I'm missing something... trying to log into company web internally opens up firewall



  • I'm sorry for this stupid question, but I'm doing a new install for my company using an SG-3100. I have it set up basic with several NAT rules for the company website and several other things. I can log onto our website externally with no problem, but when I try to do it internally I have problems. First I got the Potential DNS Rebind Attack Detected message. I turned off that message and I see what it's doing... It tries to log into the firewall instead of our website. Why? How do I turn this off?


  • LAYER 8 Rebel Alliance



  • Thanks for the reply. I did as suggested and it no longer tries to open the GUI, but it also does not log into the local website. I can still reach the website from an outside source but not internally.



  • It's acting like it can't resolve the DNS. If I manually type in the public IP or the internal IP I can get to the website. I have my DNS set up from my ISP and also set to our local DNS server. I'm not sure what pfsense setting is blocking this.



  • I can get to other services on our website like our unlock for our software (unlock.xenetech.com), but when trying to go to the main site of xenetech.com it says site can't be reached. However, I can get to it remotely or by typing in the address.

    Does anyone have an idea of why my main site address won't resolve?

    Please



  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    I can get to other services on our website like our unlock for our software (unlock.xenetech.com) but when trying to go to the main site of xenetech.com it says site can't be reached. however, I can get to it remotely or by typing in the address.

    Does anyone have an idea of why my main site address won't resolve?

    Please

    When you want to access internal resources from other internal resources, you use internal addresses for that. Here's what I mean.

    You have a public IP, but I'm betting perhaps your public IP is behind NAT. So you have port forwards configured into the NAT to send web requests on, say, ports 80 and 443 to an internal host with probably some kind of RFC1918 address.

    In order to access that internal web host from other internal networks, you don't want your internal clients using your public IP address. That would require you implementing several cumbersome workarounds with NAT reflection in the firewall. You don't want to go there.

    Instead, do this. In your DNS server (hopefully you either have an internal dedicated DNS host or else you are using the DNS Resolver [unbound] in pfSense to handle DNS for your internal LAN hosts) create a host record for your company's web site and use the internal IP of the web server. That way, when an internal host tries to find say "www.mycompany.com", the DNS server will send it the internal network IP of the web server (maybe 192.168.1.10 as an example) instead of the public IP of the web server. This kind of setup is really easy to implement if you have an external DNS record hosted with an external provider. That external record will be accessed by all the folks on the Internet, but your internal LAN clients will use the local DNS record for your web site instead of the external record.



  • bmeeks,

    I already have a DNS record on our DNS server for xenetech.com. I'm replacing an older SonicWall firewall and with it connected everything works correctly. I don't have a specific DNS. Could pfsense be blocking my DNS server somehow?


  • Everything is in the link already provided:

    https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

    You either need Split DNS or NAT reflection.

    The sonicwall probably reflected NAT by default.

    pfSense does not because it's pretty much nonsense and it's generally much better to use split DNS instead and not bounce local traffic through the firewall.



  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    bmeeks,

    I already have a DNS record on our DNS server for xenetech.com. I'm replacing an older SonicWall firewall and with it connected everything works correctly. I don't have a specific DNS. Could pfsense be blocking my DNS server somehow?

    Follow "Method 2 - Split DNS" in the link reposted by @Derelict. That's the method I was describing in my original post. That will solve your problem in the best manner. Split DNS is the best way to work this. You can use NAT reflection if you absolutely insist, but it's really not ideal - and as @Derelict pointed out is sort of pointless.

    You should point your internal LAN clients to pfSense for their DNS anyway. So the public clients on the Internet will still use your external DNS server and the xenetech.com record you have there when looking up the server's IP. But your internal LAN clients would ask pfSense for DNS information (and not your external DNS) and that DNS will have a record for xenetech.com that points directly to the local IP address of the web server and not your public WAN IP.

    Do some quick Google research on "Split DNS" to get a foundation in what we are talking about if the method and technique are new to you. It really is the proper method for doing these kinds of things with hosts which are available publicly and also need to be accessed by internal LAN hosts.



  • OK I will try again. Sorry to bother you guys but do appreciate the help.

    Something to chew on...

    I brought the NetGate firewall to my house because I got frustrated at work. So I cleared the static DHCP so I could just plug it into my network at the house, and I got onto the internet, Google etc. So before I did a factory reset I thought I would do a traceroute to www.xenetech.com; it timed out. Did it to Google and it worked. Went to another computer in the house not connected to the NetGate and typed in xenetech.com and found it fine. I find it interesting that I'm not even on the same network as my webserver that is at work, and when I try to go through pfsense to xenetech.com it's blocked.

    I must have something set wrong somewhere but I will follow method #2 when I get to the office.

    Let me know what you think.

    Thanks again for your help.



  • Oh, forgot to add that I also tried the network address and it still timed out.
    I'm currently doing a factory reset.


  • What does xenetech.com resolve to? If you are doing split DNS it should resolve to your RFC1918 address, not the public WAN IP.

    Where are your clients pointing to for DNS? For split DNS to work, the clients need to point to pfsense for DNS, and pfsense has to have a host override set up for the FQDN you're trying to access.



  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    Oh, forgot to add that I also tried the network address and it still timed out.
    I'm currently doing a factory reset.

    You will not be able to properly set up and configure split DNS at your house. Your home LAN is not the same as your work network. For one thing, your company's internal web server and its IP address will not be present in your home network. And if you change the configuration and get things working in your home network, I can pretty much guarantee you that it will not work when you take the firewall back to your office and plug it in. The network addresses will be different again. You will have to perform the configuration at the office while the firewall is connected to the company network.

    No offense meant with this question, but what is your experience level with firewall administration and network design/support? It seems maybe some of this is new territory for you.



  • No offense taken at all. As you can tell I’m not an expert. I was forced to wear this “hat” many years ago and I have many “hats” I’ve been self-taught mostly out of necessity. I’ve been with the company for 33 years and we have downsized many times. My primary function is machine and software design.

    Now back to your remarks. I completely agree that it will not work correctly trying to set it up at home and then take it to the office. The reason I made my comment was to point out that I didn't have any Split DNS or NAT reflection set when I was at the office this morning, so I figured it would see Xenetech.com from the house since I'm not on my work network. I was wrong.

    Now, I’m trying to wrap my head around pfsense and how it functions. I’ve read that fresh out of the box (or factory reset in my case) if the only thing I set is DHCP then it would function just like a router. I have read this in multiple locations and have seen it in many videos. If this is the case then why can’t I see www.xenetech.com? It has to be a DNS setting or something internal that is not getting reset with the factory reset. If I do a DNS lookup it shows the correct address. If I take the NetGate out of my network I can get to it fine. I don’t understand this. before I can even try and do Split DNS or NAT reflection back at the office I have to figure this out.

    It’s almost like my original settings that may have been wrong (maybe when I set www.xenetech.com as my domain in general) the very first time it’s stuck. I can get to any other site but that one.

    I already know that Reset to factory defaults doesn’t do everything because it still keeps option 15 “Restore recent configurations” on the drive. Maybe it’s keeping something else.

    Sorry this is long.

    Regards



  • So after the "reset to factory defaults", describe once more exactly how you are putting the Netgate device into your home network. Are you removing your current router/firewall and inserting pfSense into its place (as in swapping all the cables), or are you simply connecting the Netgate appliance into the LAN side of your existing home network?

    In one of your posts above it seemed that you were just sticking the Netgate appliance onto your LAN as another LAN device. When you do that, the IP addressing will likely all have to be changed in the Netgate device. Definitely on the WAN and possibly LAN as well if that network overlaps your existing home LAN.



  • @bmeeks
    I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the NetGate. That is all I changed. This time, using the wizard, I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard, I put our website of xenetech as my Domain. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder.


  • Does your website resolve?

    Can never get there if it doesn't resolve.. If this is hosted behind pfsense at your office then you would have had to set up port forwarding..

    If you can get to other sites, then I would assume your office site is not set up correctly to allow public access to this webserver behind pfsense at your office.. So no, you wouldn't be able to get to it anywhere..

    is this your site? http://www.xenetech.com/

    I can get there. It resolves to

    C:\>dig www.xenetech.com
    
    ; <<>> DiG 9.16.4 <<>> www.xenetech.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54935
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.xenetech.com.              IN      A
    
    ;; ANSWER SECTION:
    www.xenetech.com.       7155    IN      A       70.169.64.116
    
    ;; Query time: 5 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Sun Jun 28 21:02:15 Central Daylight Time 2020
    ;; MSG SIZE  rcvd: 61
    

    Is that hosted from your office with your pfsense at the office having that 70.169.64.116 on its wan?
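    The split-DNS advice from bmeeks and Derelict above, and the dig answer johnpoz just posted, can be turned into a quick check. The following script is an added example written for this thread, not code from any of the posters or from pfSense: it parses a dig-style ANSWER SECTION, decides whether the answer is what an internal or an external client should see, and prints the unbound host-override line that pfSense's DNS Resolver installs for split DNS. The dig text is constructed to match the shape of the answer in the thread; the internal address 192.168.1.10 is the placeholder bmeeks used and is an assumption, not a real server address.

```python
"""Classify a resolver answer the way the split-DNS advice in this thread
implies, and emit the unbound host override that pfSense's DNS Resolver
would install for split DNS.

Constructed example (not from the thread): the dig text below is modelled on
the answer johnpoz posted; 192.168.1.10 is the placeholder internal address
bmeeks used and is an assumption, not a real server address.
"""
import ipaddress
import re

# Constructed dig answer shaped like the one in the thread: the public name
# resolving to the public WAN address.
DIG_OUTPUT_PUBLIC = """\
;; ANSWER SECTION:
www.xenetech.com.       7155    IN      A       70.169.64.116

;; Query time: 5 msec
"""

# Constructed answer an internal client should get once a host override
# exists on the resolver (the internal address is an assumed placeholder).
DIG_OUTPUT_INTERNAL = """\
;; ANSWER SECTION:
www.xenetech.com.       3600    IN      A       192.168.1.10
"""

A_RECORD = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<addr>\S+)\s*$")


def parse_a_records(dig_text: str) -> list[tuple[str, str]]:
    """Return (name, address) pairs from the ANSWER SECTION of dig output."""
    answers = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # blank line or next ";;" header ends the answer section
        match = A_RECORD.match(line)
        if match:
            answers.append((match["name"].rstrip("."), match["addr"]))
    return answers


def split_dns_status(dig_text: str, client_is_internal: bool) -> str:
    """Judge an answer from the querying client's point of view.

    An internal client must receive an RFC1918 address; a public answer means
    it will head for the WAN IP, which is the path that needs NAT reflection
    (and, in this thread, landed the user on the firewall GUI and its rebind
    warning). An external client must receive the public address and must
    never see the internal one.
    """
    records = parse_a_records(dig_text)
    if not records:
        return "no-answer"  # the "site can't be reached" case: nothing resolved
    private = [ipaddress.ip_address(addr).is_private for _, addr in records]
    if client_is_internal:
        return "split-dns-ok" if all(private) else "needs-split-dns"
    return "public-ok" if not any(private) else "private-leak"


def unbound_host_override(fqdn: str, internal_ip: str) -> str:
    """unbound 'local-data' line equivalent to a host override in pfSense's
    DNS Resolver (Services > DNS Resolver, Host Overrides section)."""
    ipaddress.ip_address(internal_ip)  # reject malformed addresses early
    return f'local-data: "{fqdn.rstrip(".")}. IN A {internal_ip}"'


if __name__ == "__main__":
    print("internal client, public answer:  ",
          split_dns_status(DIG_OUTPUT_PUBLIC, client_is_internal=True))
    print("internal client, override answer:",
          split_dns_status(DIG_OUTPUT_INTERNAL, client_is_internal=True))
    print("external client, public answer:  ",
          split_dns_status(DIG_OUTPUT_PUBLIC, client_is_internal=False))
    print(unbound_host_override("www.xenetech.com", "192.168.1.10"))
```

    Run against the dig output from a LAN client: a `needs-split-dns` result means the client is still being handed the WAN address and will only reach the server through NAT reflection; `split-dns-ok` means the host override is in effect. The `private-leak` result is the opposite failure, an internal address handed to a public client, which is why the override belongs only on the resolver that the LAN clients use.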



  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    @bmeeks
    I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the NetGate. That is all I changed. This time, using the wizard, I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard, I put our website of xenetech as my Domain. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder.

    Well, if you have brought home the firewall where you had the port forwarding configured that was allowing external access to your web server, then it stands to reason that now that web server will be unreachable from the Internet since pfSense at the office is gone. Or did I misunderstand what you meant by "I brought the NetGate firewall to my house because I got frustrated at work."?

    From your original post I assumed you hosted the web server on your office LAN and had NAT port forwarding rules configured to send HTTP and HTTPS traffic to the internal LAN IP of the web server. Did I misunderstand that?



  • @bmeeks
    Sorry, I forgot to add that I put back in our old SonicWall firewall that still works. It's an older one and is EOL. I wanted to get the new NetGate up and going before we were down due to a hardware failure. This way, if things took longer for me to get the new one set up, then I could still fall back on the SonicWall and not have our company down. Good thing I did.

    I am going to try a full flash drive restore on the NetGate I received from tech support. Maybe this will fully clean the system and restore it truly back to factory specs.



  • @johnpoz
    Please note that I am no longer at the office. I have reinstalled the older working SonicWall while I find out what the issue is.

    Yes, xenetech.com does resolve as you have noted. In my home lab, I have the NetGate set to a factory reset and connected to my internal LAN. I have the WAN side on the NetGate set to DHCP and the LAN set to a standard address of 192.168.100.1. I did not set a domain nor did I set any DNS this time when I did the wizard setup. Before connecting the NetGate to my home LAN, my home laptop could resolve my work's website of www.xenetech.com with no issues. Once I install the NetGate in my home LAN and connect my laptop to the LAN of the NetGate, I can get onto the internet with no issues. I can get to google.com, homedepot.com etc. However, I cannot get to my work's website xenetech.com unless I type in the address of 70.169.64.116.

    This leads me to believe that there is something still set internally wrong in the NetGate that did not get "reset" when I did the restore to factory from the console.


  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    did not get "reset" when I did the restore to factory from the console.

    Makes no sense... if you're saying it resolves.. And you can get to other internet sites.. There would be nothing in a default install of pfsense that would say - nope, going to let you get to IP address 1.2.3.4, but not this site on 4.5.6.7

    And now you're saying you can get there if you put in the IP.. So that points to it NOT resolving..

    In pfsense -- do a DNS lookup in pfsense?

    [screenshot: lookup.png]



  • @johnpoz
    I'll try to make it more clear. I believe the misunderstanding is because some of my messages are from when I was at my office and others are from when I am at home.

    Right now I am at home. I work from home and my normal work "office" is in Baton Rouge about 35 min away. My work is currently running a SonicWall firewall that is at its EOL. I am wanting to replace it with a new NetGate SG-3100.

    I am doing all of my latest testing from home. With the NetGate not connected at home, I can open my browser, Chrome, and I can connect to my work's website with no problem using www.xenetech.com. So it resolves correctly from my home when the NetGate is not connected.

    Now, I connect up my NetGate 3100 at home via a console connection and select to do a factory reset. After some time it resets and is ready to go. I then disconnect my laptop from my home network and connect it to the newly reset SG-3100. I type in 192.168.1.1 and log into the 3100. I proceed with the generic wizard setup. I select DHCP for the WAN and 192.168.100.1 for the LAN. Everything else is just the defaults, no NATs, nothing. I then proceed to connect my home LAN to the WAN of the NetGate and my laptop to the LAN of the NetGate. I open Chrome and I can get to any site I want to except www.xenetech.com.

    Yes, you are correct. This makes no sense. I should be able to get to any site that worked before I connect the NetGate. This is why I'm saying something must not be getting released/reset from my original setup try while I was at my work when I first tried to set this up on site. I went into my work a couple of weeks ago and tried to set this up. There were several places where I believe I mistakenly put in my website address when I should have only put in my domain name. Ever since that first setup try I've had nothing but problems.

    This is why I am going to try a USB flash restore to set the box truly to factory (I hope). Now I may be mistaken and just stupid when it comes to working with the NetGate, but am I wrong in assuming that I should be able to get to xenetech.com from my home when going through the NetGate from a fresh setup with the WAN set to DHCP and LAN set to a basic address? NetGate not installed I can pull up xenetech.com, NetGate installed I cannot.

    I'll let you know what happens after the flash of the firmware.

    Regards,



  • @JLundberg:
    This behavior would indicate to me that perhaps there is a lingering definition somewhere in the DNS Resolver configuration on the SG-3100 that is pointing to the internal web address of your web server. I would expect the factory reset to get rid of that, but perhaps it's not doing so for some reason. Setting the domain name within the SG-3100 (and potentially within the DNS Resolver) like you did may also come into play here.

    Log into the SG-3100 web GUI and then go to DIAGNOSTICS > DNS LOOKUP and then attempt to look up www.xenetech.com. See what the firewall comes back with, if anything. On my personal firewall, that URL resolves to 70.169.64.116.



  • @bmeeks
    The lookup always comes back fine.
    [screenshot: 536c8af3-fb72-4f17-88f8-954e77e0fe3c-image.png]

    Now get this, and this is my mistake for not trying earlier, however, I don't understand it... I tried using Google again right after the lookup and it still did not go to the website. Then I tried Edge; it goes to it correctly. I can pull up my work's website with Edge but not Google when the NetGate is connected. If the NetGate is not connected both work fine.



  • @JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:

    @bmeeks
    The lookup always comes back fine.
    [screenshot: 536c8af3-fb72-4f17-88f8-954e77e0fe3c-image.png]

    Now get this, and this is my mistake for not trying earlier, however, I don't understand it... I tried using Google again right after the lookup and it still did not go to the website. Then I tried Edge; it goes to it correctly. I can pull up my work's website with Edge but not Google when the NetGate is connected. If the NetGate is not connected both work fine.

    That really makes no sense to me. If the pfSense connection works for Edge, it should work with Chrome as the browser since pfSense itself is 100% browser agnostic.

    With pfSense in the loop, you will have double-NAT, but that should not matter to the browser at all. Could you perhaps have been staring at this problem for too long and maybe you are now overlooking something that would otherwise be obvious ???

    At this point you might want to do a packet capture on the WAN and LAN sides of the pfSense box and repeat your tests with Chrome and Edge. Compare the results. Maybe that will uncover the issue.



  • @bmeeks very good answer! Thanks,



  • @bmeeks
    I'll have to look at the packet capture to see what is going on at this point. I set everything up this morning again fresh with just the very basic default settings on the NetGate box, and this is what I have found: no NetGate installed on my home network, I can connect to my site with Chrome and Edge. Put in the NetGate and only Edge will see my site. I tried to do a reinstall from the flash image and it gave me an error about not being able to read the drive. I followed the support link and used the program they suggested to image my flash drive, and it did fine; even its test said it was fine. So I'm now looking for a new flash drive to retry to redo the image.

    I know you guys think I'm missing something simple because what I'm telling you just can't happen... Well, if it can, it will happen to me. I really can't tell you any more than what I have, and I almost went through writing my last couple of messages as I was doing it here at the house. I don't know how much more of a basic setup I can get. I'll shut up :-) once I'm able to get a new image on my box to see if that has anything to do with something residual not being reset.

    But like you said, the browsers are supposed to be 100% agnostic, so something is going on here. If I can do a lookup and it comes back fine, then why shouldn't both browsers act the same?

    Thank you for all your comments. I will do a packet capture and see what's going on. Too weird.

