Netgate Discussion Forum

    ACME + HAProxy only reachable from WAN

      GleDel

      Hello,

      I'm rather new to pfSense and have successfully managed to set up HAProxy with certificates to reach some servers with a URL. When I'm outside of my network I can reach the server with a valid certificate using the URL. When I'm inside my network this isn't working.

      I tried turning on NAT reflection but this doesn't seem to work.

      Works: WAN -> https://nas.domain.com --> HA-Proxy -> NAS (on LAN)
      Doesn't work: LAN -> https://nas.domain.com --> HA-Proxy -> NAS (on LAN)

      Any tips on how to solve this?

        johnpoz LAYER 8 Global Moderator

        @GleDel said in ACME + HAProxy only reachable from WAN:

        Any tips on how to solve this?

        Yeah use local dns to resolve nas.domain.com to your local IP vs pointless nat reflection.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          GleDel @johnpoz

          @johnpoz

          I tried that but this doesn't seem to be working as it should be. I don't think it's using HAProxy.

          When I navigate to https://nas.domain.com/ on my LAN it redirects to https://nas.domain.com:5001/.

          Also it doesn't seem to be loading the Let's Encrypt certificate.

            johnpoz LAYER 8 Global Moderator

            So you're doing redirection to port with HAProxy.. This would not work on local DNS pointing nas.domain.com to, say, IP 192.168.1.100, since DNS has nothing to do with port.

            I take it this is your synology nas, with that port 5001.. I would for starters NOT open to the public internet - EVER!!!

            Why would you not just save a bookmark in your browser?? Example here is mine..

            bookmark.jpg

            Again - I would highly suggest you rethink making your DSM port open to the public - it is a very unsecure thing to do!!!

            If you want to admin or get files off your DSM while you're remote - use a VPN connection to pfSense..

              Mats

              If you want HAProxy to handle internal traffic you will need another HAProxy frontend that listens on an internal IP. You will then have to create a proper DNS entry pointing to that IP.

                PiBa @Mats

                HAProxy can receive traffic on the pfSense WAN IP that comes from an internal network just fine (normally at least, maybe if it's a PPP interface that could change things.).. Using split-DNS tricks isn't needed either..
                I do agree that opening the admin page of a consumer NAS to the world-wide-web wouldn't be advisable. (Perhaps if you secure it by using client-certificates it would be okay..) For this purpose listening on a lan-ip with a specific frontend could be nice to have some separation..

                As for why it doesn't currently work.. that's pretty much impossible to tell without some more information about what you did and didn't configure.. Perhaps sharing a haproxy.cfg from the bottom of the settings tab would help us help you..? Or telling something about your network layout / subnets / IPs used for client / pfSense / NAS.

                1 Reply Last reply Reply Quote 0
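An added example, not part of any post in this thread: a Python check a LAN client could run to collect the three symptoms reported above (which address the name resolves to, who issued the certificate that is served, and whether the response redirects to another port). The HAProxy listen address `192.168.1.1` and the sample observation are constructed assumptions; `nas.domain.com` and `192.168.1.100` are the placeholders used in the thread.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

LE_ORG = "Let's Encrypt"
HAPROXY_IP = "192.168.1.1"  # assumption: address the HAProxy frontend listens on
# Constructed observation matching the symptoms described in the thread.
SAMPLE = ("192.168.1.100", "untrusted (self-signed certificate)",
          "https://nas.domain.com:5001/")


def diagnose(resolved_ip, haproxy_ip, issuer_org, location):
    """Return findings showing that a LAN request did not go through HAProxy."""
    findings = []
    if resolved_ip != haproxy_ip:
        findings.append(f"DNS returns {resolved_ip}, not the HAProxy address {haproxy_ip}")
    if issuer_org != LE_ORG:
        findings.append(f"certificate issuer is {issuer_org!r}, not {LE_ORG!r}")
    port = urlsplit(location).port if location else None
    if port not in (None, 443):
        findings.append(f"redirected to port {port}, away from the 443 frontend")
    return findings


def probe(hostname, timeout=5):
    """Live check: resolved IP, certificate issuer organisation, Location header."""
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout, context=ctx)
    try:
        conn.connect()  # TLS handshake; raises if the certificate is not trusted
        issuer = dict(rdn[0] for rdn in conn.sock.getpeercert()["issuer"])
        conn.request("HEAD", "/")
        location = conn.getresponse().getheader("Location", "")
        return ip, issuer.get("organizationName", ""), location
    except ssl.SSLCertVerificationError as exc:
        # An untrusted certificate is itself evidence the ACME cert is not served.
        return ip, f"untrusted ({exc.verify_message})", ""
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demo on the constructed sample; on a real LAN client use:
    #   ip, issuer, location = probe("nas.domain.com")
    ip, issuer, location = SAMPLE
    for line in diagnose(ip, HAPROXY_IP, issuer, location) or ["request reached HAProxy"]:
        print(line)
```

An empty result means the name resolves to the proxy, the trusted Let's Encrypt certificate is served, and no redirect leaves port 443.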