Netgate Discussion Forum

    [solved] NAT Reflection, SSL, and Calibre

    • Naenyn

      Hello!

      I recently went through the process of getting an SSL cert and got all my services set up to use it. I run a handful of services on a couple different systems on my LAN and forward ports to them so that they're accessible via the WAN. Everything works fantastic... with one exception: Calibre. It works fine when accessed via the WAN. However, if I access Calibre from a web browser within my LAN, I get a security error because the server's local name doesn't match those in the cert. I can continue anyway in my browser and things work fine. The problem arises when I attempt to do the same thing from an ebook reader app. They immediately error (I'm assuming due to the cert naming issue).

      I did some research to see if it would be possible to route requests on my LAN to Calibre out such that they appear to come in from the WAN and have responses take the same route back such that SSL works properly. I would only want to do this for requests to Calibre (not all traffic). It looks like NAT Reflection would do exactly this. I spent some time fiddling with it, but haven't had success making it work.

      Has anyone run into this sort of situation? Should NAT Reflection do what I'm looking to do? Is what I'm looking to do even possible, considering SSL is thrown into the mix?

      Thanks for the help!

      -n

      • Grimson Banned

        https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks you want method 2.

        • Naenyn

          Thanks for the speedy response!

          I've read that link a few times in my attempts to get this to work. I was actually doing that already prior to throwing SSL into the mix just so I could use the same URL locally that I use remotely.

          That worked great previously, but now that I'm using SSL, I get security errors when I try method 2.

          Thoughts?

          • viragomann

            If your SSL certificate's common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

            However, "NAT reflection + proxy" should also be a solution for you.

            • Naenyn

              @viragomann:

              If your SSL certificate's common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

              Ah! That worked. However, now I've got an error in Calibre. :'( Have reported that on the Calibre forums. I'll circle back around here once it is resolved.

              Thanks!

              • Naenyn

                Just to follow up. It turns out that the eBook app I was using with Calibre doesn't support SSL! I tried an alternative and it is working great with the split DNS configuration. The fix was to use the FQDN from my cert for the split DNS entry.

                Thanks for the help, guys!

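The split DNS fix from this thread, modelled as an added example (not code from the thread or from pfSense): a TLS client validates the name it dialed against the certificate, while the host override only decides which address that name reaches. All host names and addresses are constructed assumptions, and the matching rule is a simplified form of standard hostname verification.

```python
import ipaddress

# Constructed sample data: every name and address below is an assumption.
CERT_DNS_NAMES = ["calibre.example.com"]                    # names in the cert
LAN = ipaddress.ip_network("192.168.1.0/24")
HOST_OVERRIDES = {"calibre.example.com": "192.168.1.20"}    # split DNS entry
LOCAL_NAMES = {"mediabox.lan": "192.168.1.20"}              # server's local name
PUBLIC_DNS = {"calibre.example.com": "203.0.113.10"}        # WAN address


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(host, pattern):
    """Compare label by label, case-insensitively; '*' may only stand in
    for the whole leftmost label of a name with at least three labels."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        return h[1:] == p[1:]
    return h == p


def cert_valid_for(host, cert_names=CERT_DNS_NAMES):
    """The client checks the name it dialed, never the address it reached."""
    if is_ip(host):
        return False          # this certificate carries DNS names only
    return any(name_matches(host, n) for n in cert_names)


def lan_access(host, overrides=HOST_OVERRIDES):
    """Return (address reached, stays on LAN, certificate name check passes)."""
    if is_ip(host):
        ip = host
    else:
        # Host overrides on the LAN resolver win over public DNS.
        tables = (overrides, LOCAL_NAMES, PUBLIC_DNS)
        ip = next((t[host] for t in tables if host in t), None)
        if ip is None:
            raise LookupError(f"{host} does not resolve")
    return ip, ipaddress.ip_address(ip) in LAN, cert_valid_for(host)
```

Calling `lan_access("calibre.example.com", overrides={})` shows the case without the override: the name still validates, but the client is sent to the WAN address and depends on NAT reflection.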