Why is NAT Reflection not a good thing?
-
"The lawyers and hospitals that use this server demanded an EV certificate"
Sorry but I find that hard to believe they even know the difference between a DV and EV cert.. But sure ok those seem like the most technical kind of people that should demand IT standards ;) But sure they demanded something, and now you're hacking it up to get it to work. Vs using different certs for different names??
" I cannot use IP's in the URL because the cert would be invalid."
Says who?? This is a simple SAN.. There is nothing saying that your cert can not be valid and GREEN via an IP.. Now you're going to have an issue trying to do that with an EV cert and using any sort of rfc1918 address..
"All three software programs must use the same FQDN, thus run on the same server"
"The IP's must be different with each program because they communicate internally with each other via IP addresses within the same server."
Yeah what software is this??? I am starting to guess that it is not even set up correctly or optimal at all… You're saying it's a requirement of the software that it use different IPs and they have to be on the same box and use the same FQDN to access?? If you need to direct some software to a port via a name it would use a SRV record so you could do that. And it uses these IPs to talk to itself?? Huh?? Is this some home grown software??? Or an actual commercial product? So the user is actually calling up these 3 different urls in their browser so they can see this demanded by them EV cert??
-
NOYB said it best in another thread. I will stick with NAT Reflection since it works perfectly and so does the software.
-
dcol, your configuration is a bit unusual, which is probably why it confused all these kids telling you it was the wrong way to do it. But your reasoning is sound. I find it amazing that you presented them with some simple limitations like budget considerations and certification requirements that are out of your control and they just couldn't get why that should be important. Amazed but not surprised. I've been doing this for decades, in technologies they've never heard of, and it never ceases to amaze me when people with such a limited scope just can't understand there are things they don't know about. People that criticize your design without having the slightest idea about your problems are neophytes and should simply be ignored.
As to your configuration, I use NAT reflection right now and am looking for a way not to. In pfSense, I've had somewhat inexplicable problems with it at times and that's the only reason. Given it's simple firewall/routing, it should not add any real overhead but pfSense does not appear to do it well.
That being said, why add work to the firewall that isn't necessary? I have a much larger network than yours and use the same port forwarding internally as externally. Copying your forwarding rules from WAN -> OPT to LAN -> OPT will work. As I said, that is what I do and it works great. Very little overhead, no need for a reverse proxy (what was that about?), and you simply need to have the same config on both interfaces. It really should work.
Let me know if you still need help.
-
"budget considerations and certification requirements"
Those too statements are contradictions. There is zero reason for an EV cert in the scenario as presented.. And they are not cheap.. So if you have budget constraints an unwarranted EV cert should never have been even considered.
-
I assume you meant those "two" statements. In any case, he had his reasons and he's the expert on the scene. Who are you, or any of these other trolls, to tell him his design is wrong? Make suggestions and offer alternatives–any REAL engineer appreciates the input. But there is never any reason to be insulting. If he feels his "budget considerations and certification requirements" dictate his need for a single EV cert, then that's his business, and who gives two shits what you or anyone else thinks of it.
Politeness counts. Here's a simple rule of thumb: If you wouldn't say it to their face, don't say it here.
-
Was never insulting.. He just took it that way because he was RIGHT.. And wouldn't even listen to other options… Did you even read the full thread.
And yes I meant two, thanks for the spell/grammar check..
As to politeness counts..
"doktornotor, please do not question a design you know nothing about. Just shows ignorance."
Seems pretty hostile to me - which came from the OP.. After dok stated his opinion..
"he's the expert on the scene" Let me fix this for you "he's the person on the scene" ;)
"and who gives two shits what you or anyone else thinks of it."
Very well stated.. Just wanted to have a discussion on what was going on.. I was never "rude" as you make it out.. Nobody was other than the OP getting hostile when questions were asked and options given... You might want to reread this thread, without injecting tone..
-
"Oh noes, no phantom hacks, please. What you really need on WAN side is SNI and reverse proxy for stuff like HTTP/HTTPS. (Can be done LAN side as well, of course, but just pointless - since, after that, you might fix the broken design that's pointing one FQDN to tons of different places depending on port. One machine, one hostname. Using the proper port, like 443 for HTTPS."
–doktornotor
First reply calls it a "broken design" with "phantom hacks" without thorough knowledge of the problem. In addition, the suggestion is a redesign of a WORKING system that would actually add overhead to the router. Further, the simplest solution to removing NAT reflection, and adding the least amount of overhead, was to use the same port forwarding on the LAN. doktornotor's comment was useless because he clearly did not understand the problem. That's insulting, John, and dcol naturally took offense. If the objective of you guys is to actually help people solve problems, and not try and make them feel stupid, consider what you say and how you say it.
Besides, as much as I love pfSense (and I do), I've reviewed a great deal of the pfSense code, some written by doktornotor and others (can't recall if I've seen yours, John), and it leaves a lot to be desired--like most software out there. You pfSense developers are living in a glass house and should consider the stones you throw.
-
"You might want to reread this thread, without injecting tone.."
There is a consistent tone of condescension, ridicule, belittling, rudeness, arrogance and a plethora of other adjectives, in these pfSense forums. The likes of which would not be tolerated in many (maybe even most) technical forums. So yes the tone is there, and it is being heard loud and clear.
It's deserving of smites.
It is really kind of sad because some of those people are very network knowledgeable. But their tone is a great detractor.
-
I believe it's called "Netiquette" and the lack of it is what has driven me away from the open source world. I participate here because pfSense is awesome.
Ironically, I have found the pfSense forums to be generally good as regards courtesy. This thread is something of an exception in my experience.
-
@johnpoz
I was reading this old thread and was amazed that the reverse proxy wasn't mentioned earlier. Although I have some issues related to this post as well. Let me explain my situation:
I am one step further: I set up a reverse proxy that does a lot, all on port 443.
It has several web services on separate servers behind it, also SSH, some protected with a client cert, and I even got RDP working in sort of a poor man's RDP gateway, so yes I can RDP to multiple machines by connecting to the same address. Some fictive examples:
abc.example.com:443 --> webserver 1
xyz.example.com:443 --> webserver 2
def.vpn.example.com:443 --> webserver 3; also you need a client cert to connect.
aaa.ssh.example.com:443 --> ssh to a server
rdp.example.com:443 --> rdp to several servers; when you connect your user name should be formatted: servername\username
Now all works as designed, but when I am on my LAN I want to connect to the same addresses from inside as I do from outside. For some reason NAT reflection broke after some update of pfSense and I never got it working again. When I connect from inside it is reflected to the right server but it serves the certificate of my ISP's modem?? Which is strange because that cert is only in the modem, not in the pfSense box.
I enabled HSTS on all connections in the reverse proxy, so because of the cert issue I cannot connect from inside (if I turn that off it works with the wrong cert, so you get nasty messages). Also using the internal DNS trick to skip the NAT reflection hack altogether will not work because I am used to using all services on port 443. However all servers have their services configured on all kinds of ports, so I have to start remembering what to connect on which port when using the DNS solution. Any idea how come my modem cert is showing when using NAT reflection? Oh yeah, one last important thing: the modem is not in bridge mode, it is just routing as well, and I have put my pfSense box in the DMZ of the modem to forward everything to the pfSense box and let that do its thing.
Like i said it worked for years and broke with pfSense version 2.4.5.
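Both doktornotor's "SNI and reverse proxy" suggestion and the everything-on-443 setup in the post above rest on one mechanism: the proxy reads the server name out of the TLS ClientHello before any decryption and routes on it. As an added example (not code from any poster, nor from pfSense or any proxy product), this Python script builds a real ClientHello offline with ssl.MemoryBIO, parses the SNI extension by hand, and picks a backend from a constructed routing table; the hostnames follow the fictive examples above and the 10.0.0.x backend addresses are assumptions.

```python
import ssl
import struct
from typing import Optional, Tuple

# Constructed routing table modelled on the post's fictive hostnames;
# backend addresses are assumed placeholders, not anyone's real network.
BACKENDS = {
    "abc.example.com": ("10.0.0.11", 443),
    "xyz.example.com": ("10.0.0.12", 443),
    "def.vpn.example.com": ("10.0.0.13", 443),
}

def client_hello_bytes(server_name: str) -> bytes:
    """Produce a genuine TLS ClientHello for server_name without touching the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello has been written to the outgoing BIO
    return outgoing.read()

def extract_sni(record: bytes) -> Optional[str]:
    """Walk TLS record -> ClientHello -> extensions and return the host_name, if present."""
    if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                         # handshake type 1 = ClientHello
        return None
    p = 4 + 2 + 32                                      # header, legacy version, random
    p += 1 + hs[p]                                      # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher suites
    p += 1 + hs[p]                                      # compression methods
    if p + 2 > len(hs):
        return None                                     # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        body = hs[p + 4:p + 4 + ext_len]
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:   # server_name, type host_name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

def route(record: bytes) -> Optional[Tuple[str, int]]:
    """Choose a backend by SNI; a missing or unlisted name gets no backend, not a default."""
    name = extract_sni(record)
    return BACKENDS.get(name) if name else None
```

A ClientHello with no SNI, or with a name not in the table, is refused rather than handed to a catch-all backend, which is the behaviour a proxy needs so that an unexpected name never ends up answered with the wrong certificate.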