Unable to surf to internal webserver when using LAN.



  • I have the following setup:

    WAN address x.x.x.248
    Firewall NAT 1:1 & Virtual IP address  WAN x.x.x.254

    Firewall

    Wan
    Pass IPv4 TCP * * x.x.x.4 80 (HTTP) *
    Pass IPv4 TCP * * x.x.x.4 443 (HTTPS) *

    DMZ
    Reject Any DMZ net * LAN net * *
    Pass  Any * * * *

    LAN
    Pass IPv4 TCP 10.0.6.0/24 * * 80 (HTTP) *
    Pass IPv4 TCP 10.0.6.0/24 * * 443 (HTTPS) *

    Webserver is using the x.254 external address - works great!

    However, if I set up a client on the LAN (10.0.6.10 for example), I can surf on to the internet but I can't reach the webserver sites (the one with the WAN address x.x.x.254) and get "Potential DNS Rebind attack".
    I'm guessing this has something to do with another firewall rule.
    Any ideas?



  • If you want to reach your webserver by its public host name:

    • set up an internal DNS with its internal IP address (split DNS), or, if pfSense is your DNS, add a host override, or activate NAT reflection in the NAT rule.

    • add a rule to the LAN interface to allow LAN hosts to access the DNS server.
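
An added example to illustrate the split-DNS advice in the reply above; it is a small Python model written for this thread, not pfSense or dnsmasq code. It assumes 10.0.6.1 as the pfSense LAN address, uses 203.0.113.254 as a stand-in for the x.x.x.254 virtual IP, and takes the override row from later in this thread (Host "Example", Domain "example.org", IP 1.2.3.4). It shows the three outcomes a LAN client can get: the override answers with the DMZ address (works), pfSense answers without an override (the public VIP comes back, so NAT reflection would be needed), or the client asks some other resolver and the override is never consulted. It also models the forwarder's rebind protection, which drops upstream answers that point into private ranges, so an internal address has to come from an override rather than from the public zone. When the LAN client ends up with the WAN VIP and NAT reflection is off, the request typically lands on the firewall's own web interface (if the VIP is an address pfSense itself holds), which rejects a Host header that is not its own with exactly the "Potential DNS Rebind attack" message seen in the first post.

```python
import ipaddress

# Constructed data for this example (not taken from a live pfSense):
PFSENSE_LAN_IP = "10.0.6.1"      # assumed LAN address of pfSense
WAN_VIP = "203.0.113.254"        # stands in for the x.x.x.254 virtual IP
DMZ_WEBSERVER = "1.2.3.4"        # the "dmz address" used in the host override

# Host override as posted in the thread: Host "Example", Domain "example.org".
HOST_OVERRIDES = {"example.example.org": DMZ_WEBSERVER}

# What public DNS returns for the same name (constructed).
PUBLIC_DNS = {"example.example.org": WAN_VIP, "google.com": "142.250.74.78"}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def forwarder_lookup(name, overrides=HOST_OVERRIDES, upstream=PUBLIC_DNS,
                     rebind_protection=True):
    """Model of how the pfSense DNS Forwarder answers one query.

    Host overrides win (split DNS); anything else is forwarded upstream.
    With rebind protection on, an upstream answer that points into a
    private range is discarded (dnsmasq --stop-dns-rebind behaviour), so
    an internal address must come from an override, never from upstream.
    """
    name = name.rstrip(".").lower()
    if name in overrides:
        return overrides[name]
    answer = upstream.get(name)
    if answer is None:
        return None
    if rebind_protection and is_private(answer):
        return None  # dropped as a potential rebind
    return answer


def lan_client_lookup(name, client_resolver, lan_rule_allows_dns=True):
    """What a LAN host actually gets, depending on which resolver it asks.

    Returns (address, explanation). lan_rule_allows_dns models the
    'pass LAN net -> This Firewall port 53' rule from this thread.
    """
    if client_resolver == PFSENSE_LAN_IP:
        if not lan_rule_allows_dns:
            return None, "query to pfSense blocked: add the LAN -> This Firewall port 53 rule"
        addr = forwarder_lookup(name)
        if addr == DMZ_WEBSERVER:
            return addr, "override answered with the DMZ address; LAN -> DMZ path is used"
        if addr is None:
            return None, "name unknown upstream and no override"
        return addr, ("no override: answer is the WAN VIP, so the LAN request goes to "
                      "the firewall itself unless NAT reflection is enabled")
    # Client asks another resolver (ISP, 8.8.8.8, ...): pfSense is bypassed.
    addr = PUBLIC_DNS.get(name.rstrip(".").lower())
    return addr, "client does not use pfSense for DNS; host overrides are never consulted"


if __name__ == "__main__":
    for resolver, rule in ((PFSENSE_LAN_IP, True), (PFSENSE_LAN_IP, False), ("8.8.8.8", True)):
        print(resolver, rule, lan_client_lookup("example.example.org", resolver, rule))
```

The third case in the `__main__` loop is the one to rule out first: if the LAN client gets its DNS servers from somewhere other than pfSense, adding the override and the port 53 rule changes nothing for that client.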



  • Added a site below Host Overrides in DNS Forwarder.
    Host     Domain       IP
    Example  example.org  1.2.3.4  (DMZ address)

    > add a rule to the LAN interface to allow LAN hosts to access the DNS server.

    Could you describe in more detail what such a rule would look like?

    Thanks in advance!



  • You have to allow port 53 TCP/UDP access to pfSense:

    Pass IPv4 TCP/UDP  LAN net  *  This Firewall  53 (DNS)  *  none  DNS access
    


  • Right, I have added that rule in the firewall below LAN.
    Cleared the cache in the web browser, but I still get DNS rebind attack.

    EDITED:

    Looking more into DNS Forwarder, I'm wondering if I have configured it correctly.
    If I run:
    ```
    nslookup google.com
    ```

    Added screenshot from DNS Forwarder.

    EDITED #2

    Added my nslookup as attachment.
    I believe it would show my pfSense as first DNS, but it doesn't.
    
    ![Dnsforwarder.PNG](/public/_imported_attachments_/1/Dnsforwarder.PNG)
    ![nslookupgoogle.PNG](/public/_imported_attachments_/1/nslookupgoogle.PNG)
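
An added check for the nslookup question in the post above (example code written for this thread, not from pfSense). It parses nslookup output in both the Windows and Unix layouts and reports whether the client asked pfSense at all and whether the name resolved to the override address. The transcripts are constructed, not the poster's screenshots; 10.0.6.1 is assumed as the pfSense LAN address, 1.2.3.4 is the DMZ address from the host override, 203.0.113.254 stands in for the x.x.x.254 VIP, and the google.com addresses are placeholders.

```python
import re

# Constructed nslookup transcripts for this example (not the attached screenshots).
WINDOWS_VIA_PFSENSE = """\
Server:  UnKnown
Address:  10.0.6.1

Non-authoritative answer:
Name:    example.example.org
Address:  1.2.3.4
"""

WINDOWS_GOOGLE = """\
Server:  UnKnown
Address:  10.0.6.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400f:80d::200e
          142.250.74.78
"""

UNIX_VIA_PUBLIC = """\
Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
Name:\texample.example.org
Address: 203.0.113.254
"""

_BARE_IP = re.compile(r"[0-9A-Fa-f:.]+")


def parse_nslookup(text):
    """Return (server_ip, [answer_ips]) from nslookup output.

    The first Address: line (before any Name:) is the resolver that was
    asked; Address:/Addresses: lines after Name:, plus bare indented lines
    that follow them (Windows), are the answers. Unix prints the server
    as ip#port, so the port suffix is stripped.
    """
    server, answers, in_answer = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            in_answer = True
        elif key in ("address", "addresses"):
            ip = value.split("#")[0].strip()
            if in_answer:
                answers.append(ip)
            elif server is None:
                server = ip
        elif in_answer and _BARE_IP.fullmatch(line):
            answers.append(line)  # continuation line of an Addresses: block
    return server, answers


def check_client_dns(text, pfsense_lan_ip, expected_internal_ip):
    """Explain, from a LAN client's nslookup output, why split DNS may not apply.

    Returns (server, answers, findings); an empty findings list means the
    client asked pfSense and got the internal address back.
    """
    server, answers = parse_nslookup(text)
    findings = []
    if server != pfsense_lan_ip:
        findings.append(f"client asked {server}, not pfSense ({pfsense_lan_ip}); "
                        "host overrides on pfSense are never consulted")
    if expected_internal_ip not in answers:
        findings.append(f"answer {answers} is not the internal address "
                        f"{expected_internal_ip}; override missing or bypassed")
    return server, answers, findings


if __name__ == "__main__":
    for sample in (WINDOWS_VIA_PFSENSE, WINDOWS_GOOGLE, UNIX_VIA_PUBLIC):
        print(check_client_dns(sample, "10.0.6.1", "1.2.3.4"))
```

A quick manual version of the same test on the LAN client: run `nslookup example.example.org` and then `nslookup example.example.org 10.0.6.1` (substituting the real name and the firewall's LAN address). If only the second one returns the DMZ address, the override on pfSense is fine and the client simply is not using pfSense as its resolver; the DNS servers the client receives (for example from the pfSense DHCP server settings) are the place to look.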


  • Bump

    I think the question is "how do I set up the DNS Forwarder correctly".

