[solved] NAT Reflection, SSL, and Calibre

Naenyn · Mar 18, 2018, 5:49 PM

Hello!

I recently went through the process of getting a SSL cert and got all my services set up to use it. I run a handful of services on a couple different systems on my LAN and forward ports to them so that they're accessible via the WAN. Everything works fantastic.. with one exception: Calibre. It works fine when accessed via the WAN. However, if I access Calibre from a web browser within my LAN, I get a security error because the server's local name doesn't match those in the cert. I can continue anyway in my browser and things work fine. The problem arises when I attempt to do the same thing from an ebook reader app. They immediately error (I'm assuming due to the cert naming issue).

I did some research to see if it would be possible to route requests on my LAN to Calibre out such that they appear to come in from the WAN and have responses take the same route back such that SSL works properly. I would only want to do this for requests to Calibre (not all traffic). It looks like NAT Reflection would do exactly this. I spent some time fiddling with it, but haven't had success making it work.

Has anyone run in to this sort of situation? Should NAT Reflection do what I'm looking to do? Is what I'm looking to do even possible, considering SSL is thrown in to the mix?

Thanks for the help!

-n

Grimson · Mar 18, 2018, 5:54 PM

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks you want method 2.

Naenyn · Mar 18, 2018, 6:07 PM

Thanks for the speedy response!

I've read that link a few times in my attempts to get this to work. I was actually doing that already prior to throwing SSL in to the mix just so I could use the same URL locally that I use remotely.

That worked great previously, but now that I'm using SSL, I get security errors when I try method 2.

Thoughts?

viragomann · Mar 18, 2018, 7:43 PM

If your SSL certificates common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

However, "NAT reflection + proxy" should also be a solution for you.

Naenyn · Mar 18, 2018, 7:59 PM

@viragomann:

If your SSL certificates common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

Ah! That worked. However, now I've got an error in Calibre. :'( Have reported that on the Calibre forums. I'll circle back around here once it is resolved.

Thanks!

Naenyn · Mar 19, 2018, 12:07 AM

Just to follow up. It turns out that the eBook app I was using with Calibre doesn't support SSL! I tried an alternative and it is working great with the split DNS configuration. The fix was to use the FQDN from my cert for the split DNS entry.

Thanks for the help, guys!