Netgate Discussion Forum

    pfSense and internal port forwarding redirection

    trinitech

      Hi all,

      I have 2x pfSense in HA and 2 public IP.

      I have a cluster of 4 servers with all 4 being load balancers (HA Proxy ) in order to achieve high availability.

      When we are trying to generate a web SSL certificate using Let's Encrypt, the generation is done on the first server in the cluster, which also creates a standalone service to solve the challenge that proves the domain is ours. If the request comes in on one of the other three load balancers, that request is redirected towards the public IP port 80 of the first server, but that connection can't be made for some reason.
      If I try to use telnet from server2 to connect to server1, I get no response.

      [root@Server-02 clustercs]# telnet 19x.12.14.3x 80
      Trying 19x.12.14.xx...
      

      The same goes for wget mydomain.co.uk

      [root@Server-02 clustercs]# wget mydomain.co.uk
      --2020-02-24 12:39:49-- http://mydomain.co.uk/
      Resolving mydomain.co.uk (mydomain.co.uk)... 19x.12.14.3x, 19x.12.14.4x, 19x.12.14.4x, ...
      Connecting to mydomain.co.uk (mydomain.co.uk)|194.12.14.39|:80... failed: Connection timed out.
      Connecting to mydomain.co.uk (mydomain.co.uk)|194.12.14.40|:80...
      ^C
      

      I saw the following in the pfSense documentation:

      By default, pfSense® software does not redirect internally connected devices to reach forwarded ports and 1:1 NAT on WAN interfaces. If a client is trying to reach a service on port 80 or 443 (or the port a web interface is using if it has been changed), the connection will hit the web interface and they will be presented with a certificate error if the GUI is running HTTPS, and a DNS rebinding error since it’s an unrecognized hostname.
      

      Could anyone please help me understand the best approach to solve my issue?

      I looked at 'Split DNS' but I cannot figure out what domain I should be entering, and I am also not sure if NAT Reflection is what I need.

      If using NAT Reflection, do I need to rebuild all my existing NAT rules?
      As pfSense is in HA, I need to be careful not to break the HA part when messing with NAT.

      Thank you all in advance.
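The symptom in the post (an internal host times out connecting to its own firewall's public address, while the name resolves fine) is the classic hairpin case the quoted documentation describes. The script below is an added example, not code from the post or from pfSense: it parses wget-style output of the shape shown above, classifies the failure as a hairpin (internal client, public destination that maps to an internal host) versus a plain unreachable target, and emits the DNS Resolver host-override rows (host, domain, internal IP) that a split-DNS approach would need. The addresses, host names and the public-to-internal mapping are constructed placeholders.

```python
"""Classify a "cannot reach my own public IP from inside" symptom from
wget-style log lines and build split-DNS host-override rows.

Added example; not code from the forum post or from pfSense.
All addresses and names are constructed placeholders.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the same shape as the wget transcript in the post.
SAMPLE_WGET_OUTPUT = """\
--2020-02-24 12:39:49-- http://www.example.test/
Resolving www.example.test (www.example.test)... 203.0.113.39, 203.0.113.40, 203.0.113.41
Connecting to www.example.test (www.example.test)|203.0.113.39|:80... failed: Connection timed out.
Connecting to www.example.test (www.example.test)|203.0.113.40|:80... failed: Connection timed out.
"""

# Constructed assumptions: firewall public addresses -> LAN addresses of the
# load balancers behind them, and the LAN the cluster lives on.
PUBLIC_TO_INTERNAL = {
    "203.0.113.39": "10.0.0.11",
    "203.0.113.40": "10.0.0.12",
    "203.0.113.41": "10.0.0.13",
}
LAN_NETWORK = ip_network("10.0.0.0/24")

RESOLVE_RE = re.compile(r"^Resolving \S+ \(\S+\)\.\.\. (.+)$")
CONNECT_RE = re.compile(r"^Connecting to \S+ \(\S+\)\|([\d.]+)\|:(\d+)\.\.\. (.*)$")


def parse_wget(output):
    """Return (resolved_ips, attempts); attempts maps ip -> outcome text."""
    resolved, attempts = [], {}
    for line in output.splitlines():
        m = RESOLVE_RE.match(line)
        if m:
            for token in m.group(1).split(","):
                token = token.strip()
                try:
                    ip_address(token)  # skip trailing "..." and junk
                except ValueError:
                    continue
                resolved.append(token)
            continue
        m = CONNECT_RE.match(line)
        if m:
            attempts[m.group(1)] = m.group(3).strip()
    return resolved, attempts


def diagnose(client_ip, resolved, attempts, public_to_internal, lan):
    """Classify the failure and list the LAN addresses the client should use.

    'hairpin'     : LAN client timing out against its own firewall's WAN address
    'unreachable' : timeouts that the hairpin explanation does not cover
    'ok'          : no timeouts seen
    """
    client_is_internal = ip_address(client_ip) in lan
    timed_out = [ip for ip in resolved if "timed out" in attempts.get(ip, "")]
    hairpin = [ip for ip in timed_out if ip in public_to_internal]
    if client_is_internal and hairpin:
        verdict = "hairpin"
    elif timed_out:
        verdict = "unreachable"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "timed_out": timed_out,
        "internal_targets": [public_to_internal[ip] for ip in hairpin],
    }


def split_dns_overrides(fqdn, resolved, public_to_internal):
    """Build (host, domain, internal_ip) rows, one per public address the
    name resolves to, so LAN clients receive LAN answers for the name."""
    host, _, domain = fqdn.partition(".")
    return [(host, domain, public_to_internal[ip])
            for ip in resolved if ip in public_to_internal]


if __name__ == "__main__":
    ips, tries = parse_wget(SAMPLE_WGET_OUTPUT)
    print(diagnose("10.0.0.12", ips, tries, PUBLIC_TO_INTERNAL, LAN_NETWORK))
    for row in split_dns_overrides("www.example.test", ips, PUBLIC_TO_INTERNAL):
        print("host override:", row)
```

The verdict only says whether the observed timeouts line up with the hairpin explanation; it does not prove the firewall is the cause, so confirm with a packet capture on the LAN interface before changing NAT. The override rows are the data a split-DNS setup needs regardless of which resolver serves the LAN.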

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.