Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out)
-
Sorry for lack of response to previous....
Once you had commented that something was messed up, I decided to do a clean (re-)install from 2.7.2 img and hopefully stop wasting your time and mine.All I have done so far is:
- changed LAN IP and GUI port
- In advanced, I have added Alternative hostnames of pfsense.home.arpa and pfsense.mydomain.me
- Installed ACME
- DNS resolver is enabled
- DNS Override: pfsense home.arpa 10.1.10.10
- No custom Firewall rules yet/ No NAT entries except Standard 2x WAN Auto rules
Current NSLOOKUP response (still returns server as IP only)
pfsense.home.arpa -type=ptr
Server: 10.1.10.10
Address: 10.1.10.10#53Name: pfsense.home.arpa
Address: 10.1.10.10I know this is not an interactive tutorial, but... before I attempt creating SSL cert with ACME/LE is there anything in particular I should setup?
Just to CONFIRM.... are the following assumptions and outcomes correct:
- Change default pfsense.home.arpa hostname to pfsense.mydomain.me
- Assume mydomain.me is held at external registrar
- Create CNAME record pfsense.mydomain.me at external registrar where domain is held.
- Do not assign a public IP A record to mydomain.me (or should I say not necessary if external access not required)
- Create an ACME/LE certificate for pfsense.mydomain.me.
- Configure new certificate under: System | Advanced | Admin Access | SSL/TLS certificate
I should then be able access from the LAN: pfsense.mydomain.me, despite not having a public IP in an A record.
Thank you for your time and attention to this issue.
Basic Architecture FYI:
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
DNS Override: pfsense home.arpa 10.1.10.10
it wouldn't be DNS override - it would be HOST override..
Any host override would provide a PTR..
What actual nslookup are you using - does it not do a ptr for the IP your set to your dns? windows nslookup always do this - but maybe your linux client doesn't?
That could be red herring.. What you should be able to do is do a query for your host override does it return your IP you set, does it do a ptr when you query for it?
-
Is this modern networking or just plain wrong :
-
@Gertjan hahaha - I took that is he was just rying to obfuscate his actual IP space.. if rfc1918 never understand that.. but prob something like rfc1918.10.10/24 and rfc1918.20.10/24 for his other interface.. And was just wanting to show he has multiple networks.. Sure hope that switch is vlan capable and setup correctly.
-
I have replicated all the same steps and seem to get the same responses except for the very first one where the nslookup server is IP not domain.
Here is where server is IP only
Using same dummy Host override (IP is not in the LAN range)
dig on "any" host override.
Right - I never did answer that question, sorry about that. I am using NSLOOKUP in interactive mode via Terminal on MAC OSX v12
I believe the above screenshots answer the final questions:
@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
query for your host override does it return your IP you set
The "any" Host override is returned from dig pfsense.mydomain.me as 10.1.10.1 (not a valid LAN address - proving it came from override settings)
@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
does it do a ptr when you query for it?
dig -x 10.1.10.1 returns PTR pfsense.mydomain.me
And now for the embarrassing answers:
YOU: it wouldn't be DNS override - it would be HOST override..
ME: My bad. Wrong terminology.@Gertjan said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
Is this modern networking or just plain wrong :
There's two parts to this:
- Yes it was kind of obfuscation, but more so trying to simplify the diag; as I'd previously disclosed the first half anyway. Admittedly never added the /24.
- The second part is my true moment of stupidity. Two LAN connections going to the same switch. (In my part defense I only had DHCP on LAN, and I manually set my my client IP to match LAN not OPT1 and there were no other clients on either LAN interface yet.) Haven't got into VLANs yet, so the stupidity would have kicked in had I proceeded with trying to get that to work. Thanks @Gertjan for bringing this to the surface.
Revised diag. ;)
-
@phantom99 well it seems your nslookup just isn't doing a ptr for the IP you have set, but that is something on the nslookup client..
I rarely use nslookup to be honest, I am a dig guy.. but many windows machines I might be on don't have dig installed, like my personal machines. And they always do a ptr out of the gate.
So that was just red herring it seems, my bad - but clearly your A and PTR queries are returning your setting for that record - so what is not working exactly?
-
I can't seem to address pfsense machine using FQDN or Hostname, only IP.
Mainly, I wanted to be able to establish a secure connection by using a FQDN/SSL connection without browser warnings.
Despite having established a cert with ACME/LE I can't address with a cert/FQDN.The SSL cert almost seem to become secondary to the problem that I can only address pfsense with IP address and not by hostname (or FQDN).
(Hope of stated all this clearly and correctly.)
I keep thinking I am missing something really basic.
Am I right in thinking I need to get hostname addressing working and then subsequently create a cert to enable SSL/FQDN?
-
@phantom99 and that screams your browser is not using your dns, ie its using doh.. Because clearly your OS just doing a query for that resomves it to the ip
So from you cmd line on your os when you do a ping pfsense.home.arpa it comes back with that IP right.
-
@johnpoz Yup.
phantom@MAC-client ~ % ping pfsense.home.arpa
PING pfsense.home.arpa (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=64 time=0.431 ms
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.580 msAnd yet...
Through DHCP: DNS server is set to LAN
Search domain: home.arpa
********** STOP PRESS ***************
You have solved this!!OM*G - After a clean install, I somehow knew there was something basic at the heart of this. Of course it takes knowledge and expertise to narrow down on where the issue might lie.
And that is what you have done.
On top of that, you have had the patience and grace to stick this out and not fob me off, whilst undoubtedly doing the same for many others.
I am most grateful.I now can access (firstly using hostname), and now also FQDN.
Without security warnigns of course. ;)I suspect there was something else I had clutzed that started this entire thread....prior to the clean re-build , but again it was your help that guided me to the right place.
After your definitive statement that it was Browser not using pfsense DNS, I found I could access using hostname on others browsers - Safari, Chrome, but had been using Brave. Somehwere down the line I suspect I had followed a tip on Privacy of DNS searches and changed Braves security/DNS settings to use OpenDNS. (Embarrassed. )
For completeness I am posting the Brave setting.
Thanks again, @johnpoz you are a legend and DNS God. <Nows, tips hat and swirls hand in a manner fit to introduce a King>Finally, I hope this is not considered a waste of your time. You have taught me quite a bit along the way
-
@phantom99 just glad you got it sorted.. I could talk for hours and hours about dns ;)