Netgate Discussion Forum

Netcat fail accessing domain.ltd in LAN

    Frogg, Sep 22, 2020, 5:58 PM (last edited 5:59 PM)

    Hi,

    I am trying to make some commands work, like openssl, netcat, and some others, due to some tools' requirements.
    But when I try those commands I get a timeout.

    I feel like pfSense is cutting the connection (no answer => timeout) for security reasons because the external IP domain doesn't match the internal domain (in my configuration the same IP has multiple domains).

    When I try the command from pfSense I get an extra message:

    DNS fwd/rev mismatch: domain.ltd != domain1.ltd
    

    Network configuration

    Untitled Diagram (1).png

    In LAN
    When I try the following command it works from "Any client":

    nc -v 192.168.1.4 443
    Connection to 192.168.1.4 443 port [tcp/https] succeeded!
    

    When I try the following commands they fail from "Any client":

    nc -v externalIP 443
    nc: connect to externalIP port 443 (tcp) failed: Connection timed out
    
    nc -v domain1.ltd 443
    nc: connect to externalIP port 443 (tcp) failed: Connection timed out
    

    Pinging domain1.ltd is working from "Any client"

    External network

    When I try the following commands they work:

    nc -v domain1.ltd 443
    Connection to domain1.ltd 443 port [tcp/https] succeeded!
    
    nc -v domain1.ltd 80
    Connection to domain1.ltd 80 port [tcp/http] succeeded!
    

    pfSense Configuration
    Opera Instantané_2020-09-22_192438_forum.netgate.com.png

    Opera Instantané_2020-09-22_192635_pfsense.excelliance.net.png

    Opera Instantané_2020-09-22_195143_pfsense.excelliance.net.png

    NAT Reflection is on: Use system default

    If you have any idea on what I am doing wrong it would really help me.

    Thanks.

    PS:
    I had a topic open there: https://forum.netgate.com/topic/156667/port-443-timeout-using-netcat-but-is-working-in-browser
    but I made a condensed version of all the information here.

      stephenw10 Netgate Administrator, Sep 22, 2020, 7:30 PM

      It looks like it was mostly covered in the other thread but:

      https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

      Steve

        Frogg, Sep 22, 2020, 7:59 PM (last edited 8:06 PM)

        Thanks for the link!

        Opera Instantané_2020-09-22_215718_pfsense.excelliance.net.png

        It seems to work now (at least for netcat), I'll make some more tests.

        PS: I confirm all my current needs are working !

          stephenw10 Netgate Administrator, Sep 22, 2020, 8:07 PM

          Yeah with Pure NAT mode and auto-outbound NAT you avoid asymmetry. It should work.

          Split DNS is generally considered better but if that's working for you... 😉

          Steve

            johnpoz LAYER 8 Global Moderator, Sep 22, 2020, 8:07 PM

            I went over that in the other thread - asked you multiple times your specific configuration, if you were using pure or not, etc.

            But still I don't see the point of this - there is almost never a reason to hit the WAN IP just to be reflected back in, when you're on the LAN.. Just set up your host override to resolve domain.tld to your local IP for your tools.

            You never did answer in that other thread, it sounds like you were trying to run both dnsmasq (forwarder) and unbound (resolver) at the same time, etc.

            Glad you seem to have gotten it sorted.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Frogg @johnpoz, Sep 22, 2020, 8:08 PM (last edited 8:11 PM)

              @johnpoz I am sorry, I was busy those last days.
              Thanks a lot for your help too !

              The use of this:

              • multiple domains with Apache for 1 IP
              • Zabbix checks

                johnpoz LAYER 8 Global Moderator, Sep 22, 2020, 8:11 PM

                Yeah you could run hundreds of domains via HAproxy for external access. Just set up host overrides for all your domains.. Which removes the nonsense of reflection.

                Zabbix checks - still use internal DNS, and would resolve whatever FQDN you want to use to the actual local IP. NAT reflection does not validate that the source is actually working from the outside, etc.


                  Frogg @johnpoz, Sep 22, 2020, 8:17 PM (last edited 8:19 PM)
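As an added example, not pfSense's or Netgate's code, here is the split-DNS plan johnpoz describes (one host override per vhost, resolving to the internal server) next to a classifier for what a LAN resolver answer means for a LAN client: an answer equal to the internal address connects directly, an answer equal to the WAN IP hairpins through the firewall and only works with NAT reflection enabled, which is the timeout in the first post. The internal address 192.168.1.4 is the one named in the thread; the WAN IP 203.0.113.10 and the vhost names are placeholders. The `local-data:` lines use Unbound's real syntax and are equivalent to what the pfSense Host Overrides GUI produces.

```python
"""Split DNS planner for many vhosts on one internal server (added example)."""
from ipaddress import ip_address, ip_network

# Constructed inputs for this example.
WAN_IP = "203.0.113.10"        # placeholder public address, not the poster's
LAN_SERVER_IP = "192.168.1.4"  # internal Apache host named in the thread
LAN_NET = ip_network("192.168.1.0/24")
VHOSTS = ["domain1.ltd", "domain2.ltd"]  # placeholder vhost names


def unbound_host_overrides(names, internal_ip):
    """Unbound 'local-data' entries, one per vhost, pointing at the LAN address.

    These are what pfSense's Host Overrides generate; with them in place a LAN
    client never sees the WAN IP for these names, so no reflection is needed.
    """
    return [f'local-data: "{name}. IN A {internal_ip}"' for name in names]


def classify_lan_answer(name, answer):
    """Explain the consequence of the address a LAN resolver returned for name.

    split-dns                    -> direct LAN connection, no NAT involved
    hairpin-needs-nat-reflection -> client aims at the WAN IP; the timeout
                                    from the thread unless Pure NAT is enabled
    other-lan-host               -> a LAN address that is not this server
    external                     -> the name is served somewhere else
    """
    ip = ip_address(answer)
    if answer == LAN_SERVER_IP:
        return "split-dns"
    if answer == WAN_IP:
        return "hairpin-needs-nat-reflection"
    if ip in LAN_NET:
        return "other-lan-host"
    return "external"


def audit(resolver_answers):
    """Classify every vhost; names the resolver did not answer are 'nxdomain'."""
    return {
        name: classify_lan_answer(name, resolver_answers[name])
        if name in resolver_answers else "nxdomain"
        for name in VHOSTS
    }


if __name__ == "__main__":
    print("\n".join(unbound_host_overrides(VHOSTS, LAN_SERVER_IP)))
    # Before the overrides, a LAN resolver hands out the public address.
    print(audit({"domain1.ltd": WAN_IP, "domain2.ltd": WAN_IP}))
```

Run it on the addresses your own resolver returns (for example from `nslookup domain1.ltd` on a LAN client) to see whether a name still hairpins.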

                  @johnpoz I didn't try HAproxy, I tried Squid proxy but it wasn't able to do it (from the official site).

                  With this config I can easily control the SSL certificates and auto-renew (certbot).

                  I may be able to do the same using "more elegant ways" but I am running out of time for the subject, sorry.

                  But it is interesting to see that other ways exist.

                  I may give HAproxy a try next time.

                  And again, I really appreciated the help I found on this forum.

                    johnpoz LAYER 8 Global Moderator, Sep 22, 2020, 8:19 PM

                    Yeah HAproxy would be the way to do it, and you can do SSL offloading so all the certs are managed in HAproxy, and sure use ACME to do the certs, etc.
