Netgate Discussion Forum

    LAN to webserver on same subnet really slow

    General pfSense Questions
    24 Posts, 4 Posters, 2.3k Views

    ajackson86 @stephenw10

      Thank you Steve, I have removed the host overrides. How long does it usually take for the new config to take effect? As I'm still unable to access the websites internally and externally. It seems the only setting that did work was the NAT + Proxy, I'm not sure why. I also haven't downloaded any additional packages for pfSense either, maybe there might be something I have not configured properly. Any other suggestions?

    ajackson86 @stephenw10

      It was my mistake, I was getting confused with my URLs. It is all working now and a lot quicker than before, all your instructions helped with resolving my issue. Thank you very much Steve.

    johnpoz LAYER 8 Global Moderator @ajackson86

      @ajackson86 said in LAN to webserver on same subnet really slow:

      That's correct, the domain names are being resolved to my public IPs,

      Not what I asked at all.. I asked where your client points to for DNS..

      From what you have posted - seems like you're using NAT reflection vs doing it the correct way and using split DNS.. But you know the wrong way is better than performance any day of the week ;)

      Why not bounce local traffic through my firewall via a hairpin.. Makes perfect sense to do it that way ;)

      Hmm want to go to the bathroom... Let me walk through the house out onto the front porch, then back in vs just going straight to the bathroom... Way more efficient that way ;) Might make sense if you're wanting to hit your 10k step goal via your fitbit, but packets don't need steps ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

    ajackson86 @johnpoz

      I thought I answered your question :) I purchased a domain name from names.co.uk, I have static IPs assigned by my ISP and have assigned those static IPs to my domain names in names.co.uk, those domains point to the 2 webservers I have behind the pfSense box.

            Thinking about it now, if you're talking about the dns servers, they are provided by my ISP.

            Using NAT reflection is helping and it is a whole lot faster than what it was before, but I would still like to learn the proper way, I understand what you're saying completely, it really doesn't make sense for the internal traffic to go out and come back in again just so I can reach my servers, but it is working a whole lot better than what it was when I tried to set it up myself.

      Could you perhaps enlighten me as to what the proper way is please, then I could apply those settings instead? I'm still a newbie with regards to all of this :)

    stephenw10 Netgate Administrator

              Yes, split DNS is far more efficient for traffic flow. NAT reflection is usually easier.

              But you can enable NAT reflection and add split DNS so that clients who use public DNS or other URLs that point to the same server fall back to NAT reflection.

              Of course if it's working fine for you as it is..... 😉

              Steve

    ajackson86 @stephenw10

                Thank you Steve, how would I go about adding split DNS? I'm not familiar with that term.

    stephenw10 Netgate Administrator

                  Using host overrides exactly as you were trying:
                  https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html?highlight=reflection#method-2-split-dns

    johnpoz LAYER 8 Global Moderator

      Let's ask a basic question first.. Where do your clients point for DNS?? If your clients directly point to some outside DNS.. Then you can not use split DNS..

      So for the 3rd time going to ask the very basic question - where do your clients point.. You stated you do not use local DNS..

      there are no onsite dns servers.

      But this is not true if you have pfSense.. Unless you specifically do not point DNS for your computers, laptops, devices, etc.. to it for DNS.. Out of the box the DHCP server of pfSense will point clients to the pfSense IP for DNS, and then resolve for external FQDNs.

      On a Windows machine do an ipconfig /all - where does it show you pointing for DNS?

                    $ ipconfig /all                                                            
                                                                                               
                    Windows IP Configuration                                                   
                                                                                               
                       Host Name . . . . . . . . . . . . : I5-Win                              
                       Primary Dns Suffix  . . . . . . . : local.lan                           
                       Node Type . . . . . . . . . . . . : Broadcast                           
                       IP Routing Enabled. . . . . . . . : No                                  
                       WINS Proxy Enabled. . . . . . . . : No                                  
                       DNS Suffix Search List. . . . . . : local.lan                           
                                                                                               
                    Ethernet adapter Ethernet:                                                 
                                                                                               
                       Connection-specific DNS Suffix  . :                                     
                       Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller  
                       Physical Address. . . . . . . . . : 00-13-3B-2F-67-63                   
                       DHCP Enabled. . . . . . . . . . . : No                                  
                       Autoconfiguration Enabled . . . . : Yes                                 
                       IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)            
                       Subnet Mask . . . . . . . . . . . : 255.255.255.0                       
                       Default Gateway . . . . . . . . . : 192.168.9.253                       
                       DNS Servers . . . . . . . . . . . : 192.168.3.10                        
                       NetBIOS over Tcpip. . . . . . . . : Enabled                             
                    

      See where it says DNS Servers... Where do your clients point?? If they are not pointing to pfSense or some other local DNS - then you can not do split DNS.


    ajackson86 @johnpoz

      I understand now, the clients on the network all point to pfSense for DNS. Apologies, I misunderstood the question.

    johnpoz LAYER 8 Global Moderator

      Ok then for split DNS - all you have to do is create a host override in the DNS you're using, either unbound (resolver), which is the default, or if you are using dnsmasq (forwarder) then you would make the overrides there.

      For the FQDN you want to resolve.. www.domain.tld, pointing to the IP address of the local server your httpd is running on - 192.168.1.100 for example.

      There you go, done.. As long as your browser isn't using DoH and not using your local DNS.


    ajackson86 @johnpoz
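The two checks johnpoz describes (look at `DNS Servers` in `ipconfig /all`, then confirm the host override hands the LAN address back) can be scripted. The following Python is an added example, not code from the thread or from Netgate: it parses a constructed copy of the quoted `ipconfig /all` output, decides whether the client resolves through an on-site resolver such as pfSense, and classifies the answer a client gets for the web server's name as split DNS (LAN address) or NAT reflection (public address). The name `www.domain.tld` is johnpoz's placeholder; `192.168.1.100` is his example server address; the public address `203.0.113.10` and the second sample client pointed at public resolvers are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the `ipconfig /all` output quoted in the
# thread: the client sits on 192.168.9.0/24 and points at an on-site resolver.
LOCAL_DNS_CLIENT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : I5-Win
   Primary Dns Suffix  . . . . . . . : local.lan

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
"""

# Constructed counter-example (assumption): the same client hard-coded to two
# public resolvers. Such a client never sees a pfSense host override.
PUBLIC_DNS_CLIENT = LOCAL_DNS_CLIENT.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.3.10",
    "DNS Servers . . . . . . . . . . . : 8.8.8.8\n"
    "                                       1.1.1.1",
)

# Assumed sample values: johnpoz's placeholder FQDN and LAN server address,
# plus a documentation-range address standing in for the public IP.
FQDN = "www.domain.tld"
SERVER_LAN_IP = "192.168.1.100"
SERVER_PUBLIC_IP = "203.0.113.10"

# One `ipconfig /all` field: indented label, dot leaders, colon, value.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 \-]+?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {field name: [values]}.

    Multi-valued fields (several DNS servers) continue on following lines
    that carry only a value, so those are appended to the last field seen.
    """
    fields = {}
    last_key = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            fields.setdefault(last_key, []).append(m.group("value").strip())
        elif last_key and line.startswith(" ") and line.strip():
            fields[last_key].append(line.strip())
        else:
            last_key = None
    return fields


def dns_servers(fields):
    """The client's configured DNS servers as ip_address objects."""
    return [ipaddress.ip_address(v) for v in fields.get("DNS Servers", [])]


def uses_local_dns(fields):
    """True when every DNS server is a private (RFC 1918) address, i.e. the
    client resolves through pfSense or another on-site resolver, so a host
    override there will reach it. Any public resolver bypasses the override."""
    servers = dns_servers(fields)
    return bool(servers) and all(s.is_private for s in servers)


def classify_answer(answer_ip, lan_ip=SERVER_LAN_IP, public_ip=SERVER_PUBLIC_IP):
    """Classify what a client got back for the web server's name:
    'split-dns' (LAN address, direct path), 'nat-reflection' (public address,
    hairpin through pfSense) or 'unexpected' (neither record matches)."""
    answer = ipaddress.ip_address(answer_ip)
    if answer == ipaddress.ip_address(lan_ip):
        return "split-dns"
    if answer == ipaddress.ip_address(public_ip):
        return "nat-reflection"
    return "unexpected"


def diagnose(ipconfig_text, answer_ip):
    """One-line verdict combining the resolver check and the answer check."""
    fields = parse_ipconfig(ipconfig_text)
    path = classify_answer(answer_ip)
    resolvers = ", ".join(str(s) for s in dns_servers(fields))
    if not uses_local_dns(fields):
        return (f"{FQDN} -> {answer_ip} ({path}); client resolves via {resolvers}: "
                "split DNS cannot apply, point the client at pfSense or rely on NAT reflection")
    if path == "split-dns":
        return f"{FQDN} -> {answer_ip}: host override is working"
    return (f"{FQDN} -> {answer_ip} ({path}); client uses local DNS but did not get "
            "the LAN address: check the host override and any DoH in the browser")


if __name__ == "__main__":
    print(diagnose(LOCAL_DNS_CLIENT, SERVER_LAN_IP))
    print(diagnose(LOCAL_DNS_CLIENT, SERVER_PUBLIC_IP))
    print(diagnose(PUBLIC_DNS_CLIENT, SERVER_PUBLIC_IP))
```

To use it against a real client, paste that client's `ipconfig /all` output in place of the constructed sample and pass the address `nslookup www.domain.tld` returned; the verdict tells you whether the override is reaching the client at all before you start looking at the override itself.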

                          Thank you both for all your help, I'll make the changes now.

                          Do I keep all the other settings in place?

    stephenw10 Netgate Administrator

      Yes you can keep the other settings in place. That way if you have clients that are not using pfSense for DNS for whatever reason, they will still be able to hit the servers using the URL.

                            Steve

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.