Netgate Discussion Forum

[solved] NAT Reflection, SSL, and Calibre

6 Posts 3 Posters 765 Views
    Naenyn
    Mar 18, 2018, 5:49 PM (last edited Mar 19, 2018, 12:07 AM)

    Hello!

    I recently went through the process of getting an SSL cert and got all my services set up to use it. I run a handful of services on a couple different systems on my LAN and forward ports to them so that they're accessible via the WAN. Everything works fantastic, with one exception: Calibre. It works fine when accessed via the WAN. However, if I access Calibre from a web browser within my LAN, I get a security error because the server's local name doesn't match those in the cert. I can continue anyway in my browser and things work fine. The problem arises when I attempt to do the same thing from an ebook reader app. They immediately error (I'm assuming due to the cert naming issue).

    I did some research to see if it would be possible to route requests on my LAN to Calibre out such that they appear to come in from the WAN and have responses take the same route back such that SSL works properly. I would only want to do this for requests to Calibre (not all traffic). It looks like NAT Reflection would do exactly this. I spent some time fiddling with it, but haven't had success making it work.

    Has anyone run into this sort of situation? Should NAT Reflection do what I'm looking to do? Is what I'm looking to do even possible, considering SSL is thrown into the mix?

    Thanks for the help!

    -n

      Grimson Banned
      last edited by Mar 18, 2018, 5:54 PM

      https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks you want method 2.

        Naenyn
        last edited by Mar 18, 2018, 6:07 PM

        Thanks for the speedy response!

        I've read that link a few times in my attempts to get this to work. I was actually doing that already prior to throwing SSL into the mix just so I could use the same URL locally that I use remotely.

        That worked great previously, but now that I'm using SSL, I get security errors when I try method 2.

        Thoughts?

          viragomann
          last edited by Mar 18, 2018, 7:43 PM

          If your SSL certificate's common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

          However, "NAT reflection + proxy" should also be a solution for you.

            Naenyn
            last edited by Mar 18, 2018, 7:59 PM

            @viragomann:

            If your SSL certificate's common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

            Ah! That worked. However, now I've got an error in Calibre. :'( Have reported that on the Calibre forums. I'll circle back around here once it is resolved.

            Thanks!

              Naenyn
              last edited by Mar 19, 2018, 12:07 AM

              Just to follow up. It turns out that the eBook app I was using with Calibre doesn't support SSL! I tried an alternative and it is working great with the split DNS configuration. The fix was to use the FQDN from my cert for the split DNS entry.

              Thanks for the help, guys!

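An added example (not from the thread or from the pfSense documentation) of why the local name failed and the split-DNS FQDN worked: a verifying TLS client compares the host name in the URL with the names in the certificate, regardless of which IP that name resolves to. The certificate dict, host names and IP address below are constructed placeholders, and the fallback to the common name is an assumption about older clients.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders, not values from the thread.
CERT = {
    "subject": ((("commonName", "books.example.com"),),),
    "subjectAltName": (("DNS", "books.example.com"), ("DNS", "*.apps.example.com")),
}

def cert_dns_names(cert):
    """DNS names a client may match: SAN entries, else the subject CN (legacy fallback)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """RFC 6125 style match: a wildcard is honoured only as the whole left-most label."""
    p_labels = pattern.split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def client_accepts(cert, url_host):
    """Would a verifying client accept this cert for the host used in the URL?"""
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        return any(name_matches(p, url_host) for p in cert_dns_names(cert))
    # An IP literal only matches an "IP Address" SAN entry, never a DNS name.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in cert.get("subjectAltName", ()))

def audit(cert, hosts):
    """Map each way a LAN client might address the server to accept/reject."""
    return {h: client_accepts(cert, h) for h in hosts}

if __name__ == "__main__":
    lan_names = ["calibre", "calibre.lan", "192.168.1.20", "books.example.com"]
    for host, ok in audit(CERT, lan_names).items():
        print(f"{host:20} {'OK' if ok else 'name mismatch'}")
```

Only the FQDN passes, which is why the DNS override has to be created for the exact name in the certificate rather than for a local alias.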
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.