Netgate Discussion Forum

Certificate problem when accessing through WAN when using it as default gw.

General pfSense Questions
8 Posts 3 Posters 772 Views
    talishka (Apr 22, 2020, 5:44 PM; last edited by talishka Apr 22, 2020, 5:50 PM)

    Hi!

    I'm having a little issue, first my configuration:

    pfsense

    WAN 200.69.X.X
    WAN Virtual Ip 200.69.X.22
    LAN 192.168.111.1

    internal server

    IP 192.168.111.55
    GW 192.168.111.1

    I have created the NAT & Port forwarding from 200.69.X.22 to 192.168.111.55 and it's working great.

    I've installed a certificate for my website on 192.168.111.55 (server inside the LAN) and it's working ok from outside, or for users who are not using 192.168.111.1 as default gateway.

    In my case I use 192.168.111.1 as default gateway on my workstation; when I try to access the website, I get a NET::ERR_CERT_COMMON_NAME_INVALID error, and it shows me the certificate installed in the pfSense GUI. I've tried with Pure NAT but it doesn't work at all, it stays on connecting status.

      e-1-1 (Apr 22, 2020, 5:52 PM)

      • Do you have any Squid proxy intercepting TLS traffic?

      • when accessing IP 192.168.111.55 directly from inside the LAN, is the certificate presented the one you expect? (browser probably throws an error because the cert doesn't match the IP, but check SHA-whatever thumbprint and public key if it's what you really have installed)

      • you have a local (host / separate DNS server / pfSense) DNS entry for your site that somehow points to the gateway instead of 192.168.111.55?

      • are you redirecting (NAT) HTTPS traffic from inside the LAN to your gateway?

        talishka (Apr 22, 2020, 5:55 PM)

        Squid is not working at all in this firewall.

        I forgot to mention that my internal DNS, for design reasons, is a stub zone replicating from the public DNS, so internally I resolve 200.69.X.22 instead of 192.168.111.55. If I could have a split DNS that would be the fix; I mean, if I use 192.168.111.55 in my LAN DNS, the certificate works great, it's a direct connection without pfSense in the middle.

        "are you redirecting (NAT) HTTPS traffic from inside the LAN to your gateway?" How could I check this one? I think not.. mm. Why should I do that?

        Thanks for your reply.

          e-1-1 @talishka (Apr 22, 2020, 6:16 PM)

          @talishka Great, thanks for additional info.

          What I'd try, in this order:

          • make a configuration backup, download it, and have a pfSense kit ready for reinstall in case of anything (best practice anytime, but critical when changing something on the control plane).
          • if you manage your firewall from the same internal LAN, change the management port to something different than 443 (I assume your web server 192.168.111.55 listens on 443). I sometimes use 4444 for Sophos nostalgia.
          • make a new port forward NAT rule on the inside interface, with source your inside LAN net, destination your WAN virtual IP alias (you gotta love aliases), destination port 443, redirect target IP 192.168.111.55, redirect target port 443.
            e-1-1 @talishka (Apr 22, 2020, 6:21 PM)

            @talishka said in "Certificate problem when accessing through WAN when using it as default gw.":

            "are you redirecting (NAT) HTTPS traffic from inside the LAN to your gateway?" How could I check this one? I think not.. mm. Why should I do that?

            Whoops, forgot to answer this one.

            Well, if you have a NAT rule like that, all traffic sent to your public IPs will stop at the gateway (FW) and be answered by whatever listens on that port on the gateway.

            You can check in Firewall->NAT all tabs if any entry looks like what I described.

              Rico (Apr 22, 2020, 6:23 PM)
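As an added illustration (not code from this thread, from pfSense, or from Netgate's documentation), the following Python model traces where a LAN workstation's HTTPS packet ends up under the three situations discussed above: the stub zone that resolves the public VIP with only the original WAN port forward, the same plus the LAN-side redirect rule e-1-1 lists, and split DNS pointing at the inside address. The hostname www.example.test, the source-network label "lan_net", and the first-match rule evaluation are simplifying assumptions; the redacted address 200.69.X.22 is kept as an opaque label because the model only compares strings and never opens a socket.

```python
from dataclasses import dataclass, field

# Address labels taken from the thread; "200.69.X.22" keeps the redacted octet
# as-is because this model only compares labels, it never sends traffic.
WAN_VIP = "200.69.X.22"
LAN_GW = "192.168.111.1"
WEB_SERVER = "192.168.111.55"
LAN_PREFIX = "192.168.111."
HOSTNAME = "www.example.test"   # assumed site name, not from the thread


@dataclass(frozen=True)
class NatRule:
    """One port-forward (pf 'rdr') rule, reduced to the fields that matter here."""
    interface: str      # interface the packet arrives on: "wan" or "lan"
    src_net: str        # "any" or a source network label such as "lan_net"
    dst_ip: str
    dst_port: int
    target_ip: str
    target_port: int


@dataclass
class Firewall:
    gui_port: int = 443                     # port the pfSense web GUI listens on
    rules: list = field(default_factory=list)

    def redirect(self, iface, src_net, dst_ip, dst_port):
        """Apply the first matching rdr rule (assumed first-match evaluation)."""
        for r in self.rules:
            if (r.interface == iface and r.src_net in ("any", src_net)
                    and r.dst_ip == dst_ip and r.dst_port == dst_port):
                return r.target_ip, r.target_port
        return dst_ip, dst_port

    def deliver(self, iface, src_net, dst_ip, dst_port):
        """Return who finally answers a packet that arrived on `iface`."""
        ip, port = self.redirect(iface, src_net, dst_ip, dst_port)
        if ip in (WAN_VIP, LAN_GW):
            # Still addressed to the firewall itself: whatever listens on that
            # port answers. The GUI presents its own certificate, which is the
            # NET::ERR_CERT_COMMON_NAME_INVALID symptom from the first post.
            return "pfsense-gui" if port == self.gui_port else "pfsense-no-listener"
        return ip


def lan_client_reaches(fw, dns_answer):
    """Where a LAN workstation (default gateway = pfSense) lands for https://HOSTNAME/."""
    if dns_answer.startswith(LAN_PREFIX):
        return dns_answer       # on-link destination: delivered directly, never NATed
    return fw.deliver("lan", "lan_net", dns_answer, 443)


def wan_client_reaches(fw):
    """Where an outside client lands when it connects to the public VIP."""
    return fw.deliver("wan", "any", WAN_VIP, 443)


def baseline_firewall(gui_port=443):
    """Only the WAN port forward described in the original post."""
    fw = Firewall(gui_port=gui_port)
    fw.rules.append(NatRule("wan", "any", WAN_VIP, 443, WEB_SERVER, 443))
    return fw


def with_reflection(gui_port=443):
    """Baseline plus the LAN-side redirect rule from e-1-1's third step."""
    fw = baseline_firewall(gui_port)
    fw.rules.append(NatRule("lan", "lan_net", WAN_VIP, 443, WEB_SERVER, 443))
    return fw


STUB_ZONE = {HOSTNAME: WAN_VIP}      # internal zone replicating the public answer
SPLIT_DNS = {HOSTNAME: WEB_SERVER}   # internal override pointing at the inside address

if __name__ == "__main__":
    print("outside client:", wan_client_reaches(baseline_firewall()))
    print("LAN, stub zone, no reflection:",
          lan_client_reaches(baseline_firewall(), STUB_ZONE[HOSTNAME]))
    print("LAN, stub zone, reflection rule:",
          lan_client_reaches(with_reflection(), STUB_ZONE[HOSTNAME]))
    print("LAN, split DNS:", lan_client_reaches(baseline_firewall(), SPLIT_DNS[HOSTNAME]))
```

Running it shows the outside client reaching 192.168.111.55, the LAN client with the stub zone and no reflection rule reaching the pfSense GUI (wrong certificate), and both the reflection rule and split DNS delivering the LAN client to 192.168.111.55. Moving the GUI port off 443 without adding a reflection rule only changes the symptom in this model: the packet reaches the firewall and finds no listener, rather than being answered with the GUI certificate.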

              https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

              -Rico

                e-1-1 @Rico (Apr 22, 2020, 6:29 PM)

                @Rico Hi, with Method 1: NAT Reflection, in this topic's scenario, would one need to change the port used for pfSense's web management interface?

                  talishka (Apr 22, 2020, 6:41 PM)

                  Thanks everyone for all the replies, I'm gonna try Rico's suggestion, it looks like that's the correct approach.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.