Netgate Discussion Forum
    Host override & NAT
    DHCP and DNS

      SteveITS @Alek

      @Alek Using an internal IP does not break SSL/TLS as long as a valid cert matches the name. Unless you’re using a reverse proxy and no cert on the server?

      What does Diagnostics/DNS Lookup return? Does the host using curl have only pfSense for DNS?

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        Alek @SteveITS

        @SteveITS
        I'm using Cloudflare tunnel as proxy. From WAN, I can access my webapp without problem.
        On a different VLAN with pfSense as DNS only (other DNS requests are blocked), I can ping the DNS name but can't access it via browser.

          Alek @Alek

          @Alek
          Tried without Cloudflare tunnel, 443 straight exposed and NATed, same problem.

            SteveITS @Alek

            @Alek If you're connecting to a CloudFlare IP that's not reflection; reflection would be using your WAN IP from inside pfSense.

            I honestly don't know, is CloudFlare usable if you're connecting from the target IP? Or do they block that assuming it will be a local connection?

            Is reflection enabled in the NAT rule? See:
            [screenshot: NAT rule reflection setting]

            @Alek said in Host override & NAT:

            On a different vlan with pfsense as DNS only (Other DNS requests are blocked), I can ping the DNS name

            Windows in particular does not process DNS in order, it prefers the last-known-good one first. When you say ping works, it uses the pfSense WAN IP?

              viragomann @Alek

              @Alek said in Host override & NAT:

              I'm using Cloudflare tunnel as proxy. From WAN, I can access my webapp without problem.

              So is your SSL certificate provided by Cloudflare?

              Does DNS resolve your domain to the same IP, when requesting from the internet and inside your network?

                Alek @SteveITS

                @SteveITS
                I'm using direct connection on port 443, no proxy in front, no Cloudflare tunnel. Using A record to my public IP + Let's Encrypt.

                NAT reflection is activated:

                [screenshot: NAT reflection enabled]

                Tried via Debian, the DNS used is pfSense:
                [screenshot: Debian resolver configuration]

                When I ping my DNS name, it's working:

                ping vhost.ex.com -c 4
                PING vhost.ex.com (Public_IP) 56(84) bytes of data.
                64 bytes from vhost.ex.com (Public_IP): icmp_seq=1 ttl=64 time=0.399 ms
                64 bytes from vhost.ex.com (Public_IP): icmp_seq=2 ttl=64 time=0.604 ms
                64 bytes from vhost.ex.com (Public_IP): icmp_seq=3 ttl=64 time=0.519 ms
                64 bytes from vhost.ex.com (Public_IP): icmp_seq=4 ttl=64 time=0.499 ms
                
                --- vhost.ex.com ping statistics ---
                4 packets transmitted, 4 received, 0% packet loss, time 3005ms
                rtt min/avg/max/mdev = 0.399/0.505/0.604/0.072 ms

                From Debian, if I dig the webapp internal DNS name, I get:

                [screenshot: dig output for the internal DNS name]

                From Debian, I can't ping the internal IP of my webapp:

                [screenshot: ping to internal IP failing]

                Now if I curl the public DNS name I get:

                curl -vv -fsSl https://vhost.ex.com
                *   Trying Public_IP:443...
                * Failed to connect to vhost.ex.com port 443: Connection timed out
                * Closing connection 0
                curl: (28) Failed to connect to vhost.ex.com port 443: Connection timed out

                And in my pfSense log I have these denied connections:
                [screenshot: pfSense firewall log showing blocked connections]

                  viragomann @Alek

                  @Alek
                  So is the access allowed on the interface the PC is connected to?

                    Alek @viragomann

                    @viragomann

                    Sorry, I didn't understand your question.

                      viragomann @Alek

                      @Alek
                      ❔
                      Show the VLAN50 rule set, please.

                        Alek @viragomann

                        @viragomann
                        The Debian VM is on VLAN DMZ:
                        The 3rd rule is disabled, I created it to test.
                        If enabled I can curl the webapp but using internal IP...

                        [screenshot: VLAN DMZ firewall rules]

                        The webapp is on VLAN 66, aka Untrusted:

                        [screenshot: VLAN 66 firewall rules]

                          viragomann @Alek

                          @Alek said in Host override & NAT:

                          If enabled I can curl the webapp but using internal IP...

                          And what's the drawback of that?
                          As already mentioned, if the web application provides the proper SSL certificate for the requested host name, the browser should be happy and load the page, no matter if the resolved IP is public or private.

                            Alek @viragomann

                            @viragomann
                            I'm trying to do a complete VLAN isolation, no internal traffic allowed.

                            And, FIDO type keys don't work when I pass by internal IP while they do if I pass by WAN.

                              viragomann @Alek

                              @Alek said in Host override & NAT:

                              I'm trying to do a complete VLAN isolation, no internal traffic allowed.

                              That makes no sense. If you allow a client device access to a server, it's pretty much the same thing whether it uses the internal or the public IP.

                              And, FIDO type keys don't work when I pass by internal IP while they do if I pass by WAN.

                              Maybe it's bound to a certain IP, whatever...

                              So the first step is to make sure that the host name resolves to the public IP. You said you did this already, but the recent screenshot shows that it is resolving to the private one in fact.
