Problem accessing internal webservers via external addresses
-
I could give you the ip, and you couldn't get in. There are no known vulnerabilities (the webservers only does two things, and that is show a webpage to give commands and info), so it's virtually impossible to do anything without the correct username and password. So there's no danger. And I can't connect the physical hardware to more than one VM at the time, so I can't use more than one VM. Of course I could spend around 2000 dollars to get six of each of the hardware, but that would just be dumb.
Seriously, I am fully aware that you know a LOT more than me about pfSense and networking. But I have been doing home automation for many years (I checked, and my first setup was from 1998, it turns out). And my current system runs perfectly, as long as the traffic is forwarded as it should. I have been running version of this system for 4-5 years, and this is the first time I have this problem.
As I said, before I ran an Asus router that forwarded everything inbound to a M0n0wall firewall and split my subnet from the rental flat's subnet, and the M0n0wall sendt the stuff to the VM, with the ports. I never had any problems going from my home net with an address without a port to DynDNS, which changed the address and attached a port, and then back into the VM on my system. But I figured that I would leave M0n0wall (the father of pfSense) because it's too old, and I didn't need the Asus router when the pfSense could both split and forward. Or so I thought.
So again, any idea why I can do my pingpong from the rental flat's subnet, but not on the subnet where the VM is?
-
@mastiff said in Problem accessing internal webservers via external addresses:
but it doesnโt work on the subnet where the VM is. On that subnet the webserver with the standard HTTP port is turned into https and goes to the pfSense web interface, and any of the other webservers times out.
So configure the pfSense web GUI to listen on another port than 443, also uncheck "WebGUI redirect" and activate NAT reflection with proxy mode.
-
@mastiff said in Problem accessing internal webservers via external addresses:
There are no known vulnerabilities
Oh that is funny!!!
But yeah as viragomann stated your going to have to use nat reflection.. What non efficient way to so something... Here let me bounce all the way to some proxy running on the internet (webhop) so it can send my browser a redirect with the port on it. Then I can hit my actual public WAN ip on this port, to get reflected back into a box sitting on my network.. What a fantastic solution that is - vis just say using fqdn:port in your uri and having that fqdn resolve to your rfc1918 address local, and forward it on the public side.
So this runs on windows, and its latest release is from feb of 2016?
Latest release:EventGhost 0.4.1.r1722 [source], Feb 03 2016
-
For the avoidance of misunderstanding, in my opinion also the proxy solution is the better way to do that and offers more options in configuring the application servers. But Mastiff obviously want to get it work as it did for years before.
-
Many home routers nat reflect out of the box.. Anything that nat reflects is borked to be honest.. Nat reflection is just plain abomination if you ask me ;)
Pfsense does not nat reflect out of the box - you have to purposely tell it, hey pfsense I like to do things the F'd way - let me hit you on your wan, just so you can send me back into a box right next to me.. hehehehe
Here is my advice - if your thinking of nat reflection as a way of getting something work, your doing it wrong! ;) Back to the drawing board where you don't have to hairpin connections to get them to work.
-
Who runs on releases? The latest VERSION is 05.06.2018. And as far as I have heard nobody has managed to actually break in and do anything in the webservers of EventGhost and Girder when they didn't know the password and username. There's a difference betwenn no vulnerabilities and no KNOWN vulnerabilities. The known part means that there are nobody who has found it interesting enough to find whatever may be there. Also you need to know what IP and ports to attack, and what kind of program that's behind them too. Of course there are lots of vulnerabilities found in programs that they can actually make money on hacking! But who wants to spend the time hacking something which has few users and nothing of value to find.
And I have asked more than once in this thread how I can do it with proxys when I need to get to the ports I am using. I have said what I need to send out (a regular web adress without a port, so the standard port) and what has to get into the VM from pfSense (another web address, and with a non-standard port). If you could tell me how to do that, I'm all ears. But so far you've only told me how I should be doing it when it isn't possible to do it this way with my programs.
Oh, as for efficiency it doesn't matter. It's text and icons 64x64 pixels that's sendt, there is no discernable difference at all.
Viragomann, THANK YOU!!!! I had the NAT reflection with proxy mode set, but changing the port of the webgui and disabling the "WebGUI redirect" fixed it, and I'm up and running!
-
johnpoz, synchronized posting. Like sync swimming, but without the bathing suit. At least I'm not wearing one, I have no idea what you're wearing...
The thing is that I can only work my system this one way (a limitation in the programs, the webserver is just a tiny part of a what they do), and I don't want it to be visible to the end user. And that means no port in the URL. And the whole system has been built with so many hours, there is no way I'm changing programs to avoid something that may not be clean enough to you purists, but doesn't slow down anything.
-
@johnpoz said in Problem accessing internal webservers via external addresses:
you have to purposely tell it, hey pfsense I like to do things the Fโd way
But to be honest, I also use it for some purposes.
For me, it's the short way to reach my goal. -
@viragomann For some reason I see with my inner eye a tall lady with strange clothing leading a naked queen down the street shouting "shame, shame"!
Oh, and I have no idea what happened, but suddenly my OpenVPN tunnel, which passes through the pfSense box to the server, stopped working! It links my cabin and house together and is an essential part of my system. Can any of the changes made here be responsible, or is it correlation and not causation?
