Netcat fail accessing domain.ltd in LAN

Frogg

Hi,

I am trying to make some commands works like openssl, netcat, and some others due to some tools requirement.
But when i try thoose command i get a timeout.

I feel like PFSense is cutting the connexion (no answer => timeout) for security reason because External IP domain doesn't match internal domain (in my configuration the same IP as multiples domains)

When i try the command from PFsense i can have an extra message:

DNS fwd/rev mismatch: domain.ltd != domain1.ltd

Network configuration

In LAN
When i try the following command it works from "Any client"

nc -v 192.168.1.4 443
Connection to 192.168.1.4 443 port [tcp/https] succeeded!

When i try the following commands it fails from "Any client"

nc -v externalIP 443
nc: connect to externalIP port 443 (tcp) failed: Connection timed out

nc -v domain1.ltd 443
nc: connect to externalIP port 443 (tcp) failed: Connection timed out

Pinging domain1.ltd is working from "Any client"

External network

When i try the following command it works

nc -v domain1.ltd 443
Connection to domain1.ltd 443 port [tcp/https] succeeded!

nc -v domain1.ltd 80
Connection to domain1.ltd 80 port [tcp/http] succeeded!

PFSense Configuration

NAT Reflexion is on : Use system default

If you have any idea on what i am doing wrong it would really help me.

Thanks.

PS:
I had a topic opened there : https://forum.netgate.com/topic/156667/port-443-timeout-using-netcat-but-is-working-in-browser
but i made a condensate of all informations here

stephenw10

It looks like it was mostly covered in the other thread but:

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

Steve

Frogg

thanks for the link !

It seems to work now (at least for netcat), i ll make some more test

PS: I confirm all my current needs are working !

stephenw10

Yeah with Pure NAT mode and auto-outbound NAT you avoid asymmetry. It should work.

Split DNS is generally considered better but if that's working for you...

Steve

johnpoz

I went over that in the other thread - asked you multiple times your specific configuration, if you were using pure or not, etc.

But still I don't see the point of this - there is almost never a reason to hit the wan IP to just be reflected back in, when your on the lan.. Just setup your host override to resolve domain.tld to your local IP for your tools.

You never did answer in that other thread, it sounds like you were trying to run both dnsmasq (forwarder) and unbound (resolver) at the same time, etc.

Glad you seem to have gotten it sorted.

Frogg

@johnpoz I am sorry i was busy thoose last days.
Thanks a lot for your help too !

The use of this :

• multiple domains with Apache for 1 ip
• zabbix checks

johnpoz

Yeah you could run hundreds of domains via HAproxy for external access. Just setup host overrides for all your domains.. Which removes the nonsense of reflection.

Zabbix checks - still use internal dns, and would resolve whatever fqdn you want to use to the actual local IP. Nat reflection does not validate that the source is actually working from the outside, etc.

Frogg

@johnpoz I didnt tried HAproxy, i tried Squid proxy but it wasn't able to do it (from official site).

With this config i can control easily the ssl certificats and auto renew (certbot)

I may be able to do the same using "more elegant ways" but i am running out of time for the subject sorry.

But it is interesting to see that other ways exist.

I ll may give a try on HA proxy next time

And again, i really apreciated the help i found on this forum

johnpoz

Yeah HAproxy would be the way to do it, and you can do ssl offloading so all the certs are managed in HAproxy, and sure use acme to do the certs, etc.