Unable to access pfsense box using hostname from LAN



  • Hi fellow,

    I cannot access my pfsense box using it's hostname.domain from my LAN. From outside network it's fine, but from LAN it's impossible. The only way I can access the box from LAN is it's local IP address.

    pfsense 2.3.1-RELEASE-p5 (amd64)

    Help from your side will be highly appreciated.

    Regards,
    Nick


  • LAYER 8 Global Moderator

    so I take it your hostname.domain your using is resolving to your public IP..  Why do you not just use a hostname.domain that resolves to your LAN ip..



  • Dear John,

    Thank you for your quick reply.

    Exactly, I'm trying to use my public hostname.domain from my LAN.

    Actually I don't want to use different hostname and domain for my LAN, it's just inconvenient to switch to different hostname.domain when I'm connected to my local network.

    I'm sure pfSense has the capability to resolve my public hostname.domain from my lan, actually when I ping my box using my public hostname.domain it replies from my local IP, but I don't know why my browser can't resolve it from my LAN.

    Regards,
    Nick


  • LAYER 8 Global Moderator

    well is your browser using a proxy?

    so when when you ping this hostname.domain from your lan what comes back.  Why do you feel you should use your public domain on your local network IP?  This make no sense to me to be honest.  So for example my pfsense locally is known as pfsense.local.lan This is how I access it be it local or even when I vpn into my network.  This lan IP has nothing to do with public name.  I do have a few public names that point to my public IP.  But not sure why anyone would want these to be the same?

    To be honest once you create a bookmark to the web gui when your local what does it matter if its a fqdn that resolves on the public internet a local domain or even just an IP..

    Do you really have your web gui interface open to the public internet??  That is a really bad idea!!!



  • Dear John,

    Thanks for the activity. Actually you're right in terms of remote access to my web-interface, it's quite dangerous, but it's a backup plan if something happens to my box and I'm away from home.

    Anyway the only reason trying to use my public hostname.domain is my SSL certificate. When I use another local hostname.domain the SSL certificate is self-signed and it's just inconvenient.

    If there is a chance to use my public hostname.domain in  my local network, honestly I would prefer it.

    I'm looking forward to hearing from you.

    –-
    Regards,
    Nick


  • LAYER 8 Netgate

    Yes.

    Set a host override in your inside DNS server (probably pfSense DNS Resolver or Forwarder) that returns your inside address when the hostname is queried.


  • LAYER 8 Global Moderator

    Use of public domain name because have a signed public cert is again bad logic..  You do understand that pfsense has a CA you can create as many certs as you want for any fqdn you want.  Who exactly accesses this gui - you?  So why does it need to be trusted by the planet at large?  How many different users/browsers access this?

    Just create a cert with the name you use internally and then have your browser trust that CA - 2 seconds of work and there you go pretty green icon when you access your pfsense via its local fqdn..

    So you open your gui to the public as a backup??  Why do you not just vpn if you need to make adjustments to your pfsense settings?  If you need another backup??  I would suggest have someone run teamviewer on a box or run it as a service.  this is more secure than opening up your admin gui for your firewall to the public with a usrename/password as your protection.

    Or sure you could just use an override as Derelict suggest but I feel that is a work around more than proper setup.




  • I created a CA and certificate in pfSense. When I import the CA into Firefox Certificates->Authorities, it results in

    SEC_ERROR_INADEQUATE_CERT_TYPE

    I remove the CA and add the cert as exception to get webgui going. What am I doing wrong?


  • LAYER 8 Global Moderator

    So did you create a Server Cert? From that CA and set your web gui to use that server cert?

    So for example here is me importing mine.. So you can see the ca I created pfsense-ca (very original naming conventtion) hehee There is the cert I created that you can see my webconfig is using with the cn of pfsense.local.lan

    I exported the CA, and then imported it into firefox trusted.. There you 2 seconds and Bobs your Uncle!




  • Thanks. Silly me. I created a user cert. Much better with server cert.


  • LAYER 8 Global Moderator

    That happens way more than you know ;) or would even think possible really… So your saying the web gui came up even using a user cert.. That seems unlikely..  Even if you made exceptions I would think it should even work.

    Mostly see it on the openvpn section.. Should prob be Big Bold letters with examples of usage for the 2 different types...



  • The webgui comes up with a user cert same as using the webConfigurator default cert. It is added as an exception so no green icon but a yellow icon.


  • LAYER 8 Global Moderator

    I have no idea what your doing wrong dude - its 10 seconds to do this.. I have shown you the full setup..  What cert that is being used - if you have it using a user cert than yeah its going to be hosed..  Why would you create a user cert for a webserver??

    As you saw before the name on the cert was strongcert, that is what is being used by my web config, here showing it in the actual web config area.  You can see I have a green icon, you can see that the cert used is signed by my pfsense-ca and that its usage is for webserver auth..

    Post the details of your ca, your cert your using in for web configurator in pfsense and then what cert and what fqdn your using to access the gui..  And the details it shows about the cert.  If you want open it up remote and I will set it up in 10 seconds ;)

    edit:  Here just created a new cert, calling it my supercert I bumped it to 4096 with a sha fo 512.. I also added the IP and another name from one of my other networks wlan.local.lan which on my 192.168.2/24 segment.  I then added that pfsense.wlan.local.lan to my alternative names in the admin section to preven the rebind and reffer protection if hitting that altname.  I changed the web config to use the new supercert.  And there you go can access with green on 2 different pfsense names and their IP address.  Notice the cert is valid for all those uri






  • No. No. It is all good now with your excellent instructions. I also generated certs for my Cisco switch using Cert Manager and openssl. Now I get a green icon in pfSense gui and Cisco switch gui too.

    Thank you for your help.


  • LAYER 8 Global Moderator

    Then what was this about?

    "The webgui comes up with a user cert same as using the webConfigurator default cert."



  • Sorry. Too much information.

    My goof was in creating the cert and did not change setting to type server.


Log in to reply