Symptom: Clients not being routed OUT the network to HIT Virtual IPs
We are working with pfsense 2.4.3, with Verizon FIOS Static IPs (let's say 188.8.131.52). We also have another static IP that is set up as a Virtual IP in pfsense (let's say 184.108.40.206) for a webserver. We have a FQDN linked to 220.127.116.11 that resolves to junk.cat.org. We also have a Let's Encrypt SSL on junk.cat.org.
Internal clients are hitting the Virtual IP directly and being redirected to pfsense. I noticed the untrusted self-signed certificate message of the pfSense management login page.
Trace Route Data (internal client).
From a win10 client in the office (behind pfsense) the tracert to the virtual IP (18.104.22.168) yields 1 hop to the host.
Trace Route Data (external client)
From a win10 client from my home the tracert on the virtual IP (22.214.171.124) yields 2 hops to the host: 1 hop to my router (192.168.1.1), then the other to the Virtual IP (126.96.36.199). Probably not relevant: I use Verizon Fios at home as well.
What is the best method to resolve this? Is there a way to force all traffic out through the pfsense gateway (192.168.1.1) to come back in to the network to hit the Static/Public IP?
Extra (this might be related):
While I write this I recall another issue that we could not find a solution for and defaulted to a workaround. To use OpenVPN on the network (behind pfsense) to a host in the pfsense DMZ we always need to use a mobile hotspot to connect using OpenVPN to access DMZ hosts.
Thanks in advance for the troubleshooting tips.
Best choices are:
- Fix your local DNS so the hostname resolves to the local address of the web server and not the firewall. (Split DNS)
- Enable NAT reflection so requests to the external IP address:port are redirected into the local server (not ideal, but still works)
- Set up pfSense with HAProxy so it acts as a proxy instead of only performing NAT functions (more complicated, more room for error, but also works around the problem)
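As an added illustration of the first two options (not code from the thread or from pfSense), the script below resolves the published hostname from an internal client and classifies what the LAN resolver hands back: the server's LAN address (split DNS is working), the WAN virtual IP (clients will hairpin to the firewall, so a host override or NAT reflection is needed), or the firewall's own LAN address (the symptom in the question). It also emits the unbound `local-data` line that a pfSense DNS Resolver host override amounts to. The hostname and addresses are constructed placeholders, and it assumes the LAN resolver is pfSense's DNS Resolver (unbound); a resolver callable can be injected so the check runs offline.

```python
"""Split-DNS / NAT-reflection sanity check for a hostname behind a pfSense VIP.

Added example, not from the forum thread. Addresses and hostname below are
constructed placeholders; replace them with the real values for your site.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List

Resolver = Callable[[str], List[str]]


@dataclass
class SplitDnsReport:
    hostname: str
    answers: List[str]
    verdict: str   # split-dns | public-vip | firewall-lan | mixed | unexpected
    action: str    # remediation drawn from the three options listed above


def system_resolver(hostname: str) -> List[str]:
    """Default resolver: ask the OS, i.e. whatever DNS server the LAN client uses."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def classify_resolution(hostname: str, public_vip: str, server_lan_ip: str,
                        firewall_lan_ip: str,
                        resolve: Resolver = system_resolver) -> SplitDnsReport:
    """Classify what an internal client gets for `hostname` and say what to fix."""
    answers = resolve(hostname)
    addrs = set(answers)
    if not addrs:
        verdict = "unexpected"
        action = "hostname does not resolve; check forwarding/overrides on the LAN resolver"
    elif addrs == {server_lan_ip}:
        verdict = "split-dns"
        action = "ok: internal clients reach the web server directly on the LAN"
    elif firewall_lan_ip in addrs:
        verdict = "firewall-lan"
        action = ("hostname points at the firewall itself (this is what produces the "
                  "pfSense GUI certificate warning); override it to %s" % server_lan_ip)
    elif addrs == {public_vip}:
        verdict = "public-vip"
        action = ("clients hairpin to the WAN VIP; add a host override %s -> %s "
                  "(split DNS) or enable NAT reflection" % (hostname, server_lan_ip))
    elif server_lan_ip in addrs and public_vip in addrs:
        verdict = "mixed"
        action = "both LAN and WAN answers returned; remove the public record from the LAN view"
    else:
        verdict = "unexpected"
        action = "answers match neither the LAN server nor the VIP; check for stale records"
    return SplitDnsReport(hostname, answers, verdict, action)


def unbound_host_override(hostname: str, lan_ip: str) -> List[str]:
    """unbound config line equivalent to a pfSense DNS Resolver host override.

    Assumption: pfSense's DNS Resolver is unbound, whose `local-data:` directive
    answers the name locally instead of forwarding it.
    """
    fqdn = hostname.rstrip(".") + "."
    return ['local-data: "%s IN A %s"' % (fqdn, lan_ip)]


if __name__ == "__main__":
    # Constructed values: RFC 5737 documentation range for the VIP, RFC 1918 for the LAN.
    report = classify_resolution("web.example.org", "203.0.113.10", "10.0.0.5", "10.0.0.1")
    print(report.verdict, "->", report.action)
    for line in unbound_host_override("web.example.org", "10.0.0.5"):
        print(line)
```

Run it from a LAN workstation after changing the resolver; a `split-dns` verdict means the hairpin through the VIP is gone without needing NAT reflection, while `firewall-lan` reproduces the exact symptom from the question.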