Netgate Discussion Forum

    Netcat fail accessing domain.ltd in LAN

    General pfSense Questions
    9 Posts 3 Posters 2.6k Views
    Frogg
      last edited by Frogg

      Hi,

      I am trying to make some commands work, like openssl, netcat, and some others, due to some tools' requirements.
      But when I try those commands I get a timeout.

      I feel like pfSense is cutting the connection (no answer => timeout) for security reasons, because the external IP domain doesn't match the internal domain (in my configuration the same IP has multiple domains).

      When I try the command from pfSense I get an extra message:

      DNS fwd/rev mismatch: domain.ltd != domain1.ltd
      

      Network configuration

      [Image: Untitled Diagram (1).png]

      In LAN
      When I try the following command it works from "Any client":

      nc -v 192.168.1.4 443
      Connection to 192.168.1.4 443 port [tcp/https] succeeded!
      

      When I try the following commands they fail from "Any client":

      nc -v externalIP 443
      nc: connect to externalIP port 443 (tcp) failed: Connection timed out
      
      nc -v domain1.ltd 443
      nc: connect to externalIP port 443 (tcp) failed: Connection timed out
      

      Pinging domain1.ltd works from "Any client".

      External network

      When I try the following commands they work:

      nc -v domain1.ltd 443
      Connection to domain1.ltd 443 port [tcp/https] succeeded!
      
      nc -v domain1.ltd 80
      Connection to domain1.ltd 80 port [tcp/http] succeeded!
      

      pfSense Configuration

      [Image: Opera Instantané_2020-09-22_192438_forum.netgate.com.png]

      [Image: Opera Instantané_2020-09-22_192635_pfsense.excelliance.net.png]

      [Image: Opera Instantané_2020-09-22_195143_pfsense.excelliance.net.png]

      NAT Reflection is on: Use system default

      If you have any idea of what I am doing wrong, it would really help me.

      Thanks.

      PS:
      I had a topic open there: https://forum.netgate.com/topic/156667/port-443-timeout-using-netcat-but-is-working-in-browser
      but I made a condensed version of all the information here.

      stephenw10 Netgate Administrator
        last edited by

        It looks like it was mostly covered in the other thread but:

        https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

        Steve

        Frogg
          last edited by Frogg

          Thanks for the link!

          [Image: Opera Instantané_2020-09-22_215718_pfsense.excelliance.net.png]

          It seems to work now (at least for netcat), I'll make some more tests.

          PS: I confirm all my current needs are working!

          stephenw10 Netgate Administrator
            last edited by

            Yeah, with Pure NAT mode and auto-outbound NAT you avoid asymmetry. It should work.

            Split DNS is generally considered better but if that's working for you... 😉

            Steve

            johnpoz LAYER 8 Global Moderator
              last edited by

              I went over that in the other thread - asked you multiple times for your specific configuration, if you were using pure or not, etc.

              But still I don't see the point of this - there is almost never a reason to hit the WAN IP just to be reflected back in when you're on the LAN. Just set up your host override to resolve domain.tld to your local IP for your tools.

              You never did answer in that other thread; it sounds like you were trying to run both dnsmasq (forwarder) and unbound (resolver) at the same time, etc.

              Glad you seem to have gotten it sorted.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Frogg @johnpoz
                last edited by Frogg

                @johnpoz I am sorry, I was busy those last days.
                Thanks a lot for your help too!

                The use of this:

                • multiple domains with Apache for 1 IP
                • zabbix checks
                johnpoz LAYER 8 Global Moderator
                  last edited by

                  Yeah, you could run hundreds of domains via HAproxy for external access. Just set up host overrides for all your domains, which removes the nonsense of reflection.

                  Zabbix checks still use internal DNS, and would resolve whatever FQDN you want to use to the actual local IP. NAT reflection does not validate that the source is actually working from the outside, etc.


                  Frogg @johnpoz
                    last edited by Frogg
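                  Added example (not code from this thread, from pfSense or from Netgate): a small model of the split-DNS fix johnpoz describes. It assumes Unbound's `local-data:` syntax for host overrides (pfSense's Host Overrides are rendered as such entries for Unbound) and uses constructed placeholder names and addresses, not the OP's. It renders the override entries for a set of FQDNs that all share one WAN address, and then audits resolver answers as seen from a LAN client: a public answer means the client would go to the WAN IP and depend on NAT reflection; a private answer matching the override means the connection stays inside the LAN; anything else points at a stale or missing override.

```python
"""Model the split-DNS (host override) alternative to NAT reflection.

Added example, not from the thread. Names and addresses below are constructed
placeholders; the override syntax is Unbound's local-data form.
"""
import ipaddress

# Constructed sample data: one WAN address fronting several names, each
# actually served by a host on the LAN (placeholders, not real hosts).
WAN_IP = "203.0.113.10"
OVERRIDES = {
    "domain1.ltd": "192.168.1.4",
    "zabbix.domain1.ltd": "192.168.1.20",
}


def unbound_host_overrides(overrides):
    """Render host overrides as Unbound local-data lines.

    Each FQDN gets an A (or AAAA) record pointing at its LAN address, so
    LAN clients never resolve the name to the WAN IP in the first place.
    """
    lines = []
    for fqdn, ip in sorted(overrides.items()):
        rtype = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn}. IN {rtype} {ip}"')
    return lines


def classify_answer(fqdn, answer_ip, overrides, wan_ip):
    """Classify one resolver answer observed from a LAN client.

    Returns:
      'split-dns'        - answer equals the configured override (desired)
      'needs-reflection' - answer is the WAN IP; only NAT reflection or a
                           hairpin would make the connection work from the LAN
      'unexpected'       - any other answer (stale override, wrong host, typo)
    """
    ip = ipaddress.ip_address(answer_ip)
    if fqdn in overrides and ip == ipaddress.ip_address(overrides[fqdn]):
        return "split-dns"
    if ip == ipaddress.ip_address(wan_ip):
        return "needs-reflection"
    return "unexpected"


def audit(answers, overrides, wan_ip):
    """Audit a mapping of fqdn -> answer IP and report which names still
    depend on NAT reflection from the LAN."""
    return {
        fqdn: classify_answer(fqdn, ip, overrides, wan_ip)
        for fqdn, ip in answers.items()
    }


if __name__ == "__main__":
    # Constructed answers as a LAN client might see them before and after
    # the override for domain1.ltd is added.
    before = {"domain1.ltd": "203.0.113.10", "zabbix.domain1.ltd": "192.168.1.20"}
    after = {"domain1.ltd": "192.168.1.4", "zabbix.domain1.ltd": "192.168.1.20"}
    print("\n".join(unbound_host_overrides(OVERRIDES)))
    print("before:", audit(before, OVERRIDES, WAN_IP))
    print("after: ", audit(after, OVERRIDES, WAN_IP))
```

                  The `audit` result is the check to run after enabling host overrides: every name a LAN tool (netcat, openssl, a Zabbix check) uses should come back as `split-dns`; any `needs-reflection` entry is a name the resolver is still handing out the WAN address for.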

                    @johnpoz I didn't try HAproxy, I tried Squid proxy but it wasn't able to do it (from the official site).

                    With this config I can easily control the SSL certificates and auto-renew (certbot).

                    I may be able to do the same using "more elegant ways" but I am running out of time for the subject, sorry.

                    But it is interesting to see that other ways exist.

                    I may give HAproxy a try next time.

                    And again, I really appreciated the help I found on this forum.

                    johnpoz LAYER 8 Global Moderator
                      last edited by

                      Yeah, HAproxy would be the way to do it, and you can do SSL offloading so all the certs are managed in HAproxy, and sure, use acme to do the certs, etc.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.