what do i need to setup to direct different domain names to IPs on my network
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
do you know if pfsense will ever have that option...
As mentioned above, you have that option if you install the HAProxy package. HAProxy is able to handle HTTP(S) requests and parse the Host headers to pass them on to different internal webservers.
Without that, pfSense operates on layer 3, so you can only redirect IP addresses and ports.

Since you use a dynamic DNS service, I assume you have only one public IP. With layer 3 capabilities only, you can direct one IP/port combination to only one server.
So if you run a webserver inside your network and forward ports 80 and 443 from your public IP to it, there is no possibility to access an additional internal webserver on these ports from outside.
That's why, without a reverse proxy, you have to use an additional port like 3000 for accessing Rocketchat.
-
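Added illustration, not from this thread and not the file the pfSense HAProxy package generates: a hand-written haproxy.cfg showing the Host-header routing described above, using the addresses from the thread (192.168.0.30 for the IIS sites, 192.168.0.3:3000 for Rocketchat). The hostnames chat.example.com, www.test1.com and www.test2.com are assumed placeholders; the pfSense package builds an equivalent config from its Frontend/Backend GUI pages.

```haproxy
# Added example config (not the pfSense package's generated file).
# HAProxy binds port 80 on pfSense itself, so no port forward for 80 may
# exist, and a WAN firewall rule must allow TCP/80 to "WAN address".
global
    log /dev/log local0

defaults
    mode http                 # layer 7: HAProxy reads the HTTP Host header
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Match on the Host header the browser sends (case-insensitive).
    acl host_sites req.hdr(host) -i www.example.com www.test1.com www.test2.com
    acl host_chat  req.hdr(host) -i chat.example.com   # assumed hostname
    use_backend iis_sites  if host_sites
    use_backend rocketchat if host_chat
    # Anything else lands in a backend with no usable server, which is
    # exactly what produces "503 Service Unavailable / No server is
    # available to handle this request". The same 503 appears when a
    # real backend's health check fails (server down or port blocked).
    default_backend no_match

backend iis_sites
    # IIS picks the site from the Host header, which is forwarded unchanged.
    server iis 192.168.0.30:80 check

backend rocketchat
    # Rocketchat on Unraid listens on 3000; the browser never sees that port.
    server unraid 192.168.0.3:3000 check

backend no_match
    # Intentionally has no servers: unknown hostnames get a 503, not a site.
```

Health-check failures show up in HAProxy's log as the backend going DOWN, which separates a proxy configuration problem from a blocked or unreachable backend.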
@viragomann So I set up HAProxy following
https://blog.devita.co/pfsense-to-proxy-traffic-for-websites-using-pfsense/#step2configurehaproxy
that article, but I'm not able to get it to work. I set it up to also point to my webserver on my network,
so it would be 192.168.0.30 port 80, and it can't resolve www.example.com as the web address. I can ping www.example.com and it pings the pfSense router, but it's not forwarding my requests. I deleted the port forwards for 3000 and 80 to the specific IP addresses, but something is blocking requests, I guess.
I tried checking the firewall logs but it doesn't even show port 80 or 3000 being asked for or checked, etc.
I just didn't do the certificates, as I'm not using SSL. Is there a better step by step, and possibly why my port forwarding has stopped forwarding, it seems?
-
Not sure if it helps,
but my Unraid with Rocketchat is behind my VPN, not sure if that matters: 192.168.0.3:3000
My webserver is set outside of my VPN on my WAN connection, 192.168.0.30, and hosts 5 different website domain names, www.test1.com, www.test2.com etc. as examples. I can't access any of the 5 websites. Traffic seems to be blocked, but internal access and internet seem to be working, so I'm sure I got something misconfigured, but I'm not sure where to look.
-
@comet424
Configuring HAProxy is a bit more complicated than a simple port forwarding. With the few infos you give it's not possible to say if you did it right.

Apart from the proxy settings, you have to consider that HAProxy is a webserver and a client. So if you are running it, the proxy has to receive requests from outside, send requests to the backend webservers, receive responses from them and send responses to the client.
This can only work if you remove the port forwardings to the webservers and allow access to the pfSense itself on port 80 (+443 for HTTPS).

@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
but my unraid with the rocketchat is behind my VPN not sure if that matters 192.168.0.3:3000
my webserver is set outside of my VPN on my WAN connection

What do you mean with "outside VPN" and "behind VPN"?
All internal servers may be behind pfSense. If you run VPN on it, they are behind VPN.
-
@viragomann OK, sorry, my dyslexia. It sounds good in my head but I don't explain it right at times for others to understand.
1. I mean with HAProxy disabled or uninstalled, port forwarding seems to be broken anyway. It's not forwarding ports it used to. Port forward port 80 went to my Windows VM that handled 5 different websites, but it no longer is working. Last time I checked was 2-3 months ago, so it worked then, so I'm not sure what I did in the meantime or misconfigured. Port forwarding will not work. I only realized there was a problem when I can do 192.168.0.3:3000 but can't do <ip address>:3000, it won't go through, and I followed the instructions in that link, so I don't have a better step by step.
2. What I mean is IP addresses 192.168.0.1 to 29 and 192.168.0.50 to 255 fall behind NordVPN (behind VPN). IP addresses 192.168.0.30 to 49 fall behind the WAN connection, aka outside of the VPN (not behind the VPN).
I also tried using my cell phone, no WiFi, using my cell tower internet, and it couldn't access it.
I also tried disabling HAProxy, left my port forwarding (NAT/rules) set up, and I looked at my forwarded WAN rules when I tried to access my websites normally like I had, and I get maybe 80 bytes after trying multiple times, but System Logs show nothing being accessed on port 80.
So I think somewhere in my setup I must have misconfigured something that has disabled the port forwarding and/or HAProxy. Not sure where I even look. Everything works on my network, it just seems port forwarding and the HAProxy ports etc. are blocked, and I'm sure it's probably a wrong check box checked.
I'm just hoping I don't need to do a reset and start over lol.
Would you happen to know if there is a way to see if pfSense finds any conflicts, or tests like a self diagnostic? Like Unraid has an option to find common fixes, it finds common mistakes you may have done by accident. Does pfSense have something like that? Also, like in Unraid, you can send a diagnostic file and others can look and see where you went wrong. If I send the pfSense config file, can you see what I have set wrong?
Sorry if I made my explanation worse, it sounds OK in my head.
-
@comet424
Are you able to access your webservers from within your LAN?
If so, by the internal IP or by the hostname? If hostname, do you have split DNS (DNS overrides) or do you use NAT reflection?

At first you have to get access to your servers to work from internal, then you can go about port forwarding or proxying.
The same applies to Rocketchat.
You say you have it on 192.168.0.3:3000. That's the Unraid IP as you mentioned. So do you have a port forwarding set up on Unraid?

The VPN routing you mentioned only affects outbound traffic from the appropriate IPs.
It's not a good idea to post your config file on a public forum. It includes secrets. You may post screenshots of your settings pages and cutouts of your log files (/var/log/). Public IPs should be hidden.
On pfSense we use Packet Capture from the Diagnostics menu to investigate the traffic flow.
-
@viragomann
I'll have to get back to you on all those, some kind of confuse me. I'm a visual learner, not as much a reader. But to try to answer your questions about my things:
The websites: I have never been able to access all of them from the localhost, it always picked the first one.
So my webserver is 192.168.0.30.
Now it runs Windows Server running IIS and I have
www.test.com
www.test2.com
www.test3.com
as examples.
So in the past I was able to port forward my 80 to 192.168.0.30 and then Windows determined which website it works.
If I do 192.168.0.30 on my local network, she will pick the first website running, so that works.
If I try <wan ip address>:80 it doesn't connect.
It used to work in the past, but when I altered something I never thought of checking my webservers if still working. So that's why maybe I checked off a box I shouldn't have, reason why the port forwarding or HAProxy isn't working, probably when I set up the VPN, I'm not totally sure. With 192.168.0.3:3000, yes, it works on the internal network, goes right to the page, but doing <Wan ipaddress>:3000 doesn't work, even through cell on a cell internet, not the WiFi.
Ah OK, so pfSense doesn't offer, like Unraid, anonymous diagnostic logs where it hides all the important data but exports data so other users can help you fix it, but doesn't show any passwords etc.
So I'll have to learn that packet capture, etc. I don't use pfSense every day. I use it because it had features I needed that my Asus router didn't have, so pfSense did what I needed. So I'm not smart at it; I set it up and forget it, not one that accesses it every day like all these professionals do that like this program. But sometimes it's over my head at times, at least with a learning disability and certain words I don't understand, but then again I'm not working with this every day.
But enough of my issues you don't wanna hear.
What screenshots do you need to see that could be causing the port forwarding issues or the HAProxy issue? I googled and it linked me to
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging.
I tried checking each one, but some didn't apply, and I think I checked them all, and that didn't apply to fix my issues.
But ya, if you can tell me what screenshots you specifically need to see my mistakes, so I can get things up and running again.
And I appreciate you taking the time in helping me. I'm very appreciative.
-
@viragomann So I've been fiddling, no luck. What screenshots would you need?
Also I noticed I get an error if I type my www.example.com.
I get error
503 Service Unavailable
No server is available to handle this request.

But if I type 192.168.0.30 (webserver) it works just fine, picks off the first website in the list of 5. So is pfSense blocking it? I tried to google it but I'm not finding what I need, and still haven't gotten www.example.com:3000 or HAProxy to work yet. Something is blocking it in here.
-
@viragomann So here are some screenshots of my rules and NAT.
What other settings would you need to see to see what's wrong?
Entered port 80 and clicked Start,
tried going to my one website, and just got page can't be found really. I stopped the capture
to view but it shows up blank.
-
Still not clear what you're trying to implement now, port forwarding or HAProxy? Please declare at first.
There is no way to help if I don't know what you're trying to achieve.
If you can go with accessing Rocketchat on port 3000 I'd do port forwarding, since it is easier to realize.

Also give some details about your network.
The LAN is 192.168.0.0/24?
-
Both...
Sorry, explaining wrong. I gave up on HAProxy because I said port forwarding no longer works and asked what's set up wrong,
because I mentioned my VPN, outside of the VPN; I mentioned my webservers no longer work; I mentioned trying to use HAProxy I get a 503 error.
But I'll try again.

1st, I wanted port 3000 to work, but like I mentioned port forwarding is broken. I sent you the link of the like 13 steps to follow to fix port forwarding. None helped and most didn't apply to me. So the reason you said you need settings, the reason I sent the photos of my rules and NATs, is to see where it's set wrong.
2nd, port forwarding is broken for port 80, it's like being blocked or so.
3rd, that Packet Capture doesn't work, it shows up blank.
4th,
my network I mentioned above, but it is:
192.168.0.1-30 (VPN)
192.168.0.31-49 (WAN)
192.168.0.50-255 (VPN)
192.168.10.x (Camera network) (not set up yet)
192.168.20.x (Guest Network) (not set up yet)

But overall, like I mentioned, from trying to get Rocketchat to work, port forwarding no longer works for Windows Server for port 80, and I'm trying to get port 80 to forward to 192.168.0.30.
I don't know what is blocking it.

I have also changed in DHCP server,
so 192.168.0.30 no longer uses the DNS servers of my VPN but just 192.168.0.1 for my webserver.
I removed the DHCP of everyone from my VPN servers to 192.168.0.3.

But ya, I'm trying to get the 5 webservers and Rocketchat to work, and like I mentioned I only found out webservers are not port forwarded because I couldn't get Rocketchat to port forward, as you see in the screenshots.
Port forward 80 goes to 192.168.0.30, and on the same screenshot you see I have it set up that port forward 3000 goes to 191.168.0.3. And neither is working. Port forwarding is broken and I've been googling the past week trying to watch videos etc. What is checked off/on that broke port forwarding, or is it because I have a VPN?

So I just don't know where to look anymore. I keep trying a setting to see if it works or not.
Rocketchat works on the local network, not WAN.
Webserver works on the local network, not WAN.

I mentioned I followed
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging
and these did not help me, reason I said I must have something configured wrong that is conflicting and broke port forwarding.
I'm gonna try later today a fresh clean install of pfSense, set up the port forwards 80 and 3000, and use the fresh install to see if it works, as I no longer know where to look, so I'm hoping that will fix things.
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
Both...
You cannot do both.
If you want to run HAProxy, you have to disable the port forwarding and set or edit your WAN rules to allow the access.

@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
i mentioned trying to use the HAProxy i get 503 error..
No. You mentioned the error, but not that it happened with haproxy.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
I send you link of the like 13 steps to follow to fix Port Forwarding..
?
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
2nd.. Port Forwarding is broken for Port 80 its like being blocked or so
So you may troubleshoot it or not?
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
3rd That Packet Capture doesn work shows up blank
Without info about the interface the capture was taken on, that statement is useless.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
but ya i trying to get the 5 webservers and Rocket chat to work and like i mentioned i only found out Webservers are not port forwarded because i couldnt get Rocket Chat to Port Forward.. as you see in the screen shots
Your screenshots don't show any port forwarding.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
Port Forward 80 goes to 192.168.0.30 and on the Same screen shot you see i have it setup Port Forward 3000 goes to 191.168.0.3.
These are firewall rules!
Port forwarding is done in Firewall > NAT > Port Forward.
-
1. Some reason the forum lost the picture. Port forward was uploaded with outbound NAT, but I'll add it to the end.
2. When I said both, I was stating I try to get both to work. I don't need to run both at the same time, but HAProxy is non-functional, port forward is non-functional, is what I meant. I need the port forwarding of port 80 up and running; my websites have been down apparently for months.
3. The 503 error, I figured you knew was from HAProxy, as that error doesn't show up if you don't have HAProxy set up. Figured you probably already knew it, as I'm trying to try all settings, turning things on and off.
4. You did the "?" for the 13 steps I said I did and I sent you the link, but it's 15 steps. Here it is again:
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html#:~:text=If%20problems%20are%20encountered%20while,%C2%AE%20software%2C%20try%20the%20following.&text=Always%20test%20port%20forwards%20from,NAT%20entry%20and%20enable%20logging
5. Yes, I've been trying to troubleshoot port 80 for a week since your last reply, still no luck. From a cell or remote computer it cannot forward port 80 for my webserver. Internal IP still works, external doesn't. I was able to get traffic to finally show up on the WAN firewall rule, not sure what fix got it to do it, but it still can't process the website. I did get Rocketchat to work 20 min ago, kinda, outside of the network. It finally showed up saying Rocketchat, but Firefox keeps saying "gah tab crashed", so I'm not sure if it's truly working or not.
6. Packet Capture: not sure what you mean by the info to the interface. Default is WAN; I entered the IP and port but the START and STOP didn't record anything.
Here is the screenshot of Packet Capture and the NAT forwarding that was uploaded the other day.
Sorry if I'm a lousy explainer. It sounds all clear when I write it.
-
Ok, so let's go with port forwarding.
And try to troubleshoot one by one.
For your webserver you have a mistake in the port forwarding rule. The destination has to be WAN address.

You say you are able to access the webserver from the internal network by simply entering 192.168.0.30 in a web browser. Does it also work from another subnet?
If so, try to access it from the internet by entering your WAN address into the browser.
If that doesn't work, take a packet capture on WAN and only filter for port 80. In the screenshot you have filtered for the internal IP, so it's normal that you don't see any packets.
-
Ah OK. So change the LAN address to WAN address? How come? I thought I needed to port forward to the LAN address of 192.168.0.30. It used to be WAN originally, but since I've been trying to troubleshoot and figure out where things went wrong...
I have not tried another subnet, only because the guest network and cameras are set up for the future when I get guests and cameras.
But I have a dedicated OpenVPN connection to my sister's house. Her IP is 192.168.1.x, I set it up.
If I type 192.168.0.30 (webserver) in Firefox on that network, I get a 404 error. Doing 192.168.0.3:3000 gets me the Rocketchat website on my network.

If I try accessing my webserver address from my local network (192.168.0.x), so www.example.com, I get this error:
"Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname." It keeps loading up pfSense, it doesn't want to go to the webserver.

So hope that helps so far in finding my mistakes.
If I do www.example.com on my 192.168.1.x Firefox I seem to get the website to work, but not by IP address. I also decided to reinstall a new VM of Windows and post my websites on there, so I only have 1 website out of my 5 set up, just to test if maybe it was my VM that failed, as I don't know why things went wrong. Plus you never know, right, it's Windows, it always needs updating lol.
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
if i type in a FireFox on that network and type 192.168.0.30 websserver .. i get a 404 error.. doing 192.168.0.3:3000 gets me the rocketchat website on my network
So you know, both servers are responding to access from outside your LAN.
If you want to access your websites by their hostnames from within your network you should either
- set up DNS overrides or
- configure DNS reflection
DNS override is the more reliable solution. Assuming pfSense provides DNS in your network and you run DNS Resolver, go to the Resolver settings and add the needed overrides there.
-
I guess I have pfSense doing DNS?
I set, like, the webserver to use 192.168.0.1 as the DNS.
I set WAN's DNS to either 192.168.0.1 or 1.1.1.1 and 1.0.0.1. Apparently they advertise in videos etc. to change your DNS to 1.1.1.1, it's faster.
And on my DHCP behind my NordVPN I set the DNS to the 2 servers they offer, but then I changed it to 192.168.0.1, as the 2 DNS servers I also have in the General Setup. So which setups should I keep? Could any of that be conflicting? As I never really checked everything after each change I did. And does the DNS override / DNS reflection cause the behind-VPN to leak? As I plan to add cameras on my network and be behind the VPN and don't want the cameras to leak out, that could be caught by hackers.

I'll take a look at it this afternoon and try the override or the DNS reflection.
Oh, and yes, I run DNS Resolver in my network, but my outgoing network connections are my VPN. If I add it to WAN then it leaks my DNS, so no longer secure, under the dnsleaktest and ipleak. In the overrides do you know what I need to add? I'm not at home to check it right now.
And thank you for the help so far, I appreciate it, as I've been banging my head why nothing is working right. It must have been when I had to re-add my VPN, as websites and port forward worked when I didn't have a VPN set up.
Oh, and does it matter I have 2 VPNs? 1 is for the network, a subscription, and the other is OpenVPN I have connected from my house to my sister's house to connect her pfSense with my pfSense, a constant connection. Would any of that conflict too?
-
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
on my DHCP behind my NordVPN i set the DNS to the 2 servers they offer but then i changed it to 192.168.0.1 as the 2 dns servers i also have in the General Setup.. so which setups should i keep ... could any of that be conflicting.
No, the DNS client tries the first in the list; if that one doesn't respond it tries the next and so on.
So if 1.1.1.1 is the first entry, another one is only requested if this fails.

@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
and does the DNS override dns reflection cause the behind VPN to leak.
No.
DNS leak means that DNS requests are sent out to the WAN gateway while other traffic is directed over a VPN.
That can be prohibited by setting the Resolver to use the VPN connection for requests, as you did already.

DNS override means that pfSense resolves the overridden hostnames itself. Requests for these hostnames are never sent out.
@comet424 said in what do i need to setup to direct different domain names to IPs on my network:
oh and does it matter i have 2 vpns .. 1 is for the network a subscription and the other is openvpn i have connected from my house to my sisters house to connect her pfsense with my pfsense... constant connecton would any of that conflict too
No. I guess your sister doesn't use your DNS server.
-
I didn't really get to test it yet as my sister's internet went down,
but I did set up Host Override and did www.example.com 192.168.0.30@80
and the same for the @3000.
My question is how come the port forward doesn't normally work like it used to, but I need to add this? Is it because I have a VPN set up and not just the basic WAN?

2. So if 1.1.1.1 is in my first entry, what I meant is what should the network properly be configured for? Should the proper way be 1.1.1.1 or should it be using 192.168.0.1 as the DNS? The only reason I left the 192.168.0.1 is I've seen how Cloudflare and Linus Tech Tips said switch to 1.1.1.1, you will find your internet speeds up better, as my internet is only 5 Mbps download / 500k upload, so I tried to maximize it completely.
So I have a mix of 192.168.0.1, blank, 1.1.1.1, and 103. as I was experimenting, but never knew which one to keep, and wasn't sure if anything leaks, as I had to figure that one out, I was having leaking issues.

2nd, the resolver: can you explain it better for me, the dumb guy? When you say "that it can be prohibited by setting the resolver to use VPN connection", like I know from NordVPN you need to select Outgoing Network as the VPN ones, and when I played with adding WAN in the past to try to get my websites to work, as I wanted the WAN connection to handle it like it did before I set up a VPN, that's when I found it was leaking DNS.
So does the Host Override mean that when Outgoing Network is set to your VPN, the host override handles domain names to go over the WAN connection to the designated IP on the network, like its own secret passcode backdoor? Sorry if I confused things up, it sounds OK in my head. I mean, like, override means that it allows access when the Outgoing Network is set to VPN and not WAN.
Ya, my sister's DNS is her own, 192.168.1.x. I only have an OpenVPN connection between her and me, and we use the same VPN subscription, and I do the remote maintenance as she lives 2.5 hours away from me, so I keep it open to fix etc.
Thank you for the help so far, and I'll see if the host override will work once her internet is back, as she's been experiencing issues.