pfsense not using GoDaddy's domain forward, only for internal users



  • Hey so let me try to explain this.
    We have domains we host for other people and set up forwarding so it goes to the site we made for them (which is a page under our main site, but that's how they want it). Externally, everything works fine. Internally, no one can reach it when going to the domain but they can reach the destination normally.

    Also, it looks like pfsense crashed sometime last week; could that have something to do with it?


    The main reason why I think there may be a relationship is that if I go on our backup pfsense, everything works normally (after changing gateways on servers and workstations to ensure it is all going to the right place). So for some reason the main pfsense is not redirecting from the DNS like it should, however our backup (exact copy) works normally.

    Any help would be greatly appreciated

    Thank you!


  • LAYER 8 Netgate

    If it was an exact copy they would behave exactly the same.

    Normally the issue you describe is NAT reflection.



  • Normally the issue you describe is NAT reflection.
    

    Yes, I would agree however no NAT rules have changed (or really anything on pfsense). It used to work, and it doesn't anymore



  • bump

    This is driving me crazy. It was working a few weeks ago and there have been no changes. It doesn't make sense

    Basically this is what is going on:

    (internal user)

    1. go to test.example.com (this is set up in the DNS for a 301 redirect to one of our sites)
    2. it times out

    (external user)

    1. go to test.example.com
    2. it loads normally

  • LAYER 8 Netgate

    Great. Show your port forwards. What does the domain resolve to externally? What does the domain resolve to internally?



  • @Derelict said in pfsense not using GoDaddy's domain forward, only for internal users:

    Great. Show your port forwards. What does the domain resolve to externally? What does the domain resolve to internally?

    Fixed NAT reflection problems here about a year and a half ago:
    (screenshot)

    NAT Inbound:
    (screenshot)

    NAT Outbound:
    (screenshots)

    Ok so to explain this a bit. Traffic comes in and hits .50, which is a load-balanced cluster of 4 servers (.51-.54). Outbound I put the fail-over IPs ahead of the main IPs, but it doesn't seem to matter as long as the gateway is correct and there is a rule for it. The main IP is the 8.18.xx.xx one.

    When going to order.castrolroadside.ca, it will DNS 301 redirect you to https://nsdmc.com/something
    Externally, like if you click it, it works. However internally, like if I click it, we get time out errors.



  • @Derelict said in pfsense not using GoDaddy's domain forward, only for internal users:

    What does the domain resolve to externally? What does the domain resolve to internally?

    The domain that is being forwarded resolves to 184.168.131.241, which is GoDaddy's forwarding IP apparently. The domain it forwards to resolves to the correct external IP of our servers.

    For reference, I went into every place pfsense could be blocking it and I do not see this IP anywhere. I ran a packet capture and can see it sending packets to the IP [SYN] but not getting anything back in the TCP stream.



  • Side note: I have set up tests that have it redirect to google.com and other sites besides ours. The forwarding on those does not work either.


  • Netgate Administrator

    So it fails accessing both order.castrolroadside.ca and nsdmc.com/something from an internal client?

    When you ran the packet capture which IP was it trying to reach? On the internal interface?

    A 301 redirect is an http function rather than DNS. If it just resolved correctly with DNS I doubt this would be an issue.
    The initial connection to 184.168.131.241 will not be caught by NAT reflection since that's obviously not forwarded locally. I would expect the redirected connection to your WAN to be caught though.

    Steve
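To make Steve's point concrete (the 301 is an HTTP hop, so each hop can be checked separately), here is an added example written for this edit, not code from the thread or from pfSense. It walks a redirect chain one hop at a time without auto-following and reports, per hop, whether DNS, the TCP handshake or the HTTP reply failed. It speaks plain HTTP only (no TLS); `probe_hop`, `trace_redirects` and `start_fake_server` are hypothetical names, and `start_fake_server` is a constructed local stand-in for the forwarder and the destination site so it runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe_hop(url, timeout=3.0):
    """Resolve, TCP-connect, send one GET and read the reply; never follow the redirect."""
    p = urlsplit(url)
    host, path = p.hostname, p.path or "/"
    port = p.port or (443 if p.scheme == "https" else 80)
    try:
        ip = socket.gethostbyname(host)  # DNS step: does the name resolve at all?
        with socket.create_connection((ip, port), timeout=timeout) as s:  # TCP handshake
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b"".join(iter(lambda: s.recv(4096), b""))  # HTTP/1.0: server closes
    except OSError as e:  # gaierror, timeout and refused are all OSError subclasses
        return None, None, f"{type(e).__name__}: {e}"  # (status, location, error)
    if not raw:
        return None, None, "connected but received no HTTP response"
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in head[1:])}
    return int(head[0].split()[1]), headers.get("location"), None

def trace_redirects(url, max_hops=5):
    """Walk the chain hop by hop, stopping at the first non-redirect or failure."""
    hops = []
    for _ in range(max_hops):
        status, location, err = probe_hop(url)
        hops.append({"url": url, "status": status, "location": location, "error": err})
        if err or status not in (301, 302, 307, 308) or not location:
            break
        url = location
    return hops

def start_fake_server(status=301, location=None):
    """Constructed local stand-in for a forwarder (301 + Location) or a final site (200)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/"
```

Run `trace_redirects("http://order.example/")` from inside and outside the firewall and compare which hop reports a handshake error.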



  • @stephenw10 said in pfsense not using GoDaddy's domain forward, only for internal users:

    So it fails accessing both order.castrolroadside.ca and nsdmc.com/something from an internal client?

    No. order.castrolroadside.ca fails from an internal user but works normally outside of pfsense. nsdmc.com/something is accessible from both internal and external users.

    When you ran the packet capture which IP was it trying to reach? On the internal interface?

    It hit the internal interface (pfsense) and was going to 184.168.131.241, but nothing seems to be returned while following the packet trail.

    A 301 redirect is an http function rather than DNS. If it just resolved correctly with DNS I doubt this would be an issue.

    I understand. Just trying to explain the setup we have, as that 301 redirect is set up in the same place where the DNS is for that domain.

    The initial connection to 184.168.131.241 will not be caught by NAT reflection since that's obviously not forwarded locally. I would expect the redirected connection to your WAN to be caught though.

    Caught how? Could pfsense be "stripping" the SNI or other parts that would say "I am trying to go to order.castrolroadside.ca" and not "I am trying to go to 184.168.131.241"
    The latter seems like what is going on, since that is the same IP for GoDaddy redirects in their DNS zone

    Example:
    nsd-test.com does not work for me, but if you go there it should redirect you to google


  • Netgate Administrator

    Ok, not a NAT reflection issue if you can't see redirects to an external site either.

    Is it even succeeding with the connection to 184.168.131.241?

    Probably time for a packet capture of the connection or maybe check the browser console.

    Steve



  • @stephenw10 said in pfsense not using GoDaddy's domain forward, only for internal users:

    Is it even succeeding with the connection to 184.168.131.241?

    No, it is not responding to pings, whereas when I ping the IP from my phone it works. This would mean pfsense is blocking it, but I have checked every place it could be blocked (pfBlockerNG, Snort, Aliases, etc.) and the IP is not in there.


  • Netgate Administrator

    Or it could be mis-routed somehow...



  • @stephenw10 said in pfsense not using GoDaddy's domain forward, only for internal users:

    Or it could be mis-routed somehow...

    I am checking every rule that is in place and it doesn't make sense.

    I think it is a GoDaddy issue. I just tested on one of my personal domains using a different DNS provider (1and1) and it redirected me just fine...



  • Confirmed that it is something in the pfsense. Tested from my homelab, which uses pfsense, and all the redirects work perfectly. I am at a loss for words with all the frustration this is causing.


  • Netgate Administrator

    Ok, run a packet capture for that IP on WAN, is it even leaving?

    Mystery disappearing packets... check IPSec tunnels.

    Traffic that is blocked and not logged, check pfBlocker, Snort and Suricata if you have any of those installed.

    Steve
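The LAN-versus-WAN comparison Steve asks for can be scripted. The following is an added example (not from the thread or from pfSense); the two capture excerpts are constructed to mimic tcpdump lines from Diagnostics > Packet Capture, and `count_handshakes` and `where_dropped` are hypothetical names. It assumes both captures were filtered on the same host over the same window, and it counts per destination port instead of matching flows because outbound NAT rewrites the client address and source port on WAN.

```python
import re
from collections import Counter

# Line shape produced by pfSense's Diagnostics > Packet Capture (tcpdump, normal detail level).
TCP_LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def count_handshakes(lines, dst_ip):
    """Per destination port: SYNs sent to dst_ip, and SYN-ACKs / RSTs that came back from it.
    Counts rather than matching flows, since outbound NAT rewrites client IP and port on WAN."""
    counts = {}
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == dst_ip and "S" in flags and "." not in flags:    # client SYN toward dst
            counts.setdefault(int(dport), Counter())["syn"] += 1
        elif src == dst_ip and int(sport) in counts:                 # reply from dst
            if "S" in flags and "." in flags:
                counts[int(sport)]["synack"] += 1
            elif "R" in flags:
                counts[int(sport)]["rst"] += 1
    return counts

def where_dropped(lan_lines, wan_lines, dst_ip):
    """Verdict per port from two captures of the same window: did the SYN leave, was it answered?"""
    lan, wan = count_handshakes(lan_lines, dst_ip), count_handshakes(wan_lines, dst_ip)
    verdicts = {}
    for port in lan:
        w = wan.get(port, Counter())
        if w["syn"] == 0:
            verdicts[port] = "dropped inside pfSense: SYN seen on LAN but never on WAN"
        elif w["synack"]:
            verdicts[port] = "answered upstream: the firewall is not the problem for this port"
        elif w["rst"]:
            verdicts[port] = "refused upstream (RST came back)"
        else:
            verdicts[port] = "left WAN but unanswered: upstream path or blackhole"
    return verdicts
# Constructed captures: port 443 SYNs appear on LAN only (the thread's symptom); port 80 is healthy.
LAN_SAMPLE = """\
13:01:02.000001 IP 192.168.10.25.50112 > 184.168.131.241.443: Flags [S], seq 1, win 64240, length 0
13:01:04.000003 IP 192.168.10.25.50200 > 184.168.131.241.80: Flags [S], seq 7, win 64240, length 0
13:01:04.020004 IP 184.168.131.241.80 > 192.168.10.25.50200: Flags [S.], seq 9, ack 8, win 65535, length 0
""".splitlines()
WAN_SAMPLE = """\
13:01:04.000010 IP 203.0.113.7.61001 > 184.168.131.241.80: Flags [S], seq 7, win 64240, length 0
13:01:04.019000 IP 184.168.131.241.80 > 203.0.113.7.61001: Flags [S.], seq 9, ack 8, win 65535, length 0
""".splitlines()
```

Feed it the two saved captures as lists of lines; a "dropped inside pfSense" verdict points at rules, aliases or IDS packages, while "left WAN but unanswered" points past the firewall.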



  • @stephenw10 said in pfsense not using GoDaddy's domain forward, only for internal users:

    Ok, run a packet capture for that IP on WAN, is it even leaving?

    Mystery disappearing packets... check IPSec tunnels.

    Traffic that is blocked and not logged, check pfBlocker, Snort and Suricata if you have any of those installed.

    Steve

    The packet capture shows it hitting the pfsense main gateway to go out, but I don't think it is leaving. No IPSec, and neither that IP nor my workstation IP shows up in pfBlockerNG, Snort, or the custom aliases (as we have a rule for specific hosts/networks to block).

    It literally just disappears. I'll post a packet capture tomorrow when I get there

