Problem accessing internal webservers via external addresses
-
I have a bunch of webservers (6 to be precise) for my automation that I need to access in an easy way, which is why I have DynDNS hosts for them. So for instance if I type www.automation.com (of course it's not the real address...) I get to 192.168.1.20:1234 (which is the IP for the PC connected to the switch from pfSense that runs all those machines, on different ports). And if I type www.automation2.com I get to 192.168.1.20:1235 (so another port, which means another webserver). I have NAT'ed all the ports, and it works flawlessly from outside (tested on my phone).
What doesn't work is doing it from inside, neither on my main net 192.168.1.x nor on the subnet for my rental flat, 10.10.11.x. I tried setting up NAT reflection, but that doesn't help. Can somebody please tell me what I'm doing wrong?
Oh, I can't use split DNS because half of those webservers are webhops, so if I go to www.automation3.com it will go to www.automation.2.com:1235. I have to do it this way because of the way one of the programs I use is set up.
-
@mastiff said in Problem accessing internal webservers via external addresses:
So for instance if I type www.automation.com (of course it’s not the real address…) I get to 192.168.1.20:1234
No you don't. DNS has zero to do with some port. Resolving www.automation.com would not return :1234, it would return your IP. But if you have public DNS returning RFC1918 address space 192.168.1.20 then it's borked before you even get started.
So you're doing webhop on your dyn services. Why not just run a reverse proxy on pfSense so you do not have to use all these ports?
So now www.automation.com returns your public IP on the internet. So you hit say 1.2.3.4 on port 80 or 443, the standard ports. Same when you resolve www.automation2.com, it also returns 1.2.3.4, your public IP.
Now your reverse proxy on pfSense says: oh, you want automation.com, that gets sent to 10.10.11.x; oh, you want to go to automation2.com, you go to 10.10.11.y.
From internal you just resolve automation and automation2 to their actual RFC1918 addresses 10.10.11.x and .y, or all the same box if they are doing virtual domains served up on the same machine via host headers.
-
Sorry, but you're wrong (at least the way I use it). Webhop can be set up to work like this:
Client out: www.automation3.com (no port, so 80) --> DynDNS out: (my external IP from the ISP associated with www.automation.com) :1234 --> pfSense out: 192.168.1.20:1234
So www.automation.com is the catch-all address for those servers, and the webhops control which port on my external IP this is sent to. So I can't use DNSMasq or similar because that's not able to do the port magic, as far as I know. Or can it do this:
Client out: www.automation3.com (no port, so 80) --> pfSense out: 192.168.1.20:1234
-
I know exactly what a webhop is - my point is it's not the correct way to do it. But if you're happy with it - have fun and good luck ;)
-
@mastiff
Have you tried NAT reflection in "NAT + proxy mode"?
-
OK, sorry. You know what a webhop is. But is it possible in your way to do it the way I need it? I HAVE to be able to write in just www.automation3.com for it to be like this:
Client out: www.automation3.com (no port, so 80) --> pfSense out: 192.168.1.20:1234
I would love it to work only on the pfSense and keep it internal, believe me. I just didn't think it worked in that way. And if it doesn't, can you please tell me how to do a simple "loopback" (I know that's not the correct word, but I don't know the correct terminology) so that when I write www.something-associated-with-my-dyndns.com it goes to DynDNS and then comes back into the pfSense?
Viragomann (riding a Honda Blackbird myself, but my son's into cruisers), I haven't. Can that change the ports?
-
@mastiff
It doesn't change the ports, but it makes responses go back the same way as requests.
-
Viragomann, it either chews forever (with a port number) or goes to the pfSense dashboard (without a port number).
-
Yes, with the correct way to do this you never have to worry about ports. Using the reverse proxy on your WAN you can send whatever FQDN to whatever httpd behind pfSense you want, all on 80 or 443. You set up your local side to just use the name and go to the local IP that site is being hosted on via its FQDN.
-
I am afraid that either I don't understand you or you don't understand my needs. So let me explain, to be sure: There are four different webservers on the same computer (VM, really, but that doesn't matter, it worked before pfSense, when I was using M0n0wall and an Asus router for what is now a pfSense box). That means that they need to be on four different ports. I have one on the standard 80 port, and the three others on non-standard ports (so 1234, 1235 and 1236 as an example).
With DynDNS webhop I can go from the internet to the three nonstandard port webservers without using the port, because the webhop translates www.automation3.com to www.automation.com:1234 (so without the 3, but with the port). And it is absolutely necessary that this translation happens.
On the pfSense box, the addresses www.automation.com, www.automation.com:1234, www.automation.com:1235 and www.automation.com:1236 are sent to the same VM, with the ports intact. So when they arrive at the VM they will go to the correct webserver on that VM.
When I do this from outside, it works. I just found out that for some reason it works on my secondary subnet as well (which goes to the rental flat), but it doesn't work on the subnet where the VM is. On that subnet the webserver with the standard HTTP port is turned into https and goes to the pfSense web interface, and any of the other webservers times out.
Was that enough of an explanation, so maybe you can see if I am misunderstanding you or you are misunderstanding me?
-
@mastiff said in Problem accessing internal webservers via external addresses:
That means that they need to be on four different ports.
No they do not... I can run hundreds of domains on the same IP via host headers or virtual domains; what they call them depends on what httpd you're using. IIS calls them host headers while Apache calls them virtualhosts.
https://httpd.apache.org/docs/2.4/vhosts/examples.html
Since the box is on rfc1918 you could also have all your different sites be on different IPs.
You use the reverse proxy on pfsense to understand the fqdn to know where to send the traffic in vs just simple port forward..
Here take a look
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
You could also do it with the squid proxy as well.
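What the reverse-proxy approach looks like in practice, as an added example (not from the thread or from the pfSense HAProxy package docs linked above): one HAProxy listener on port 80 that picks the backend from the Host header, so every site is reached by name on the standard port and the non-standard backend port never appears in a URL or a DynDNS webhop. The hostnames, the VM address 192.168.1.20 and the ports 80/1234/1235/1236 are the placeholders used in the thread; which name maps to which port is an arbitrary choice for the example.

```haproxy
# Added example of host-header routing for the thread's setup; not the
# project's own config. Addresses and names are the thread's placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog            # one log line per request: useful for spotting probing of exposed sites
    option forwardfor         # hand the real client IP to the backend in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_http
    # Bind on the WAN address only; pfSense's own web GUI stays off this port.
    bind *:80

    # Match the Host header, lower-cased, with any ":port" suffix stripped.
    acl host_auto  req.hdr(host),lower,field(1,:) www.automation.com
    acl host_auto2 req.hdr(host),lower,field(1,:) www.automation2.com
    acl host_auto3 req.hdr(host),lower,field(1,:) www.automation3.com
    acl host_auto4 req.hdr(host),lower,field(1,:) www.automation4.com

    use_backend vm_port80   if host_auto
    use_backend vm_port1234 if host_auto2
    use_backend vm_port1235 if host_auto3
    use_backend vm_port1236 if host_auto4

    # Anything that arrives with an unknown or missing Host header is refused
    # instead of being handed to some default service.
    default_backend deny_unknown

# Same VM, four different ports: the port lives here, not in the client's URL.
backend vm_port80
    server vm 192.168.1.20:80 check

backend vm_port1234
    server vm 192.168.1.20:1234 check

backend vm_port1235
    server vm 192.168.1.20:1235 check

backend vm_port1236
    server vm 192.168.1.20:1236 check

backend deny_unknown
    http-request deny
```

With this in place the internal side needs no hairpin at all: a host override in the pfSense DNS Resolver that points each name at the address HAProxy is bound on (the LAN address, if the frontend also binds there) makes LAN clients reach the proxy directly, while external clients reach the same frontend via the public IP. Moving the pfSense GUI off 443 and disabling its HTTP-to-HTTPS redirect, as suggested later in the thread, keeps the GUI out of the path in either case.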
-
But you are not using the Girder and EventGhost home automation webserver to run your domains on. I have for 10 years. :) Just trust me, they need to be on different ports for this stuff. And as I said, it works on the opt1/other subnet, the ping-pong to DynDNS and back just doesn't work on the same subnet as the VM with the webservers is on. Can you think of a reason why that is? I have used rules to exclude the optional subnet from accessing the pfSense interface, can that be the reason?
-
That you would open home automation anything to the public internet is nuts if you ask me. That it has to run on nonstandard ports is also nuts.
You stated they are running on a VM. Then set up 6 VMs and give them different RFC1918 IPs, so you do not have to deal with the nonsense of webhops.
Or just use the URI with the port included, and set up your NAT reflection with the ports you're using. Sounds like you're trying to skin the cat with a dull rusty spoon vs a butcher knife..
-
I could give you the IP, and you couldn't get in. There are no known vulnerabilities (the webservers only do two things, and that is show a webpage to give commands and info), so it's virtually impossible to do anything without the correct username and password. So there's no danger. And I can't connect the physical hardware to more than one VM at a time, so I can't use more than one VM. Of course I could spend around 2000 dollars to get six of each of the hardware, but that would just be dumb.
Seriously, I am fully aware that you know a LOT more than me about pfSense and networking. But I have been doing home automation for many years (I checked, and my first setup was from 1998, it turns out). And my current system runs perfectly, as long as the traffic is forwarded as it should. I have been running versions of this system for 4-5 years, and this is the first time I have this problem.
As I said, before I ran an Asus router that forwarded everything inbound to a M0n0wall firewall and split my subnet from the rental flat's subnet, and the M0n0wall sent the stuff to the VM, with the ports. I never had any problems going from my home net with an address without a port to DynDNS, which changed the address and attached a port, and then back into the VM on my system. But I figured that I would leave M0n0wall (the father of pfSense) because it's too old, and I didn't need the Asus router when the pfSense could both split and forward. Or so I thought.
So again, any idea why I can do my pingpong from the rental flat's subnet, but not on the subnet where the VM is?
-
@mastiff said in Problem accessing internal webservers via external addresses:
but it doesn’t work on the subnet where the VM is. On that subnet the webserver with the standard HTTP port is turned into https and goes to the pfSense web interface, and any of the other webservers times out.
So configure the pfSense web GUI to listen on another port than 443, also uncheck "WebGUI redirect" and activate NAT reflection with proxy mode.
-
@mastiff said in Problem accessing internal webservers via external addresses:
There are no known vulnerabilities
Oh that is funny!!!
But yeah, as viragomann stated, you're going to have to use NAT reflection. What a non-efficient way to do something... Here, let me bounce all the way to some proxy running on the internet (webhop) so it can send my browser a redirect with the port on it. Then I can hit my actual public WAN IP on this port, to get reflected back into a box sitting on my network. What a fantastic solution that is, vs just saying using fqdn:port in your URI and having that FQDN resolve to your RFC1918 address locally, and forward it on the public side.
So this runs on Windows, and its latest release is from Feb of 2016?
Latest release: EventGhost 0.4.1.r1722 [source], Feb 03 2016
-
For the avoidance of misunderstanding, in my opinion the proxy solution is also the better way to do that and offers more options in configuring the application servers. But Mastiff obviously wants to get it to work as it did for years before.
-
Many home routers NAT reflect out of the box. Anything that NAT reflects is borked, to be honest. NAT reflection is just a plain abomination if you ask me ;)
pfSense does not NAT reflect out of the box - you have to purposely tell it, hey pfSense, I like to do things the F'd way - let me hit you on your WAN, just so you can send me back into a box right next to me.. hehehehe
Here is my advice - if you're thinking of NAT reflection as a way of getting something to work, you're doing it wrong! ;) Back to the drawing board, where you don't have to hairpin connections to get them to work.
-
Who runs on releases? The latest VERSION is 05.06.2018. And as far as I have heard nobody has managed to actually break in and do anything in the webservers of EventGhost and Girder when they didn't know the password and username. There's a difference between no vulnerabilities and no KNOWN vulnerabilities. The known part means that there is nobody who has found it interesting enough to find whatever may be there. Also you need to know what IP and ports to attack, and what kind of program is behind them too. Of course there are lots of vulnerabilities found in programs that they can actually make money on hacking! But who wants to spend the time hacking something which has few users and nothing of value to find.
And I have asked more than once in this thread how I can do it with proxies when I need to get to the ports I am using. I have said what I need to send out (a regular web address without a port, so the standard port) and what has to get into the VM from pfSense (another web address, and with a non-standard port). If you could tell me how to do that, I'm all ears. But so far you've only told me how I should be doing it when it isn't possible to do it this way with my programs.
Oh, as for efficiency it doesn't matter. It's text and icons 64x64 pixels that's sent, there is no discernible difference at all.
Viragomann, THANK YOU!!!! I had the NAT reflection with proxy mode set, but changing the port of the webgui and disabling the "WebGUI redirect" fixed it, and I'm up and running!
-
johnpoz, synchronized posting. Like sync swimming, but without the bathing suit. At least I'm not wearing one, I have no idea what you're wearing...
The thing is that I can only work my system this one way (a limitation in the programs, the webserver is just a tiny part of what they do), and I don't want it to be visible to the end user. And that means no port in the URL. And the whole system has been built with so many hours, there is no way I'm changing programs to avoid something that may not be clean enough to you purists, but doesn't slow down anything.