pfSense and internal port forwarding redirection



  • Hi all,

    I have 2x pfSense in HA and 2 public IP.

    I have a cluster of 4 servers with all 4 being load balancers (HA Proxy ) in order to achieve high availability.

    When we are trying to generate a web ssl certificate using let’s encrypt, the generation is done on the first server in the cluster, which also creates a standalone service to solve the challenge that proves the domain is ours. If the request comes in on one of the other three load balancers, that request is redirected towards the public IP port 80 of the first server, but that connection can’t be made for some reason.
    If I try to use telnet from server2 to connect to server1, I get no response

    [root@Server-02 clustercs]# telnet 19x.12.14.3x 80
    Trying 19x.12.14.xx...
    

    The same goes for wget mydomain.co.uk

    [root@Server-02 clustercs]# wget mydomain.co.uk
    --2020-02-24 12:39:49-- http://mydomain.co.uk/
    Resolving mydomain.co.uk (mydomain.co.uk)... 19x.12.14.3x, 19x.12.14.4x, 19x.12.14.4x, ...
    Connecting to mydomain.co.uk (mydomain.co.uk)|194.12.14.39|:80... failed: Connection timed out.
    Connecting to mydomain.co.uk (mydomain.co.uk)|194.12.14.40|:80...
    ^C
    

    I saw the following in the pfSense documentation:

    By default, pfSense® software does not redirect internally connected devices to reach forwarded ports and 1:1 NAT on WAN interfaces. If a client is trying to reach a service on port 80 or 443 (or the port a web interface is using if it has been changed), the connection will hit the web interface and they will be presented with a certificate error if the GUI is running HTTPS, and a DNS rebinding error since it’s an unrecognized hostname.
    

    Could anyone please help me understand on the best approach to solve my issue?

    I looked at ‘Split DNS’ but I cannot figure of what domain I should be entering and I also not sure if NAT Reflection is what I need.

    If using NAT Reflection, do I need to rebuild all my existing NAT rules?
    As pfSense In HA so I need to be careful not to break the HA part when messing with NAT.

    Thank you all in advance


Log in to reply