Wondering how to port forward to my Name Server and other locations after leaving Airport Extreme behind.



  • So, this is my first attempt at pfsense configuration and I'm a bit lost.

    I was previously using an Airport Extreme which limits me to subnet 255.255.255.0.

    I operate a name server that's public which was port forwarded via port 53 to an internal IP address that belongs to my Ubuntu 16.04 box, which is a LAMP server on the Webmin/VirtualMin platform.

    I was able to get pfsense up and running, but after setting up port forwarding, none of the internal destinations were being reached. My public IP address, which is static, would typically take me to my Apache server, but now takes me to the pfsense system displaying the pfsense login.

    I tried to forward port 80/443, and 53, and various others to the server, but nothing worked.

    At the same time, my name server became invisible to the world through pingdom, etc.

    Is there a configuration concept or setup that I'm missing?

    I'd like to be able to be on a 255.255.240.0 subnet so I can organize the network better and open up the number of hosts available.

    Any help for the n00b would be greatly appreciated.



  • The WebGUI of pfSense listens on ports 80 and 443 by default.
    If you want to forward those ports you have to move the pfSense web server to a different one. You can do that in System > Advanced > Admin Access.
    Set a new port which you don't use on internal systems and check "Disable webConfigurator redirect rule" to prevent pfSense from catching port 80.



  • What about DNS?



  • Do you use unbound as DNS Resolver in pfSense, which would be default?
    Make sure it's not serving on your WAN port as well.
    Have you forwarded port 53 TCP and UDP to your server?


  • LAYER 8 Global Moderator

    @arretx said in Wondering how to port forward to my Name Server and other locations after leaving Airport Extreme behind.:

    so I can organize the network better

    To be honest using a larger flat network would not be the direction you should be going.. Why would you not just segment your different types of devices or different security requirements to different segments/vlans so you can control traffic between these local network devices.

    Do you really have somewhere close to 4000 devices?

    So if everything is on one flat network, if something compromises your web server, your whole network is now exposed.

    I have been doing this sort of stuff for 30 years. And a large part of that dealing with DNS.. I would never in a million years host my dns on my own connection to the public internet... Even the play domains I have for just playing with dnssec and other aspects of dns I host on 2 separate vps boxes in different parts of the globe..

    What is in front of pfsense? If you want to forward anything behind pfsense - it first has to get to pfsense. From your mention of airport extreme I would assume you have pfsense behind a nat. Changing from APE to pfsense would most likely have the pfsense wan IP being different than the APE's, so whatever was in front of it was forwarding wouldn't be going to the pfsense IP now, etc.

    Any issues with port forwarding
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html



  • @johnpoz I was hosting all of my own websites at Hostgator, and they absolutely suck. So, I decided I should utilize one of the Proliant servers I had just sitting around. That took me down a road of discovering what a LAMP server was.

    I switched from a residential ISP account to a business account with a static IP.

    This is all simply an exercise in learning, so I don't much care about where the server is physically located. With that in mind, I originally had an Airport Extreme managing my routing and WIFI access. When I learned about pfSense I decided to give that a shot, since I have a bunch of old PCs lying around.

    I installed pfSense and removed the Airport Extreme from the equation completely. I added a simple Netgear router and disabled DHCP, fed that into the LAN port on pfSense, and connected the cable modem directly to the WAN port on pfSense.

    Within minutes I was up and running with access to the web.

    From there I started to try to figure out port forwarding so it would behave like the Airport Extreme did. That's when I got stuck.

    The reason I went with 255.255.240.0 was simply to learn how to do it. I don't, nor will I ever have 4000+ devices on my network. But, with home automation and the IoT, I could conceivably reach a few hundred gizmos that need an IP address.

    As far as segments or VLANS are concerned, this is a new concept to me, so I would have to learn how that works before I understand how to utilize it.

    I had limited DHCP in pfSense to a range of 200 devices limited to 192.168.0.xxx and then set static IP addresses for everything else, segmenting the network by the IP Address:

    192.168.1.xxx - Servers
    192.168.2.xxx - Sensors
    192.168.3.xxx - etc., and so on.

    I know that it's overkill, but it's more about learning how to manage this type of setup.

    So, getting traffic to my server has been the challenge. Right now pfSense is offline because I need my server up and running so I can use it while I'm away...but I will attempt to tackle the problem again. I just need to figure out how to properly configure pfSense so my name server doesn't disappear. ;) . Thanks for the input and any advice would be great!


  • LAYER 8 Global Moderator

    I wouldn't host public dns to the public if I had a 10ge pipe.. So your domain only has 1 NS? That is borked right there and to be honest any registrar normally wouldn't even let you do that.. 2 NS is a min..

    If you want to host your web site off your link, sure have at it. But there is zero reason to have dns hosted there as well. If you want to play and learn about dns - great.. Do it off site, do it for your local domains..

    Just no reason to host public dns on your connection. HE will give you free dns for like 50 domains, dnsmadeeasy will for like $30 a year let you do 10 domains with like 10 million queries on an anycast network.. It's not going to go down.

    You have a power outage and you're offline.. You have to reboot your router and you're offline, etc.

    Again going to ask what is in front of pfsense when you plug it in? If pfsense gets an rfc1918 address on its wan.. Then the nat device in front of pfsense has to forward to the pfsense wan IP anything you would want to forward.

    There are a bajillion hosting sites or where you can get your own vps and do whatever it is you want. The only thing that should be hosted out of your house is maybe your plex server to your friends and family. And they better be ok with it going offline any time you want to play with something, etc..



  • Your opinion of the methodologies is understood, but it's not what I'm asking about. How I should or shouldn't do something is completely up to subjective opinion. I'm neither hosting for myself nor anyone else for any reason other than to learn how it works, so it doesn't matter how many NS's I have, or connections, or etc. I'm focusing on function at this point.

    When I plug in pfSense, on one side (WAN) there's a cable modem, on the other side (LAN), there's a small ethernet switch. The WAN is static (issued by the isp) and thus, statically set in pfSense. At the end of the power cord is a wall with 110v power. I wish I could say that between me and the wall are superpowers that yield extraordinary lighting effects, but I cannot.

    Not much more than that.

    All I want to do is correctly configure pfSense so my name server can be found and so port 80 and 443 forward to apache properly instead of being served by pfSense.


  • LAYER 8 Global Moderator

    So if you get a public IP on pfsense wan, then its as simple as clickity clickity port forward.. It really is that simple.

    Go through the troubleshooting guide I linked to already if you're having problems. The first thing to check is that traffic actually hits the pfsense wan.

    If it takes you more than a min to troubleshoot a port forwarding problem - then you do not understand the basics. Please walk through the troubleshooting guide and point out anything you have questions on how to do or where it's failing.

    Here is how to port forward in pfsense
    https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

    If you're having problems look to the troubleshooting guide I linked to above.

    Since you're static on your public IP.. Send me a chat/pm with your domain and I will look at what it lists as the NS and can validate that you're putting that on the pfsense wan, etc. etc.



  • I think the root of the problem would be one of the following:

    pfSense is already setup to resolve DNS
    pfSense is already hijacking port 80 and 443 for access to pfSense remotely.

    I was able to port forward other ports, for example, but these 3 (53 / 80 / 443) stumped me...but, as was mentioned above, it may be because I also didn't forward UDP.

    I'll give that a shot and see if I can't work this out. I managed to fire up a LAMP server and configure all of that crap correctly, so I should be able to figure this out.

    My previous tech life was riddled with Microsoft products and their ungodly vocabulary.


  • LAYER 8 Global Moderator

    @arretx said in Wondering how to port forward to my Name Server and other locations after leaving Airport Extreme behind.:

    configure all of that crap correctly, so I should be able to figure this out.

    Ok ;) hehehe following a bouncing ball guide for a LAMP server is a bit different than troubleshooting network/firewall issues. But I have faith in you!

    Pfsense is not hijacking anything.. What ports do you think it should default to for its web admin interface? And yes it runs the resolver by default on, yes, 53 which is the port DNS works on..

    Not sure where you're getting the idea that if pfsense is using the ports you can not forward them through pfsense? You could have issues with nat reflection ok... But just because pfsense listens on 80, doesn't mean you can not forward 80 on a port forward. How exactly are you checking that these ports you're forwarding are working? A common misconception is that you can check that they are forwarded from inside pfsense. Just hitting the wan IP of pfsense from the lan side hoping to be forwarded back in (nat reflection) to some other box on your lan - that is not a valid way to test port forwards.

    Here - all of 30 seconds to forward dns through pfsense. And yeah pfsense is running unbound on 53.. I fired up a 2k12r2 windows box.. Enabled dns server on it - which I had done for a previous thread asking about dns overrides and then from the outside did a query direct to my pfsense public IP, here you go bing bang zoom.

    [screenshot: dnsforward.png]

    So again - be more than happy to help you troubleshoot your problem.. Can do the same thing with 80 and 443 even if pfsense is using them for its gui.. Maybe you were testing them from your lan and that is why they are not working since you didn't setup nat reflection? Maybe you're trying to hit them via fqdn, and since your dns is not working they are not resolving for your nat reflection or from public?
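    The external test the moderator describes above (query the pfSense public IP directly, from outside, for both UDP and TCP 53) can be scripted so that it also tells you *who* answered. The following is an added example for this thread, not code from the original posts or from pfSense/Netgate: it builds a raw DNS SOA query with the Python standard library and classifies the reply by its header flags. An answer with the AA bit set came from your authoritative server behind the port forward; an answer with AA clear and RA set came from a recursive resolver, which is what you see if unbound is serving on the WAN address instead of your forward taking effect; REFUSED or a timeout means blocked or not forwarded. PUBLIC_IP and the zone name are assumptions. Run it from a host that is not behind pfSense (phone on mobile data, a VPS), because from the LAN you would be testing NAT reflection rather than the WAN forward.

```python
"""Probe a port-forwarded authoritative DNS server from OUTSIDE the network.

Added example for the pfSense port-forward thread; not code from the posts
or from pfSense/Netgate. Standard library only. Verdicts on the reply header:
  AA set              -> your authoritative server (BIND on the LAN) answered
  AA clear, RA set    -> a recursive resolver answered (e.g. unbound on the WAN)
  RCODE 5 / no answer -> refused, blocked by the WAN rule, or not forwarded
"""
import random
import socket
import struct
from typing import Optional

QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_SOA, qid: Optional[int] = None) -> bytes:
    """Encode a DNS query: 12-byte header + one question, RD bit clear.

    RD=0 on purpose: an authoritative server needs no recursion, and a
    resolver that answers anyway is easy to spot because it sets RA, not AA.
    """
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def parse_response(data: bytes) -> dict:
    """Decode the header fields that matter for this check."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp: dict, expected_id: int) -> str:
    """Map a parsed response to the verdict a port-forward tester wants."""
    if resp["id"] != expected_id or not resp["qr"]:
        return "garbage"             # not a reply to our query
    if resp["rcode"] == 5:
        return "refused"             # something listens but will not serve us
    if resp["aa"]:
        return "authoritative"       # the forwarded name server answered
    if resp["rcode"] != 0:
        return "rcode-%d" % resp["rcode"]
    if resp["ra"]:
        return "recursive-resolver"  # e.g. unbound on the WAN, not your NS
    return "non-authoritative"


def probe_udp(server: str, query: bytes, timeout: float = 3.0) -> Optional[bytes]:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(4096)
        except OSError:              # timeout: dropped by the WAN rule or not forwarded
            return None


def probe_tcp(server: str, query: bytes, timeout: float = 3.0) -> Optional[bytes]:
    """DNS over TCP frames each message with a 2-byte big-endian length."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return None
            (length,) = struct.unpack(">H", hdr)
            buf = b""
            while len(buf) < length:
                chunk = s.recv(length - len(buf))
                if not chunk:
                    break
                buf += chunk
            return buf
    except OSError:                  # connection refused / timed out
        return None


if __name__ == "__main__":
    PUBLIC_IP = "203.0.113.10"       # assumption: the static WAN address of pfSense
    ZONE = "example.test."           # assumption: the zone your server is authoritative for
    qid = 0x1234
    query = build_query(ZONE, QTYPE_SOA, qid)
    for proto, probe in (("udp", probe_udp), ("tcp", probe_tcp)):
        raw = probe(PUBLIC_IP, query)
        verdict = "no answer" if raw is None else classify(parse_response(raw), qid)
        print("%s/53 -> %s" % (proto, verdict))
```

    If UDP says "authoritative" but TCP says "no answer", only the UDP forward (or only the UDP pass rule on WAN) exists; zone transfers and large answers use TCP, so both are needed. If both say "recursive-resolver", the query is being answered on the pfSense WAN address itself rather than reaching the forwarded server.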



  • Haha...touche. You're right. It's only hijacking it because it's doing something I wasn't expecting and alas, I shall stomp my feet around and protest in agony. Makes perfect sense that it would be assigned to 80 and 443. Lol.

    Regarding testing, I would either use something like pingdom or just disconnect my mobile device from the lan and use my data connection.

    It's also highly likely that I didn't set the Firewall / Rules / WAN setting and only did Port Forwarding.. 😏 😯

    I'll check back in when I get it rolling correctly.


  • LAYER 8 Netgate

    I would personally set up something like hurricane's free DNS as a slave to pull the zones from your local server and only list them as NS records. That way you:

    • Increase reliability at least a thousand-fold.
    • Don't have to list your local IP address in an NS record.

  • LAYER 8 Global Moderator

    Exactly you could do a hidden master setup.

    Which would be way up the curve when learning dns.. And would be WAY better than actually letting the public internet query your home connection. And that being the only NS for your domain(s)..

    Hosting anything out of your house is really never going to make sense from a cost perspective or maint/uptime point of view. Unless you're talking your own personal access to stuff in your home. Or like your media library to your friends and family where it just doesn't make sense to pay for storage of the TB of media files elsewhere. But then again there are many plex servers in the cloud that are very cost effective if you have a lot of friends and family ;)

    You can host dns for FREE on an actual system that doesn't ever go down and is anycast and both ipv4 and ipv6.. Why would you be worried about hosting it. Providing its connectivity is not learning anything about dns..

    Here is what I am going to say, with years of running dns.. If you're hosting it yourself and it's not just your local dns - you're doing it wrong! ;)

    Sure run bind, play with all its features locally.. This has zero to do with providing the public with the name services to resolve your services. Host that with someone that does that sort of thing..

    You can run bind off pfsense - the gui makes it easy to play with to get the basic stuff down. I WOULD NOT SUGGEST that be your public NS for your domain(s).. Unbound is a great little resolver - can do some neat stuff with it.. It's not designed to be an authoritative NS.



  • @derelict said:

    Don’t have to list your local IP address in an NS record.

    What's problematic about that if it's a fixed IP?


  • LAYER 8 Netgate

    Because people are sensitive to things like that especially at home.

    It is also likely to be a bit transitory even if static.

    But the real issue is reliability.

    A DNS provider is going to be many, many times more reliable than some residential connection.



  • OK, so it's no technical issue, more a personal one.
    Thanks for the clarification.


  • LAYER 8 Global Moderator

    Ok the hiding the IP might be personal. But the real reason you might hide your SOA (hidden master dns) is so it doesn't get queried.. So you have your NS local and you can control. On a slow link, etc. But your NSers that everyone uses is out on real connections UP 24x7 and hopefully geographically diverse.

    You can also do a hidden secondary, or slave - where the NS at your location is not in the delegation so doesn't get queried but will maintain a copy of your zone that you can use if the other NSers are down, etc. Or that you can query locally, etc.
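    The hidden master layout described in the last few posts, written out as a BIND configuration for the home server. This is an added example, not configuration from the thread or from Netgate/pfSense; the provider hostnames, the secondary addresses (RFC 5737 documentation ranges), the LAN address and the zone name are all assumptions, and your provider (HE's free slave service, DNS Made Easy, etc.) gives you the real values to substitute.

```conf
// /etc/bind/named.conf.local on the HIDDEN MASTER behind pfSense.
// Added example; every address and name below is an assumption.

acl "public-secondaries" {
    198.51.100.53;      // assumed: ns1 of the DNS provider (pulls the zone by AXFR/IXFR)
    198.51.100.54;      // assumed: ns2 of the DNS provider
};

options {
    directory "/var/cache/bind";
    recursion no;                                   // authoritative only; never a public resolver
    listen-on { 192.168.1.10; };                    // assumed LAN address of the server
    // "Hidden" means the public never queries this box: only the secondaries,
    // the LAN and localhost may ask it anything; everyone else gets REFUSED.
    allow-query { public-secondaries; 192.168.0.0/20; localhost; };
    allow-transfer { none; };                       // default deny, opened per zone below
    notify explicit;                                // only NOTIFY the hosts listed in also-notify
};

zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";
    allow-transfer { public-secondaries; };
    also-notify { 198.51.100.53; 198.51.100.54; };  // tell them to pull as soon as the serial changes
};

; /etc/bind/db.example.test (same example). The SOA MNAME and the NS set name
; ONLY the provider's public servers, so nothing in the delegation points home.
$TTL 3600
@       IN SOA ns1.dns-provider.example. hostmaster.example.test. (
                2018062201 ; serial - bump on every edit or the secondaries will not pull
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
@       IN NS  ns1.dns-provider.example.
@       IN NS  ns2.dns-provider.example.
@       IN A   203.0.113.10   ; the web server as seen from outside (pfSense WAN IP)
www     IN A   203.0.113.10
```

    The secondaries still have to reach the master to transfer the zone, so a port forward of 53 TCP and UDP to the server behind pfSense is still required (TCP for the transfer, UDP for the SOA refresh check); the WAN pass rule can, however, be limited to the two secondary addresses as source, so the home connection never serves the public at all. At the registrar, only ns1 and ns2 of the provider are listed as the delegation.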

