I'm missing something... trying to log into company web internally opens up firewall
-
I'm sorry for this stupid question but I'm doing a new install for my company using an SG-3100. I have it set up basic with several NAT rules for the company website and several other things. I can log onto our website externally with no problem but when I try to do it internally I have problems. First I got the Potential DNS Rebind Attack Detected message. I turned off that message and I see what it's doing... It tries to log into the firewall instead of our website. Why? How do I turn this off?
-
https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html
-Rico
-
Thanks for reply. I did as suggested and it no longer tries to open the GUI but it also does not log into the local website. I can still reach the website from an outside source but not internally.
-
It's acting like it can't resolve the DNS If I manually type in the public IP or the internal IP I can get to the website. I have my DNS setup from my ISP and also set to our local DNS Server. I'm not sure what pfsense setting is blocking this.
-
I can get to other services on our website like our unlock for our software (unlock.xenetech.com) but when trying to go to the main site of xenetech.com it says site can't be reached. However, I can get to it remotely or by typing in the address.
Does anyone have an idea of why my main site address won't resolve?
Please
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
I can get to other services on our website like our unlock for our software (unlock.xenetech.com) but when trying to go to the main site of xenetech.com it says site can't be reached. However, I can get to it remotely or by typing in the address.
Does anyone have an idea of why my main site address won't resolve?
Please
When you want to access internal resources from other internal resources, you use internal addresses for that. Here's what I mean.
You have a public IP, but I'm betting perhaps your public IP is behind NAT. So you have port forwards configured into the NAT to send web requests on say ports 80 and 443 to an internal host with probably some kind of RFC1918 address.
In order to access that internal web host from other internal networks, you don't want your internal clients using your public IP address. That would require you implementing several cumbersome workarounds with NAT reflection in the firewall. You don't want to go there.
Instead, do this. In your DNS server (hopefully you either have an internal dedicated DNS host or else you are using the DNS Resolver [unbound] in pfSense to handle DNS for your internal LAN hosts) create a host record for your company's web site and use the internal IP of the web server. That way, when an internal host tries to find say "www.mycompany.com", the DNS server will send it the internal network IP of the web server (maybe 192.168.1.10 as an example) instead of the public IP of the web server. This kind of setup is really easy to implement if you have an external DNS record hosted with an external provider. That external record will be accessed by all the folks on the Internet, but your internal LAN clients will use the local DNS record for your web site instead of the external record.
-
bmeeks,
I already have a DNS record on our DNS server for xenetech.com. I'm replacing an older SonicWall firewall and with it connected everything works correctly. I don't have a specific DNS. Could pfsense be blocking my DNS server somehow?
-
Everything is in the link already provided:
https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html
You either need Split DNS or NAT reflection.
The SonicWall probably reflected NAT by default.
pfSense does not because it's pretty much nonsense and it's generally much better to use split DNS instead and not bounce local traffic through the firewall.
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
bmeeks,
I already have a DNS record on our DNS server for xenetech.com. I'm replacing an older SonicWall firewall and with it connected everything works correctly. I don't have a specific DNS. Could pfsense be blocking my DNS server somehow?
Follow "Method 2 - Split DNS" in the link reposted by @Derelict. That's the method I was describing in my original post. That will solve your problem in the best manner. Split DNS is the best way to work this. You can use NAT reflection if you absolutely insist, but it's really not ideal - and as @Derelict pointed out is sort of pointless.
You should point your internal LAN clients to pfSense for their DNS anyway. So the public clients on the Internet will still use your external DNS server and the xenetech.com record you have there when looking up the server's IP. But your internal LAN clients would ask pfSense for DNS information (and not your external DNS) and that DNS will have a record for xenetech.com that points directly to the local IP address of the web server and not your public WAN IP.
Do some quick Google research on "Split DNS" to get a foundation in what we are talking about if the method and technique is new to you. It really is the proper method for doing these kinds of things with hosts which are available publicly and also need to be accessed by internal LAN hosts.
-
OK I will try again. Sorry to bother you guys but do appreciate the help.
Something to chew on...
I brought the Netgate firewall to my house because I got frustrated at work. So I cleared the static DHCP so I could just plug it into my network at the house, and I got onto the internet, Google etc. So before I did a factory reset I thought I would do a traceroute to www.xenetech.com; it timed out. Did it to Google and it worked. Went to another computer in the house not connected to the Netgate and typed in xenetech.com and found it fine. I find it interesting that I'm not even on the same network as my webserver that is at work and when I try to go through pfSense to xenetech.com it's blocked.
I must have something set wrong somewhere but I will follow method #2 when I get to the office.
Let me know what you think.
Thanks again for your help.
-
Oh, forgot to add that I also tried the network address and it still timed out.
I'm currently doing a factory reset.
-
What does xenetech.com resolve to? If you are doing split DNS it should resolve to your RFC1918 address, not the public WAN IP.
Where are your clients pointing to for DNS? For split DNS to work, the clients need to point to pfSense for DNS, and pfSense has to have a host override set up for the FQDN you're trying to access.
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
Oh, forgot to add that I also tried the network address and it still timed out.
I'm currently doing a factory reset.
You will not be able to properly set up and configure split DNS at your house. Your home LAN is not the same as your work network. For one thing, your company's internal web server and its IP address will not be present in your home network. And if you change the configuration and get things working in your home network, I can pretty much guarantee you that it will not work when you take the firewall back to your office and plug it in. The network addresses will be different again. You will have to perform the configuration at the office while the firewall is connected to the company network.
No offense meant with this question, but what is your experience level with firewall administration and network design/support? It seems maybe some of this is new territory for you.
-
No offense taken at all. As you can tell I'm not an expert. I was forced to wear this "hat" many years ago and I have many "hats". I've been self-taught, mostly out of necessity. I've been with the company for 33 years and we have downsized many times. My primary function is machine and software design.
Now back to your remarks. I completely agree that it will not work correctly trying to set it up at home and then take it to the office. The reason I make my comment was to point out that I didn’t have any Split DNS or NAT reflection set when I was at the office this morning so I figured it would see Xenetech.com from the house since I’m not on my work network. I was wrong.
Now, I'm trying to wrap my head around pfSense and how it functions. I've read that fresh out of the box (or factory reset in my case) if the only thing I set is DHCP then it would function just like a router. I have read this in multiple locations and have seen it in many videos. If this is the case then why can't I see www.xenetech.com? It has to be a DNS setting or something internal that is not getting reset with the factory reset. If I do a DNS lookup it shows the correct address. If I take the Netgate out of my network I can get to it fine. I don't understand this. Before I can even try and do Split DNS or NAT reflection back at the office I have to figure this out.
It's almost like my original settings that may have been wrong the very first time (maybe when I set www.xenetech.com as my domain in General) are stuck. I can get to any other site but that one.
I already know that Reset to factory defaults doesn’t do everything because it still keeps option 15 “Restore recent configurations” on the drive. Maybe it’s keeping something else.
Sorry this is long.
Regards
-
So after the "reset to factory defaults", describe once more exactly how you are putting the Netgate device into your home network. Are you removing your current router/firewall and inserting pfSense into its place (as in swapping all the cables), or are you simply connecting the Netgate appliance into the LAN side of your existing home network?
In one of your posts above it seemed that you were just sticking the Netgate appliance onto your LAN as another LAN device. When you do that, the IP addressing will likely all have to be changed in the Netgate device. Definitely on the WAN and possibly LAN as well if that network overlaps your existing home LAN.
-
@bmeeks
I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the Netgate. That is all I changed. This time using the wizard I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard, I put our website of xenetech as my Domain. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder.
-
Does your website resolve?
Can never get there if it doesn't resolve.. If this is hosted behind pfSense at your office then you would have had to set up port forwarding..
If you can get to other sites, then I would assume your office site is not set up correctly to allow public access to this webserver behind pfSense at your office.. So no, you wouldn't be able to get to it anywhere..
Is this your site? http://www.xenetech.com/
I can get there. It resolves to

