    Outbounding traffic from LAN

    Firewalling
    • 1
      19Giugno last edited by

      Hi there,
      once again, I am new to firewalling, so I easily get lost with simple problems.

      Here is the situation:
      I have a pfSense firewall with basic NAT, OpenVPN, and DNS Resolver configured. In my LAN I have a web server that should be accessible only from a whitelist of external IPs and from OpenVPN and LAN clients. With the current setup everything is working, but from the machines in the LAN I cannot surf any https websites (apart from the ones specified in the DNS Resolver table).

      I am attaching the screenshots of my current setup, hopefully you guys will be able to help me.

      IBO_Web is my web server.
      Rules_Wan.png Rules_Lan.png Nat.png DNS_Resolver.png

      Thanks,
      D.

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by johnpoz

        @19Giugno said in Outbounding traffic from LAN:

        but from the machines in the LAN I cannot surf any https websites (apart from the ones specified in the DNS Resolver table).

        Huh?

        Are you natting outbound traffic on lan to 443? Why do you have the rule IBO_WEB port 443 on your lan? Then calling it nat rule?

        You understand that something on the lan talking to an IP on your lan - is never going to talk to pfsense.. Your rule above that rule, which you have desc nat https traffic, would allow clients on the lan to go anywhere on the internet they want. And would never be evaluated even.

        Are you using proxy, IPS, some odd outbound nat on lan?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        • 1
          19Giugno last edited by

          Hi johnpoz. If I disable the nat https traffic rule, then nothing changes: websites are still unreachable, but from the lan I can get the internal websites. If I disable the nat on 443 then websites work, but I cannot get the internal websites.

          I am not using any proxy, or anything else, just the DNS forwarder.

          Thanks.

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by johnpoz

            Ok lets get some actual details..

            You have a client and you're trying to go to say https://www.google.com, does it resolve??? Can you ping www.google.com and does it come back with an IP?

            What error do you get in your browser?

            If you're trying to go to https://www.somedomain.tld that resolves on the public to public IP 1.2.3.4, but hosted on your internal network... Then just create host override so www.somedomain.tld resolves to the local rfc1918 address - pfsense never talked to for the actual connection, only the dns lookup.

            If you're wanting www.somedomain.tld.. to resolve to your public IP while you're on your own network then you would have to setup nat reflection... Which is really not the optimal solution... Just use host override.

            • 1
              19Giugno @johnpoz last edited by

              @johnpoz said in Outbounding traffic from LAN:

              Ok lets get some actual details..

              You have a client and you're trying to go to say https://www.google.com, does it resolve??? Can you ping www.google.com and does it come back with an IP?

              What error do you get in your browser?

              If you're trying to go to https://www.somedomain.tld that resolves on the public to public IP 1.2.3.4, but hosted on your internal network... Then just create host override so www.somedomain.tld resolves to the local rfc1918 address - pfsense never talked to for the actual connection, only the dns lookup.

              If you're wanting www.somedomain.tld.. to resolve to your public IP while you're on your own network then you would have to setup nat reflection... Which is really not the optimal solution... Just use host override.

              Hi again,
              if I go to https://www.google.com I get
              This site can’t be reached The connection was reset.
              Try:

              Checking the connection
              Checking the proxy and the firewall
              Running Windows Network Diagnostics
              ERR_CONNECTION_RESET

              Ping will return 216.58.201.36 which I assume is correct.

              Can you please tell me how to create the host override? As you can see I have added an entry to the DNS resolver, but this doesn't help.

              Thanks,
              D.

              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by

                so when your client pings whatever.com that you have pointing to 192.168.22.3 what IP returns? You sure your client is actually using pfsense or its dns?

                You sure your client is not using a proxy?

                Without a proxy or ips... pfsense not going to do anything with your traffic other than allow it or deny it. Are you saying you can go to any http site just fine?

                Please post your outbound nats - you just have them on automatic right? You're not using any sort of vpn client setup on pfsense, etc. etc.

                • 1
                  19Giugno @johnpoz last edited by

                  @johnpoz said in Outbounding traffic from LAN:

                  so when your client pings whatever.com that you have pointing to 192.168.22.3 what IP returns? You sure your client is actually using pfsense or its dns?

                  You sure your client is not using a proxy?

                  Without a proxy or ips... pfsense not going to do anything with your traffic other than allow it or deny it. Are you saying you can go to any http site just fine?

                  Please post your outbound nats - you just have them on automatic right? You're not using any sort of vpn client setup on pfsense, etc. etc.

                  When my client pings mysite.com it returns the public IP address of the network. So I guess they are using their internal DNS?

                  Attached the outbound NAT.

                  Thanks.!

                  Outbound_Nat.png

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    @19Giugno said in Outbounding traffic from LAN:

                    When my client pings mysite.com it returns the public IP address of the network.

                    Then your client is not using pfsense for dns.. Since you have the host override there - or you put it in the wrong place... If you're using resolver the host overrides go in the resolver, if you're using the forwarder, then the host overrides go in the forwarder section.

                    Ok your outbound looks fine.. you have 2 networks 22 and 228? Or is 228 a vpn tunnel network you setup?

                    • 1
                      19Giugno @johnpoz last edited by

                      Ok your outbound looks fine.. you have 2 networks 22 and 228? Or is 228 a vpn tunnel network you setup?

                      It is a VPN tunnel.

                      The overrides are in the resolver.

                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        well then if your clients were asking pfsense for dns that is what would be returned.. I use overrides every day all day, add them and remove them all the time... It's almost impossible for that to get messed up... Unless you never actually applied them and unbound did not actually restart..

                        Common problem is the client not actually asking pfsense for dns..

                        • 1
                          19Giugno @johnpoz last edited by

                          @johnpoz said in Outbounding traffic from LAN:

                          well then if your clients were asking pfsense for dns that is what would be returned.. I use overrides every day all day, add them and remove them all the time... It's almost impossible for that to get messed up... Unless you never actually applied them and unbound did not actually restart..

                          Common problem is the client not actually asking pfsense for dns..

                          OK, how can I check this?

                          • A
                            Actionhenk last edited by Actionhenk

                            Do an ipconfig /all from your windows box and check if the dns is pointing to the proper IP of your pfsense box (you should also check the interfaces pfsense dns is listening on in the resolver tab), try an nslookup www.yoursite.com <ip of your pfsense box>; if it resolves correctly you should see a response:

                            d74442b2-fee0-4d43-a0a1-fd99a3425958-image.png

                            if your dns IP is anything other than your pfsense box, manually change it or check the dhcp settings on the pfsense box and set the correct dns IP to be distributed to your clients (don't know your setup but maybe you still have a dhcp from an isp/modem running giving out the wrong dns ip?)

                            • 1
                              19Giugno @Actionhenk last edited by

                              @Actionhenk said in Outbounding traffic from LAN:

                              Do an ipconfig /all from your windows box and check if the dns is pointing to the proper IP of your pfsense box (you should also check the interfaces pfsense dns is listening on in the resolver tab), try an nslookup www.yoursite.com <ip of your pfsense box>; if it resolves correctly you should see a response:

                              d74442b2-fee0-4d43-a0a1-fd99a3425958-image.png

                              if your dns IP is anything other than your pfsense box, manually change it or check the dhcp settings on the pfsense box and set the correct dns IP to be distributed to your clients (don't know your setup but maybe you still have a dhcp from an isp/modem running giving out the wrong dns ip?)

                              Thanks @Actionhenk , adding the pfsense as DNS to the machines made the job! Thanks a lot!

                              D.

                              • johnpoz
                                johnpoz LAYER 8 Global Moderator last edited by

                                @19Giugno said in Outbounding traffic from LAN:

                                adding the pfsense as DNS to the machines made the job!

                                Not adding - ONLY!! You can not point to multiple dns that do not resolve the same stuff or you're going to have a bad day.

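As a concrete version of the check Actionhenk describes (ipconfig /all and nslookup against the pfSense box) together with johnpoz's point that pfSense must be the ONLY DNS server a client lists, here is an added Python example; it is not code from this thread or from pfSense. It parses constructed sample command output: the pfSense LAN address 192.168.22.1, the hostname www.mysite.com and both output samples are assumptions, while the web server address 192.168.22.3 is the one from the thread.

```python
import ipaddress
import re

PFSENSE_IP = "192.168.22.1"     # assumed pfSense LAN address, the only DNS server clients should list
WEB_SERVER_IP = "192.168.22.3"  # internal web server address from the thread (host override target)

# Constructed 'ipconfig /all' excerpt showing the bad case: a public resolver
# listed alongside pfSense, so the host override answer is not guaranteed to win.
IPCONFIG_SAMPLE = """\
Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       192.168.22.1
"""
# Constructed 'nslookup www.mysite.com 192.168.22.1' output for the good case.
NSLOOKUP_SAMPLE = """\
Server:  pfSense.localdomain
Address:  192.168.22.1

Name:    www.mysite.com
Address:  192.168.22.3
"""

def dns_servers_from_ipconfig(text):
    """Return the DNS server list of the first adapter block in 'ipconfig /all' output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip().startswith("DNS Servers"):
            continue
        servers = [line.split(":", 1)[1].strip()]
        for cont in lines[i + 1:]:  # extra servers follow on unlabeled, indented lines
            try:
                servers.append(str(ipaddress.ip_address(cont.strip())))
            except ValueError:
                break
        return servers
    return []

def answer_from_nslookup(text):
    """Return the answer address from nslookup output (the 'Address' after 'Name:')."""
    m = re.search(r"^Name:.*\n(?:Aliases:.*\n)?Address(?:es)?:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def check_client(ipconfig_text, nslookup_text):
    """Flag the two failure modes from the thread: extra DNS servers and a wrong answer."""
    servers = dns_servers_from_ipconfig(ipconfig_text)
    answer = answer_from_nslookup(nslookup_text)
    override_ok = answer == WEB_SERVER_IP and ipaddress.ip_address(answer).is_private
    return {"servers": servers, "only_pfsense": servers == [PFSENSE_IP],
            "answer": answer, "override_ok": override_ok}
```

Run it against the real output of `ipconfig /all` and `nslookup www.yoursite.com <pfsense ip>` on the client; "only_pfsense" false means a second resolver can still hand back the public IP, which is exactly the symptom in this thread.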