Unable to surf to internal webserver when using lan.

  • I have the following setup;

    Wan address x.x.x.248
    Firewall nat 1:1 & Virtual ip adress  wan x.x.x.254


    Pass IPv4 TCP * * x.x.x.4 80 (HTTP) *
    Pass IPv4 TCP * * x.x.x.4 443(HTTPS) *

    Reject Any DMZ net * LAN net * *
    Pass  Any * * * *

    Pass IPv4 TCP * * 80 (HTTP) *
    Pass IPv4 TCP * * 443 (HTTPS) *

    Webserver is using the x.254 external address - works great!

    However - if I set up i client on the lan  ( for example)- i can surf on to the internet but, I can't reach the webserver sites (the one with the wan address x.x.x.x.254) and get Potential DNS Rebind attack
    I'm guessing this has something to do with another firewall rule.
    Any ideas?

  • If you want to reach your webserver by its public host name

    • set up an internal DNS with its internal IP address (split DNS) or if pfSense is your DNS add a host override or activate NAT reflection in the NAT rule.

    • add a rule to the LAN interface to allow LAN hosts to access the DNS server.

  • Added a site below Host Overrides in DNS Forwarder.
    Host      Domain        IP
    Example example.org  (dmz address)

    add a rule to the LAN interface to allow LAN hosts to access the DNS server.

    Could you describe more in detail how such rule would look like?

    Thanks in advance!

  • You have to allow port 53 TCP/UDP access to pfSense:

    Pass IPv4 TCP/UDP LAN net * This Firewall 	53 (DNS) 	* 	none 	  	DNS access 	

  • Right, I have added that rule in firewall below Lan.
    Cleared cache in the webbrowser, but I still get dns rebind attack.


    Looking more into Dns forwarder, I'm wondering if I have configured it correctly.
    If i run```
    nslookup google.com

    Add screenshot from Dns Forwarder
    EDITED #2
    Added my nslookup as attachment.
    I belive I would show my Pfsense as first dns, but it dosen't.

  • Bump

    I think the question is "how do I setup dns forwarder correctly".

Log in to reply