all managed by the DNS resolver on the 6100. Before the firewall failure I was able to access my https sites from inside the network just fine. However, after the config restore on the new firewall my LAN resolutions work fine, but trying to get to my public facing sites returns the cert of the firewall instead of being forwarded to the proxy host. I discovered that this is because DNS is returning the WAN IP as the resolved IP (which is true outside the network) and from a work PC that hits external DNS first. To resolve it I had to create a new NAT on my LAN to the WAN IP to forward ports 80 and 443 to the reverse proxy. Though this now works, I don't think this is really the proper way to deal with this situation. Can someone help explain why this is happening and if there is a more proper solution?
Thanks in advance.
-
@bcadwell is reflection enabled? It can be enabled for all rules, or per rule.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
I would think it would have to be on for it to work on the old router…
-
@SteveITS Thank you! It was not. One other thing I forgot was I had DNS over TLS and some of these settings weren't properly configured (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html). With this properly configured even my work PC, which tries to leverage a corporate DNS server, is forced back to my resolver (which properly resolves to my LAN address inside the network). At some point I will try your option, which is also a great solution.
Thanks for your reply!
-b
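The two fixes discussed in this thread (NAT reflection from the reply, and the DNS redirect recipe from the follow-up) are easier to reason about as the pf rules the firewall ends up loading. The block below is an added, constructed illustration in pf.conf syntax, not configuration from either poster or generated by pfSense; the interface names, the WAN address 203.0.113.10, the LAN 192.168.1.0/24, the firewall LAN address 192.168.1.1 and the reverse proxy 192.168.1.50 are placeholders.

```pf
# Constructed example: the pf rules behind the behaviour discussed in the
# thread. Addresses and interface names are placeholders, not a real config.
wan     = "igc0"
lan     = "igc1"
wan_ip  = "203.0.113.10"
lan_ip  = "192.168.1.1"
lan_net = "192.168.1.0/24"
proxy   = "192.168.1.50"
web     = "{ 80 443 }"

# 1. The ordinary port forward. It only matches packets arriving on WAN, so a
#    LAN client that resolves the public name to $wan_ip never hits it; the
#    connection terminates on the firewall itself, which is why the firewall's
#    own certificate came back instead of the reverse proxy.
rdr on $wan proto tcp from any to $wan_ip port $web -> $proxy

# 2. NAT reflection (what the per-rule / global reflection option adds).
#    Repeat the redirect on LAN for LAN clients using the public address, and
#    source-NAT that traffic to the firewall's LAN address so the proxy's
#    replies come back through the firewall. Without the second rule the proxy
#    would answer the client directly from 192.168.1.50, and the client, which
#    thinks it is talking to 203.0.113.10, would drop the reply.
rdr on $lan proto tcp from $lan_net to $wan_ip port $web -> $proxy
nat on $lan proto tcp from $lan_net to $proxy port $web -> ($lan)

# 3. The DNS redirect recipe: any LAN client that hard-codes another resolver
#    (the work PC pointing at a corporate DNS server) is transparently handed
#    to the resolver on the firewall. DNS over TLS on 853 cannot be redirected
#    the same way, because the client would reject the firewall's certificate,
#    so it is blocked and the client falls back to plain port 53.
rdr on $lan proto { tcp udp } from $lan_net to ! $lan_ip port 53 -> 127.0.0.1 port 53
block return on $lan proto tcp from $lan_net to any port 853
```

Two things worth checking after enabling either fix: reflection only helps for ports that are actually forwarded, so a service reachable only via the proxy by hostname still needs the proxy to see the right Host header (it will, since the client connected by name); and the DNS redirect catches a client's traffic only if the rule is on the interface the client sits behind, so a PC on a separate VLAN needs the same rule on that interface. If reflection is undesirable, the other common approach is to keep the public name resolving to the proxy's LAN address from inside via a Host Override in the DNS Resolver, which is what the follow-up post ended up relying on once clients were forced to use the local resolver.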