Symptom: Clients not being routed OUT the network to HIT Virtual IPs
-
Hello:
The setup:
We are working with pfSense 2.4.3, with Verizon FIOS static IPs (let's say 123.12.1.166). We also have another static IP that is set up as a Virtual IP in pfSense (let's say 123.12.1.167) for a webserver. We have a FQDN linked to 123.12.1.167 that resolves to junk.cat.org. We also have a Let's Encrypt SSL on junk.cat.org.

The Problem:
Internal clients are hitting the Virtual IP directly and being redirected to pfSense. I noticed the untrusted self-signed certificate message of the pfSense management login page.

Trace Route Data (internal client):
From a Win10 client in the office (behind pfSense) the tracert to the Virtual IP (123.12.1.167) yields 1 hop to the host.

Trace Route Data (external client):
From a Win10 client from my home the tracert on the Virtual IP (123.12.1.167) yields 2 hops to the host: 1 hop to my router (192.168.1.1), then the other to the Virtual IP (123.12.1.167). Probably not relevant: I use Verizon Fios at home as well.

Question:
What is the best method to resolve this? Is there a way to force all traffic out through the pfSense gateway (192.168.1.1) to come back in to the network to hit the static/public IP?

Extra (this might be related):
While I write this I recall another issue that we could not find a solution to and defaulted to a workaround. To use OpenVPN on the network (behind pfSense) to a host in the pfSense DMZ we always need to use a mobile hotspot to connect using OpenVPN to access DMZ hosts.

Thanks in advance for the troubleshooting tips.
-
Best choices are:
- Fix your local DNS so the hostname resolves to the local address of the web server and not the firewall. (Split DNS)
- Enable NAT reflection so requests to the external IP address:port are redirected into the local server (not ideal, but still works)
- Set up pfSense with HAProxy so it acts as a proxy instead of only performing NAT functions (more complicated, more room for error, but also works around the problem)
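As an added diagnostic example (not part of this thread, and not pfSense's own tooling), the script below checks from a client whether the first two options above are actually in effect: it resolves the hostname, classifies the answers as private (split DNS is working for LAN clients) or public (the client will send to the WAN address and needs NAT reflection), and then does a verified TLS handshake. A verification failure on the public address is exactly the symptom in the question, the firewall's self-signed GUI certificate being presented instead of the Let's Encrypt certificate for the site. The hostname and 123.12.1.167 come from the post; the LAN server address 10.0.0.20 is an assumption used only as sample data.

```python
import ipaddress
import socket
import ssl
import sys

# Values from the post; the LAN address is a constructed assumption for the sample run.
HOSTNAME = "junk.cat.org"
PUBLIC_VIP = "123.12.1.167"
ASSUMED_LAN_SERVER = "10.0.0.20"


def classify_address(ip: str) -> str:
    """Return 'private' for RFC 1918 / loopback / link-local space, else 'public'."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def diagnose(resolved: list[str], on_lan: bool) -> str:
    """Explain the path a client will take given the addresses DNS handed it.

    split-dns : LAN client got only private answers; traffic never touches the WAN VIP.
    hairpin   : LAN client got the public VIP; it will hit the firewall's own WAN
                address from the inside, which needs NAT reflection (or split DNS).
    leak      : an external client received an internal address it cannot reach.
    external  : external client got the public VIP, the normal case.
    """
    kinds = {classify_address(ip) for ip in resolved}
    if on_lan:
        return "split-dns" if kinds == {"private"} else "hairpin"
    return "leak" if "private" in kinds else "external"


def resolve(hostname: str) -> list[str]:
    """All A/AAAA answers the local resolver returns for the name, deduplicated."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_probe(ip: str, hostname: str, timeout: float = 5.0) -> str:
    """Connect to ip:443 with full certificate verification for hostname.

    'cert-mismatch' means the endpoint answered TLS but with a certificate that is
    not valid for the site (e.g. a firewall GUI's self-signed certificate), which is
    the misrouting symptom rather than a certificate problem on the web server.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "cert-mismatch"
    except (OSError, ssl.SSLError):
        return "unreachable"


def report(hostname: str, on_lan: bool) -> list[str]:
    """Run the checks live and return human-readable findings."""
    answers = resolve(hostname)
    lines = [f"{hostname} resolves to {', '.join(answers)} -> {diagnose(answers, on_lan)}"]
    for ip in answers:
        lines.append(f"  TLS to {ip} as {hostname}: {tls_probe(ip, hostname)}")
    return lines


if __name__ == "__main__":
    # Usage: python check_split_dns.py [hostname] [--lan]
    name = next((a for a in sys.argv[1:] if not a.startswith("--")), HOSTNAME)
    print("\n".join(report(name, on_lan="--lan" in sys.argv)))
```

Run it with `--lan` from an office client and without it from home: a LAN client that reports `hairpin` together with `cert-mismatch` on the public address is being answered by the firewall itself; once split DNS host overrides are in place the LAN run should report `split-dns` and `ok`, and the home run should still report `external` and `ok`.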