Edit: I've of course restarted everything, but nothing helps.
-
Activating NAT reflection and changing the the web interface port can not bring the vpn down as long as you use another port as the vpn instance.
Don't know if you did some further changes except that. -
I was sort of expecting that answer... ;) I guess my learning curve with pfSense is a bit steeper then I thought. I have been using M0n0wall since forever, and I thought that the fork would be quite similar. At least it's very stable...or stably annoying, mostly since I don't know what I'm doing!
-
About the reverse proxy thing. Can Pound do reverse proxy and add ports? So when the address www.automation.com comes to pfSense and Pound, it will be translated to 192.168.1.20:1234? Because that is of course a better way, I just know that DNSMasq can't do port adding.
-
It sounds like it could work, here's a bit from the manual:
BackEnd A back-end is a definition of a single back-end server Pound will use to reply to incoming requests. All configuration directives enclosed between BackEnd and End are specific to a single service. The following directives are available: Address address The address that Pound will connect to. This can be a numeric IP address, or a symbolic host name that must be resolvable at run-time. If the name cannot be resolved to a valid address, Pound will assume that it represents the path for a Unix-domain socket. This is a mandatory parameter. Port port The port number that Pound will connect to. This is a mandatory parameter for non Unix-domain back-ends.
-
Why want you use different ports? Why not different IP addresses?
You can assign multiple IPs to a single server and assign each to a specific service. So each service can listen on its default port. -
@viragomann said in Problem accessing internal webservers via external addresses:
Activating NAT reflection and changing the the web interface port can not bring the vpn down as long as you use another port as the vpn instance.
Don't know if you did some further changes except that.Feel like an idiot... Now I found out why it didn't work. The previous setup was all ports forwarded to the server, which worked. Then I split it up into series of ports to have the home automation webservers directly accessible from pfSense, instead of via my server. At that time the tunnel was still up. I forwarded the standard OpenVPN port to the server, but forgot one thing: A few years ago I had two tunnels up and running, on different ports! And the one that I still use is on the non-standard port that I had the secondary tunnel on. But it was still working because the tunnel was already up, until I activated Nat reflection, since activating that probably triggered some kind of a reset that broke all connections. So now my tunnel's up and running again.
-
@viragomann said in Problem accessing internal webservers via external addresses:
Why want you use different ports? Why not different IP addresses?
You can assign multiple IPs to a single server and assign each to a specific service. So each service can listen on its default port.Not completely sure I follow you there. I need to have everything running on the same VM. And the services are http, but it's of course not possible to have more than one http service listening on the same port on one computer, as far as I know.
I could split up the webservers on six VM's (I thought a bit wrong about the number of servers I run, each address has two servers, so I'd need to have six VM's for this to work), but it just seems like crazy overkill when it has to be at least Windows 7 running them. I already have five VM's on my server, three of them Windows 7. So I'd have to get a more powerful server to do it. I stated earlier that I'd had to by several sets of hardware for the home automation, but I could of course set up a system with tcp commands between the VM's. Still it's very convoluted.
But I do have one possible idea. The problem is that I don't know if this would work. Maybe some of you can tell me that? pfSense is very lightweight compared to a Windows installation, so running several of those is no problem. And I have two unused network ports on a server NIC. So maybe I could send the address www.automation1.com to the main pfSense, use NAT reflection to send that to internal pfSense 1 that does NAT wich converts www.automation1.com to 192.168.1.20:1234 and passes it on to the automation VM? And then www.automation2.com would be sendt to internal pfSense 2 that converts that to 192.168.1.20:12345, www.automation3.com would go to internal pfSense 3 that converts that to 192.168.1.20:12346 and so on.
Can I have several pfSenses in parallel in this way, as long as I run the DHCP service on only one of them? Or wouldn't it work because the answer would be "confused" as to what pfSense it should go out on? or maybe that doesn't matter because routing out from LAN to WAN (in this case WAN is the outer LAN) always works? It would be two levels of pfSense, the outer level with one and the inner level with six.
-
-
What kind of nonsense rabbit whole you going down??
Do you think you could complex up something more? I have gone over the correct way to do this.. Have fun with such nonsense.
-
I've already told you several times why your way isn't possible with the necessary port setup of the home automation software I use and have several years of development sunk into. But if this is your way of saying "no, that is not possible", then please say that. If it's your way of saying "I have no idea if that's possible", then please say that too, in that case I will experiment with it. I just didn't want to experiment with something that wasn't possible.
Edit: I actually thought that anything that M0n0wall could easily do would be just as easy to do with pfSense, but I was probably wrong.
-
Then you the ports int he url! why do you even need to use different domains... Just use the same one with the different ports on the end.. Its pointless calling out auto1 and auto2.com
You can use whatever ports you want in your reverse proxy.. If you want to send auto1.com to ipaddress:1234 and auto2.com to ipaddress:4567 have at it.
Hitting some outside url, to get sent to your public IP:port - and nat reflect then in if you want will work.. You just need nat reflection setup.
be way simpler to just use the url with port in.. Then you could do split dns and not have to do any of this nonsense.