Netgate Discussion Forum

[SOLVED] Accessing Webserver in DMZ with Domain from inside the LAN

9 Posts 3 Posters 2.4k Views
  • T
    theboda
    last edited by Apr 10, 2018, 5:40 PM Apr 9, 2018, 10:50 PM

    Hey,

    my setup:

    Internet <--> Router 192.168.2/24 <--> pfSense  <--> LAN 192.168.1/24
    And a DMZ 192.168.3/24 on the other Interface of the pfSense, that can access the internet but not the LAN.
    Webserver is in the DMZ
    
    

    Edit: Router just forwards everything to pfSense.

    I got a webserver 192.168.3.117 in the DMZ and I got port forwarding working for port 80 and 443 to the webserver in the DMZ.
    Accessing the webserver works like a charm, but I cannot access the webserver from my browser.
    I read in forums and blogs that I have to do something with NAT, but I don't know what settings to change.
    I already tried turning on the NAT Reflection mode for port forwards on "NAT + proxy" and on "Pure NAT"

    On the webserver I set a redirect from http -> https.
    Somehow I get to the website of my router if I type in 192.168.3.117 into the browser  :o
    
    Best Regards
    theboda
    • G
      Grimson Banned
      last edited by Apr 10, 2018, 3:39 AM

      https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

      • T
        theboda
        last edited by Apr 10, 2018, 11:14 AM

        @Grimson:

        https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        I tried this.. What interface do I have to select?

        • K
          KOM
          last edited by Apr 10, 2018, 1:18 PM

          1.  You need to configure a port-forward for your web server.

          https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          2.  You need to either test from WAN or configure a NAT Reflection mode as per Grimson's link.

          3.  You need to disable Block private networks on WAN.

          • T
            theboda
            last edited by Apr 10, 2018, 2:07 PM

            1. I set up port forwarding, I think otherwise I wouldn't be able to connect to the server from outside my network. (via my smartphone)
            2. I configured the NAT Reflection mode. See attachment.
            3. Okay, I disabled the "Block private networks" on WAN.
            -> Still won't connect.

            If I type in my domain or the IP address of my webserver, I get connected with the web interface of my Router..
            Any idea what I'm doing wrong?

            ![Nat Reflection.png](/public/imported_attachments/1/Nat Reflection.png)
            • K
              KOM
              last edited by Apr 10, 2018, 3:03 PM

              Are you trying to forward the same port that pfSense WebGUI is listening on?  If so, you can't do that.

              Also, NAT reflection can be a PITA.  A slicker solution is to override DNS so that your domain is resolved to the web server's LAN IP address, not its public address.  This is called Split DNS.

              • T
                theboda
                last edited by Apr 10, 2018, 5:00 PM Apr 10, 2018, 4:51 PM

                I tried it with the Split DNS, I think the problem is that I want to use https to connect to the webserver.
                I configured the webserver in the way that it does this if it gets contacted over port 80:

                return 301 https://$server_name$request_uri;
                

                How can I solve this, if I want to use https even in the LAN? Or is this even possible?

                Edit: this is my config for the webserver. https://pastebin.com/qqAc6pJS
                Followed this tutorial. https://www.linuxbabe.com/ubuntu/install-nextcloud-11-ubuntu-16-04-nginx-config

                • K
                  KOM
                  last edited by Apr 10, 2018, 5:04 PM

                  > I tried it with the Split DNS, I think the problem is that I want to use https to connect to the webserver.

                  Split DNS is the preferred method,  HTTP vs HTTPS has nothing to do with it.

                  If you want to forward a web server on tcp 80,443 then you're going to have to change the port that WebGUI listens on via System - Advanced - Admin access.

                  > How can I solve this, if I want to use https even in the LAN? Or is this even possible?

                  Configure your DNS to resolve your domain to the LAN IP of your web server.  Change the WebGUI listen port.  Done.

                  • T
                    theboda
                    last edited by Apr 10, 2018, 5:40 PM

                    Thank you very much! It works now!

                    1 Reply Last reply Reply Quote 0
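
A check for the Split DNS fix this thread settled on, run from a LAN client (added example, not code from any poster): it classifies what the domain resolves to and confirms that port 443 is answered with a certificate valid for that name rather than by a router or firewall admin page. The address 192.168.3.117 and the 192.168.3.0/24 DMZ come from the first post; `cloud.example.com` is a placeholder host name.

```python
import ipaddress
import socket
import ssl

# Addresses taken from the thread; the host name used below is a placeholder.
DMZ_NET = ipaddress.ip_network("192.168.3.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.3.117")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addresses):
    """Describe the path a LAN client takes for the given A records."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not ips:
        return "no-answer"
    if all(ip == WEB_SERVER for ip in ips):
        return "split-dns"                # routed LAN -> DMZ, no NAT involved
    if any(not any(ip in net for net in RFC1918) for ip in ips):
        return "public-needs-reflection"  # hairpin through the WAN port forward
    if any(ip in DMZ_NET for ip in ips):
        return "wrong-dmz-host"           # override points at another DMZ address
    return "other-private"                # e.g. the upstream router's 192.168.2.x


def resolve(name):
    """A records as returned by this client's configured resolver."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def served_by_expected_host(name, timeout=5):
    """True if the peer on 443 presents a certificate valid for `name`.

    An admin web interface answering instead of the web server normally
    fails this: its certificate is self-signed or issued for another name.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((name, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=name):
                return True
    except OSError:  # covers ssl.SSLError, timeouts and refused connections
        return False


if __name__ == "__main__":
    host = "cloud.example.com"  # placeholder, not from the thread
    answers = resolve(host)
    print(host, answers, classify(answers), served_by_expected_host(host))
```

Anything other than `split-dns` from a LAN client means the host override is not being used, for example because the client queries a resolver other than pfSense.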