ACME + HAProxy only reachable from WAN



  • Hello,

    I'm rather new to pfSense and have successfully managed to set up HAProxy with certificates to reach some servers with a URL. When I'm outside of my network I can reach the server with a valid certificate using the URL. When I'm inside my network this isn't working.

    I tried turning on NAT reflection but this doesn't seem to work.

    Works: WAN -> https://nas.domain.com --> HAProxy -> NAS (on LAN)
    Doesn't work: LAN -> https://nas.domain.com --> HAProxy -> NAS (on LAN)

    Any tips on how to solve this?


  • LAYER 8 Global Moderator

    @GleDel said in ACME + HAProxy only reachable from WAN:

    Any tips on how to solve this?

    Yeah, use local DNS to resolve nas.domain.com to your local IP vs. pointless NAT reflection.



  • @johnpoz

    I tried that but this doesn't seem to be working as it should be. I don't think it's using HAProxy.

    When I navigate to https://nas.domain.com/ on my LAN it redirects to https://nas.domain.com:5001/.

    Also it doesn't seem to be loading the Let's Encrypt certificate.


  • LAYER 8 Global Moderator

    So you're doing redirection to a port with HAProxy.. This would not work on local DNS pointing nas.domain.com to, say, IP 192.168.1.100, since DNS has nothing to do with the port.

    I take it this is your Synology NAS, with that port 5001.. I would for starters NOT open it to the public internet - EVER!!!

    Why would you not just save a bookmark in your browser?? Example here is mine..

    [screenshot: bookmark.jpg]

    Again - I would highly suggest you rethink making your DSM port open to the public - it is a very insecure thing to do!!!

    If you want to admin or get files off your DSM while you're remote - use a VPN connection to pfSense..



  • If you want HAProxy to handle internal traffic you will need another HAProxy frontend that listens on an internal IP. You will then have to create a proper DNS entry pointing to that IP.



  • HAProxy can receive traffic on the pfSense WAN IP that comes from an internal network just fine (normally at least; maybe if it's a PPP interface that could change things.).. Using split-DNS tricks isn't needed either..
    I do agree that opening the admin page of a consumer NAS to the world-wide-web wouldn't be advisable. (Perhaps if you secure it by using client certificates it would be okay..) For this purpose, listening on a LAN IP with a specific frontend could be nice to have some separation..

    As for why it doesn't currently work.. that's pretty much impossible to tell without some more information about what you did and didn't configure.. Perhaps sharing a haproxy.cfg from the bottom of the settings tab would help us help you..? Or telling us something about your network layout / subnets / IPs used for client / pfSense / NAS.
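The two previous replies both describe the same fix: a second HAProxy frontend bound to a LAN address, plus a local DNS record that points nas.domain.com at that address. The configuration below is an added example written for this thread, not anything posted by the participants or generated by the pfSense HAProxy package. Every address and path is an assumption: 203.0.113.10 as the pfSense WAN IP, 192.168.1.1 as its LAN IP, 192.168.1.100:5001 as the NAS, and the certificate paths are placeholders for wherever the ACME package writes the Let's Encrypt certificate and the NAS's own CA.

```haproxy
# Added example (not from the thread). Two frontends share one certificate
# and one backend: WAN clients hit the WAN bind, LAN clients hit the LAN
# bind. A DNS host override for nas.domain.com -> 192.168.1.1 (the LAN bind
# address) is what makes LAN browsers land on the LAN frontend; no NAT
# reflection is involved. All IPs and file paths below are assumptions.

global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# WAN-facing frontend (the part the original poster already has working).
frontend https_wan
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/nas.domain.com.pem alpn h2,http/1.1
    acl host_nas hdr(host) -i nas.domain.com
    # Refuse anything that is not for a name we actually publish.
    http-request deny unless host_nas
    http-request set-header X-Forwarded-Proto https
    use_backend nas_dsm if host_nas

# LAN-facing frontend: same certificate, same rules, separate listener so
# internal clients never depend on the WAN address or on NAT reflection.
frontend https_lan
    bind 192.168.1.1:443 ssl crt /var/etc/haproxy/nas.domain.com.pem alpn h2,http/1.1
    acl host_nas hdr(host) -i nas.domain.com
    http-request deny unless host_nas
    http-request set-header X-Forwarded-Proto https
    use_backend nas_dsm if host_nas

# The NAS admin interface, reached over TLS on its native port. The
# backend certificate is verified against the NAS's own CA (assumed path);
# use the exported DSM certificate here rather than "verify none".
backend nas_dsm
    option httpchk GET /
    server nas 192.168.1.100:5001 ssl verify required ca-file /var/etc/haproxy/nas_internal_ca.pem check
```

A quick way to confirm the LAN frontend is the one answering is to resolve nas.domain.com from a LAN client and check that it returns 192.168.1.1 rather than the WAN address, then look at the served certificate: it should be the Let's Encrypt one from the frontend, not the NAS's own certificate. If the browser still lands on https://nas.domain.com:5001/, the client is bypassing HAProxy (DNS points straight at the NAS) rather than going through the frontend.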