C:\>dig www.xenetech.com

; <<>> DiG 9.16.4 <<>> www.xenetech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54935
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xenetech.com. IN A

;; ANSWER SECTION:
www.xenetech.com. 7155 IN A 70.169.64.116

;; Query time: 5 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Sun Jun 28 21:02:15 Central Daylight Time 2020
;; MSG SIZE rcvd: 61
Is that hosted from your office, with your pfSense at the office having that 70.169.64.116 on its WAN?
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
@bmeeks
I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the Netgate. That is all I changed. This time using the wizard I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard, I put our website of xenetech as my Domain. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder.
Well, if you have brought home the firewall where you had the port forwarding configured that was allowing external access to your web server, then it stands to reason that now that web server will be unreachable from the Internet since pfSense at the office is gone. Or did I misunderstand what you meant by "I brought the NetGate firewall to my house because I got frustrated at work."?
From your original post I assumed you hosted the web server on your office LAN and had NAT port forwarding rules configured to send HTTP and HTTPS traffic to the internal LAN IP of the web server. Did I misunderstand that?
-
@bmeeks
Sorry, I forgot to add that I put back in our old SonicWall firewall that still works. It's an older one and is EOL. I wanted to get the new Netgate up and going before we were down due to a hardware failure. This way, if things took longer for me to get the new one set up, then I could still fall back on the SonicWall and not have our company down. Good thing I did.
I am going to try a full flash drive restore on the Netgate I received from tech support. Maybe this will fully clean the system and restore it truly back to factory specs.
-
@johnpoz
Please note that I am no longer at the office. I have reinstalled the older working SonicWall while I find out what the issue is.
Yes, xenetech.com does resolve as you have noted. In my home lab, I have the Netgate set to a factory reset and connected to my internal LAN. I have the WAN side on the Netgate set to DHCP and the LAN set to a standard address of 192.168.100.1. I did not set a domain nor did I set any DNS this time when I did the wizard setup. Before connecting the Netgate to my home LAN, my home laptop could resolve my work's website of www.xenetech.com with no issues. Once I install the Netgate on my home LAN and connect my laptop to the LAN of the Netgate, I can get onto the internet with no issues. I can get to google.com, homedepot.com etc. However, I cannot get to my work's website xenetech.com unless I type in the address of 70.169.64.116.
This leads me to believe that there is something still set internally wrong in the Netgate that did not get "reset" when I did the restore to factory from the console.