what do i need to setup to direct different domain names to IPs on my network
-
@viragomann
ill have to get back to you on all those some kinda confuse me.. im a visual learner not as much a reader.
but to try to answer your questions about my things
the Websites i have never been able to access all of them from the localhost just it always picked the first one
so my webserver is 192.168.0.30
now it runs windows server running IIS and i have
www.test.com
www.test2.com
www.test3.com
as examples..
so in the past i was able to Port Forward my 80 to the 192.168.0.30 and then Windows determined which website it works..
if i do on my local network 192.168.0.30 she will pick the first website running so that works
if i try <wan ip address>:80 doesnt connect
it used to work in the past but when i alter something i never thought of checking my webservers if still working.. so thats why maybe i checked off a box i shouldnt have reason why the port forwarding or the haproxy isnt working.. probably when i set up the vpn i not totaly sure..with the 192.168.0.3:3000 yes works on the internal network goes right to the page... but doing <Wan ipaddress>:3000 doesnt work even through cell on a cell internet not the wifi
ah ok so pfsense doesnt offer like unraid a anonymous diagnostic logs where it hides all the important data but exports data so other users can help you fix it.. but doesnt show any passwords etc..
so ill have to learn that packet capture.. etc.. i dont use the pfsense every day i use it because it had features i needed that my asus router didnt have.. so pfsense did what i needed.. so i not smart at it and i set it up and forget it.. not one that access's every day like all these professionals.. do like this program.. but sometimes its over my head at times least with a learning disability and certain words i dont understand but then again i not working with this everyday
but enough of my issues you dont wanna hear..
what screen shots do you need to see that could be causing the port forwarding issues or the haproxy issue.. i googled and it linked me to
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging.
i tried checking each one but some didnt apply and i think i checked them all and that didnt apply to fix my issues ..
but ya if you can tell me what screen shots you specifically need to see my mistakes.. so i can get things up and running again
and i appreciate you taking the time in helping me.. i very appreciative
-
@viragomann so i been fiddling no luck.. what screen shots would you need?
also i noticed i get an error if i type my www.example.com
i get error
503 Service Unavailable
No server is available to handle this request.
but if i type 192.168.0.30 (webserver) it works just fine picks off the first website in the list of 5... so is pfsense blocking it.. i tried to google it but i not finding what i need.. and still havent gotten the www.example.com:3000 to or the haproxy to work yet something is blocking it in here
-
@viragomann so here are some screen shots of my rules and nat
what other settings would you need to see to see whats wrong
entered port 80 and click Start
tried going to my one website... and just got page cant be found really.. i stopped the capture
to view but shows up blank
-
Still not clear, what you're trying to implement now, port forwarding or the haproxy? Please, declare at first.
There is no way to help if I don't know what you're trying to achieve.
If you can go with accessing the Rocketchat on port 3000 I'd do portforwarding, since it is easier to realize.
Also give some details about your network.
The LAN is 192.168.0.0/24?
-
Both...
sorry explaining wrong.. i gave up on HAproxy.. because i said Port Forwarding no longer works and asked whats setup wrong..
because i mentioned my VPN, outside of the VPN, i mention my Webservers no longer work. i mentioned trying to use the HAProxy i get 503 error..
but ill try again
1st i wanted port 3000 to work but like i mentioned Port Forwarding is broken.. I send you link of the like 13 steps to follow to fix Port Forwarding.. none help and most didnt apply to me.. so reason you said you need settings,, reason i sent the photos of my Rules and Nats to see where its set wrong..
2nd.. Port Forwarding is broken for Port 80 its like being blocked or so
3rd That Packet Capture doesn work shows up blank
4th
my network i mentioned above but is
192.168.0.1-30 (VPN)
192.168.0.31-49 (WAN)
192.168.0.50-255 (VPN)
192.168.10.x (Camera network) (not setup yet)
192.168.20.x (Guest Network) (not setup yet)
but overall like i mentioned from trying to get rocketchat to work.. Port Forwarding no longer works for Windows Server for Port 80 and i trying to get Port 80 to forward to 192.168.0.30....
i dont know what is blocking it
i have also changed in dhcp server
so 192.168.0.30 no longer uses the DNS servers of my vpn but just 192.168.0.1 for my Webserver
i removed the DHCP of everyone from my VPN servers to 192.168.0.3
but ya i trying to get the 5 webservers and Rocket chat to work and like i mentioned i only found out Webservers are not port forwarded because i couldnt get Rocket Chat to Port Forward.. as you see in the screen shots
Port Forward 80 goes to 192.168.0.30 and on the Same screen shot you see i have it setup Port Forward 3000 goes to 191.168.0.3.. And neither is working. Port forwarding is broken and i been googling past week trying to watch videos etc.. what is checked off/on that broke port forwarding.. or if because i have a VPN
so i just dont know where to look anymore i keep trying a setting see if it works or not..
Rocket Chat Works Local Network Not WAN
Webserver Works Local Network Not WAN
i mentioned i followed
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging
and these did not help me.. reason i said i must have something configured wrong that is conflicting and broke port forward
im gonna try later today a fresh clean install of pfsense setup the port forward 80 and 3000 and using fresh install to see if it works.. as i no longer know where to look so i hoping that will fix things
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
Both...
You cannot do both.
If you want to run haproxy, you have to disable the portforwarding and set or edit your WAN rules to allow the access.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
i mentioned trying to use the HAProxy i get 503 error..
No. You mentioned the error, but not that it happened with haproxy.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
I send you link of the like 13 steps to follow to fix Port Forwarding..
?
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
2nd.. Port Forwarding is broken for Port 80 its like being blocked or so
So you may troubleshoot it or not?
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
3rd That Packet Capture doesn work shows up blank
Without info on which interface the capture was taken, that statement is useless.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
but ya i trying to get the 5 webservers and Rocket chat to work and like i mentioned i only found out Webservers are not port forwarded because i couldnt get Rocket Chat to Port Forward.. as you see in the screen shots
Your screenshots don't show any port forwarding.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
Port Forward 80 goes to 192.168.0.30 and on the Same screen shot you see i have it setup Port Forward 3000 goes to 191.168.0.3.
These are firewall rules!
Portforwarding is done in Firewall > NAT > Port forward.
-
1.. some reason the forum lost the picture.. Portforward was uploaded with OutBound NAT but ill add it to the end
- when i said both.. I was stating i try to get both to work... i dont need to run both same time. but HAproxy is non functional. Port Forward is non functional is what i meant... i need the Port Forwarding of Port 80 up and running my websites been down apparently months
- the 503 error figured you knew was from the HAproxy.. as that error doesnt show up if you dont have haproxy setup.. figured you probably already knew it.. as i trying to try all settings turning things on and off ...
4, you did the "?" for the 13 steps i said i did and i send you the link.. but its 15 steps. here it is again
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging
5,, yes i been trying to trouble Shoot Port 80 for a week since your last reply.. still no luck.. from a cell or remote computer can not Forward Port 80 for my webserver.. internal IP still works external doesnt.. i was able to get traffic to finally show up on the WAN firewall rule not sure what fix got it to do it.. but it still cant process the website.. I did get rocket chat to work 20 min ago kinda outside of the network.. it finally showed up saying Rocket chat.. but firefox keeps saying "gah tab crashed" so i not sure if its truly working or not....
- Capture Pack.. not sure what you mean the info to the interface.. default is WAN i entered the IP and port but the START and STOP didnt record anything
here is the screen shot of Capture Packet and the NAT Forwarding that was uploaded other day
sorry if i lousy explainer.. sounds all clear when i write it..
-
Ok, so let's go with port forwarding.
And try to troubleshoot one by one.
For your webserver you have a mistake in the port forwarding rule. The destination has to be WAN address.
You say, you are able to access the webserver from internal network by simply entering 192.168.0.30 in a webbrowser. Does it also work from another subnet?
If so try to access it from the internet by entering your WAN address into the browser.
If that doesn't work, take a packet capture on WAN and only filter the port 80. In the screenshot you have filtered for the internal IP, so it's normal that you don't see any packet.
-
ah ok . so change the LAN address to WAN Address? how come i thought i needed to port forward to LAN address of 192.168.0.30.. it used to be WAN originally but since i been trying to trouble shoot and figure where things went wrong...
i have not tried another subnet.. only because Guestnetwork and Cameras is setup for future when i get guests and cameras
but i have a dedicated OpenVPN connection to my sisters house her ip is 192.168.1.x i setup
if i type in a FireFox on that network and type 192.168.0.30 websserver .. i get a 404 error.. doing 192.168.0.3:3000 gets me the rocketchat website on my network
if i try accessing my webserver address from my local network (192.168.0.x).. so www.example.com i get this error
"Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname." keeps loading up the pfsense doesnt want to goto webserver
so hope that helps so far. in finding my mistakes
if i do www.example.com on my 192.168.1.x firefox i seem to get the website to work.. but not by IP address i also decided to reinstall a new VM of windows and post my websites on there so i only have 1 website out of my 5 setup.. just to test if maybe was my vm that failed.. as i dont know why things went wrong.. plus you never know right its windows always needs updating lol
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
if i type in a FireFox on that network and type 192.168.0.30 websserver .. i get a 404 error.. doing 192.168.0.3:3000 gets me the rocketchat website on my network
So you know, both servers are responding to access from outside your LAN.
If you want to access your websites by their hostnames from within your network you should either
- set up DNS overrides or
- configure DNS reflection
DNS override is the more reliable solution. Assuming pfSense provides DNS in your network and you run DNS Resolver, go to the Resolver settings and add the needed overrides there.
-
i guess i have pfsense doing DNS?
i set like the webserver use 192.168.0.1 as the DNS
i set WAN's DNS to either 192.168.0.1 or the 1.1.1.1 ad 1.0.0.1 apparently they advertise in videos etc to change your dns to 1.1.1.1 its faster
and on my DHCP behind my NordVPN i set the DNS to the 2 servers they offer but then i changed it to 192.168.0.1 as the 2 dns servers i also have in the General Setup.. so which setups should i keep ... could any of that be conflicting.. as i never really checked everything after each change i did... and does the DNS override dns reflection cause the behind VPN to leak... as i plan to add cameras on my network and be behind the VPN and dont want the cameras to leak out that could be caught by hackers
ill take a look at it this afternoon.. and try the override or the dns reflection
oh and yes i run DNS Resolver in my network but my outgoing Network connections are my VPN if i add it to WAN then it leaks my dns, so no longer secure.. under the dnsleaktest and ipleak... in the overrides do you know what i need to add.. i not at hope to check it right now..
and thank you for the help so far.. i appreciate it.. as i been banging my head why nothing working right... must been when i had to readd my vpn as websites and port forward worked when i didnt setup a VPN
oh and does it matter i have 2 vpns .. 1 is for the network a subscription and the other is openvpn i have connected from my house to my sisters house to connect her pfsense with my pfsense... constant connecton would any of that conflict too
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
on my DHCP behind my NordVPN i set the DNS to the 2 servers they offer but then i changed it to 192.168.0.1 as the 2 dns servers i also have in the General Setup.. so which setups should i keep ... could any of that be conflicting.
No, the DNS client tries the first in the list, if that one doesn't respond it tries the next and so on.
So if 1.1.1.1 is the first entry, another one is only requested if this fails.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
and does the DNS override dns reflection cause the behind VPN to leak.
No.
DNS leak means that DNS requests are sent out to the WAN gateway while other traffic is directed over a VPN.
That can be prohibited by setting the Resolver to use the VPN connection for requests as you did already.
DNS override means that pfSense resolves the overridden hostnames itself. Requests for these hostnames are never sent out.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
oh and does it matter i have 2 vpns .. 1 is for the network a subscription and the other is openvpn i have connected from my house to my sisters house to connect her pfsense with my pfsense... constant connecton would any of that conflict too
No. I guess your sister doesn't use your DNS server.
-
i didnt get really get to test it yet as my sisters internet went down
but i did setup Host Override and did www.example.com 192.168.0.30@80
and same for the @3000
my question is how come the port forward doesnt normally work like it used to but need to add this.. is it because i have a VPN setup? and not just the basic WAN
2.. so if 1.1.1.1 if is in my first entry what i meant is what should the network properly be configured for... should the proper way be 1.1.1.1 or should it be using 192.168.0.1 as the DNS... the only reason i left the 192.168.0.1 is i seen how cloudflare and Linus Tech tips said switch to 1.1.1.1 you will find your internet to speed up better as my internet only 5mbps download/500k upload.. so i tried to maximize it completely
so i have mix of 192.168.0.1, blank, 1.1.1.1, and 103. as i was experimenting but never knew which one to keep and wasnt sure if anything leaks as i had to figure that one out i was having leaking issues
2nd the resolver can you explain it better for me the dumb guy.. when you say "that it can be prohibited by set the resolver to use VPN connected .." like i know from NordVPN you need to Select Out Going network as VPN ones and when i played with adding WAN in the past to try to get my websites to work as i wanted WAN connection to handle it like it did before i setup a VPN.. thats when i found it was leaking DNS..
so does the Host Override mean that when Outgoing Network is set to your VPN... the host override handles domain names to go over the WAN connection to the designated ip on the network.. like its own secret Passcode backdoor... sorry if i confused things up sounds ok in my head . i mean like override means that it allows access when the Outhgoing Network is set to VPN and not WAN
ya my sisters dns is her own.. 192.168.1.x i only have a Open VPN connection between her and i.. and use the same VPN subscription and i do the remote maintance as she lives 2.5 hours away from me.. so i keep it open to fix etc
thank you for help so far.. and ill see if the host override will work once her internet is back as she been experiencing issues
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
but i did setup Host Override and did www.example.com 192.168.0.30@80
and same for the @3000
You cannot do a host override with ports. You can only enter a hostname and an IP. So here you can enter "www" into the host box, "example.com" at Domain and 192.168.0.30 at IP address.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
my question is how come the port forward doesnt normally work like it used to but need to add this.. is it because i have a VPN setup? and not just the basic WAN
Seems you're messing up DNS and Port forwarding (NAT). These are completely different things.
The port forwarding doesn't need these entries. As stated above, when you forward your WAN address to 192.168.0.30, you're able to access your webserver from the internet.
For accessing it by using its hostname like www.example.com, you use a DynDNS service. However, this resolves the hostname to your WAN address, but since your port forwarding is set on the WAN interface, you are not able to access it from inside. Best way to get it work when using an internal DNS (resolver) is to set up a host override for that name, the same host name you use from the internet.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
2.. so if 1.1.1.1 if is in my first entry what i ment is what should the network properly be configured for...
Which network? Your internal devices should use pfSense for DNS requests. What you setup in pfSense itself in System > General Setup is on you. The pfSense IP is useless here at all.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
the only reason i left the 192.168.0.1 is i seen how cloudflare and Linus Tech tips said switch to 1.1.1.1 you will find your internet to speed up better
1.1.1.1 is Cloudflare. And who is Linus Tech...?
In the DNS Resolver settings at "Outgoing Network Interfaces" you just can select the interface which the Resolver sends requests on his part. E.g. if a client in your LAN asks for www.yahoo.com and the corresponding IP isn't in its cache, it has to request another server for that, the server, you have set in the General settings. If you have only the VPN selected at "Outgoing Network Interfaces", pfSense tries to access the DNS server over the VPN. If you also have WAN selected the request may go out to WAN interface.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
so does the Host Override mean that when Outgoing Network is set to your VPN...
Requests for hostnames which are matching an override are never sent out, but responded by the Resolver using the IP stated in the override. Read the hints on the configuration tab:
Any lookup attempt for the host will automatically return the given IP address, and the usual lookup server for the domain will not be queried for the host's records.
So that has nothing to do with the VPN.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
i mean like override means that it allows access when the Outhgoing Network is set to VPN and not WAN
Host overrides allow nothing. You just can control which IP the Resolver provides to the clients when requesting the meant host.
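Added example (not part of the original thread, and not pfSense code): a small Python model of the two mechanisms discussed above, DNS host overrides and WAN port forwards, showing which of the thread's connection attempts end up at the web server. `WAN_IP` is a constructed documentation address, `chat.example.com` is a hypothetical second hostname, and NAT reflection is assumed to be off.

```python
from dataclasses import dataclass

# Constructed values: WAN_IP stands in for the real public address and
# chat.example.com is a hypothetical second hostname (assumption).
WAN_IP = "203.0.113.10"
FW_LAN_IP = "192.168.0.1"                    # what pfSense calls "LAN address"
WEB, CHAT = "192.168.0.30", "192.168.0.3"    # IIS and Rocket.Chat hosts from the thread
PUBLIC_DNS = {"www.example.com": WAN_IP, "chat.example.com": WAN_IP}
FIREWALL_IPS = {WAN_IP, FW_LAN_IP}


@dataclass(frozen=True)
class PortForward:
    interface: str     # interface the packet must arrive on
    dst_ip: str        # address the client sent the packet to
    dst_port: int
    target_ip: str
    target_port: int


def resolve(name, overrides):
    """A host override is answered locally and never sent upstream.
    It maps a name to an IP only; it cannot carry a port."""
    if name in overrides:
        return overrides[name]
    return PUBLIC_DNS.get(name, name)        # literal IPs pass through unchanged


def deliver(rules, in_iface, dst_ip, dst_port):
    """Where a new connection ends up (no NAT reflection modelled)."""
    for r in rules:
        if (r.interface, r.dst_ip, r.dst_port) == (in_iface, dst_ip, dst_port):
            return (r.target_ip, r.target_port)
    if in_iface != "lan":
        return None                          # unmatched WAN traffic is dropped
    if dst_ip in FIREWALL_IPS:
        return ("firewall", dst_port)        # terminates on pfSense itself
    return (dst_ip, dst_port)                # ordinary LAN traffic, untranslated


def reach(rules, overrides, in_iface, host, port):
    """Resolve the name first, then apply NAT: two independent steps."""
    return deliver(rules, in_iface, resolve(host, overrides), port)


# The mistake from the thread: destination set to LAN address instead of WAN address.
BROKEN = [PortForward("wan", FW_LAN_IP, 80, WEB, 80)]
FIXED = [PortForward("wan", WAN_IP, 80, WEB, 80),
         PortForward("wan", WAN_IP, 3000, CHAT, 3000)]
OVERRIDES = {"www.example.com": WEB, "chat.example.com": CHAT}


def scenarios():
    """Each attempt described in the thread and where it lands."""
    return {
        "internet, broken rule": reach(BROKEN, {}, "wan", WAN_IP, 80),
        "internet, fixed rule": reach(FIXED, {}, "wan", "www.example.com", 80),
        "internet, port 3000": reach(FIXED, {}, "wan", "www.example.com", 3000),
        "LAN, no override": reach(FIXED, {}, "lan", "www.example.com", 80),
        "LAN, with override": reach(FIXED, OVERRIDES, "lan", "www.example.com", 80),
        "LAN, www name on 3000": reach(FIXED, OVERRIDES, "lan", "www.example.com", 3000),
        "LAN, chat name on 3000": reach(FIXED, OVERRIDES, "lan", "chat.example.com", 3000),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:24} -> {result}")
```

The "LAN, www name on 3000" case lands on the web server rather than Rocket.Chat because the override changes only the IP, which is why a service on a different internal host needs its own hostname and override.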
-
@viragomann ah ok so i got more questions.. i appreciate your responses it also helps your explations too you explain it like a DOS for Dummies those books.. i appreciate it..
couple things i miss wrote
i didnt setup host override i did the domain override is what i meant.. when i read both of them and reading it seemed to me in my head.. that domain override means.. when Incoming dyns names the www.example.com that it redirects to a Specific IP address and port. reason i mentioned i had to type in 192.168.0.3@3000 and 192.168.0.30@80
now im problem wrong but this is how i thought that works.. When you setup Pfsense no vpn just plain.. Regular Port Forwarding Works www.example.com in port forward 80 and it goes to 192.168.0.30 and it works fine.. But adding the VPN it mess's it all up and seems when i added the domain override 192.168.0.30@80 to www.example.com it seems to forward to that.. is that how im understanding.. no vpn Port Forwarding works fine.. with added VPN i needed the domain override.. which seems to get the 1 website working by www.example.com
least thats how i thought it works
2nd.. i guess i explained wrong.. when i do the 192.168.0.30 goes to the default website from my sisters network 192.168.1.x (which i access with OPEN vpn connection to her pfsense)
if i type my WAN IP address on my local network it does nothing page cant be found
if i type my WAN IP:3000 on my local network page cant be found
if i type my WAN IP:3000 on my sisters network (192.168.1.x on FireFox Docker) it can find it but then tells me Tabs has crashed.. but its getting there
if i type www.example.com on my sisters network (on the Fire Fox Docker) it connects to the website
if i type WAN IP on my sisters network (on the firefox docker) page cant be found
i know i missed something but now i gettin confused on my testing.. some is working some isnt it seems
so the DNS Resolver so when you set it up its only specific for the VPN then? i guess when i linked outgoing WAN VPN connections reason it leaked as what was supposed to be only VPN traffic was going on the WAN
so my question is then.. how does it work if you want WAN Resolver and a VPN Resolver.. like with the DHCP if you have virtual IP i can have LAN and OPT(Virtual Network) under DHCP Servers..
is there an option for DNS Resolver.. 1 for VPN (so you can select just the VPN outgoing connection ) and another for IPS on the WAN so that the Outgoing Network is WAN is that an option or no..it popped in my head and i figured id ask..
i really like the pfsense just takes alot to learn lot better then my Asus DLink routers an and way better then years ago MS Wingate,Sygate for routing internet on the network back in the date
i appreciate all you done so far.. i hope you can understand what i write.. with my dislexia it always sounds right when i write it.. But people sometimes dont understand or i mix up words like the host override and domain override.. and my dislexia is bad i will read the word "mother" and it comes out as "hi there" complety messed up.. all cuz i was born with cancer, and radiation on brain so it make things hard to explain sometimes.. so i like to thank you for helping and taking the time to help me and try to understand.. very appreciatiated
and if i missed something to explain etc.. just ask.. as i know i probably didnt explain something right (:
-
Domain overrides are for forwarding DNS requests for a whole domain to a specific DNS server. That isn't what you need.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
if i type my WAN IP address on my local network it does nothing page cant be found
if i type my WAN IP:3000 on my local network page cant be found
I mentioned above that that won't work. That is what host overrides are for.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
if i type my WAN IP:3000 on my sisters network (192.168.1.x on FireFox Docker) it can find it but then tells me Tabs has crashed..
Possibly a failure in the browser. Try another one. Just take a smartphone, shutdown Wifi and try to access your services.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
if i type WAN IP on my sisters network (on the firefox docker) page cant be found
Error 404? That is the default behavior if there is no default website defined on the server. However the error response is coming from the webserver.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
is there an option for DNS Resolver.. 1 for VPN (so you can select just the VPN outgoing connection ) and another for IPS on the WAN so that the Outgoing Network is WAN is that an option or no..
There is only one unique DNS Resolver on pfSense.
And with "Outgoing networks" you can tell the resolver how to go out for upstream requests. If you have only VPN selected, all request go over the VPN.
If you want to be able to resolve even when the VPN is down, select WAN additionally and set the first DNS server in the General settings to go out to VPN.
That's it.
-
@viragomann
ah ok i kinda think i understand..
so WAN IP on my local network doesnt work.. ok
i cant test another browsers on my sisters network Unraid doesnt offer another Docker just firefox and that unraid the computer cant support VMs... but ill try my cell phone good thing i still have some data as internet on a cell phone is too expensive in canada.. so i stick with DSL... but ill try
sooo not use domain but use the Host override... ill try that... and host override takes the dns name and makes sure it goes to that IP address right?
ugh i cant post my reply i cant figure what this damn Spam is in my reply that is flagged as spam in my explanation ugh.. so i cant explain anything i got along comment message questions
but i cant post it..
and here was my settings