Port Redirection internal vs external

tabmow · Dec 25, 2020, 5:48 PM

Hi,

I have recently setup pfSense and am having trouble getting my internal redirects to work from within the LAN network.

nextcloud.domain.com resolves to my WAN IP
I have a port redirect from 80/443 to my reverse proxy inside my lan network at 192.168.1.201
This works fine when connecting from outside of my network.

However when I connect to nextcloud.domain.com from within my lan network it just times out. Is this possible with pfSense? It used to work fine on my previous router. I'm not sure if I need some extra config or extra NAT?

Any help would be much appreciated.
Thanks,
Terry

viragomann · Dec 25, 2020, 7:38 PM

@tabmow
If you're using an internal DNS like the Resolver on pfSense, you can add a DNS override for your domain to resolve it to the internal proxy IP or directly to the webserver if you want to bypass the proxy.

Otherwise you have to go with NAT reflection. You can activate it in the NAT rule.

tabmow · Dec 25, 2020, 9:43 PM

@viragomann I did try split DNS and I got weird results. Not sure if it is a browser thing or not but I was getting redirected to a pfSense page saying there was a spoofing attack or something similar... It was odd. I'll look at NAT reflection.

Rod-It · Dec 25, 2020, 11:08 PM

You could simply use the internal IP not your proxy for internal users or enable NAT reflection on your NAT rule for your port 443/80

Are you using HA proxy as your reverse proxy, if so you need to move Pfsense off 443 for its own connection and move it elsewhere first.

If you are using AD for DNS or somethign else, point your DNS name to the Nextcloud box directly not the proxy, use the proxy for external connections, if you are using PF as your DNS, as above an override might work

tabmow · Dec 26, 2020, 8:33 AM

@rod-it Enabling NAT reflection worked. The reverse proxy is nginx and it does SSL offloading etc. for my nextcloud instance so I can't point the split DNS directly to the nextcloud instance.

I figured that it may be a problem with the web gui of pfSense listening on those ports so I may update that and then try the split DNS again later to disable NAT reflection.

Rod-It · Dec 25, 2020, 11:15 PM

I use HA Proxy on Pfsense and do SSL offloading, but i use internal DNS for internal clients, so i can point internal traffic directly to NextCloud and external traffic at HA.

I'm not sure i see a benefit to pointing everything at the proxy for internal traffic.

viragomann · Jan 1, 2021, 5:50 PM

@tabmow said in Port Redirection internal vs external:

I figured that it may be a problem with the web gui of pfSense listening on those ports

Because of this reason we have our pfSense web configurator listening to other ports then these ones which are used in NAT rules.
You can change it in the advanced settings.

tabmow · Jan 1, 2021, 5:50 PM

@viragomann I ended up switching to the pfSense haproxy module and it works a treat. Don't need those NAT rules anymore and I can remove one of my jails, win-win!

Rod-It · Jan 1, 2021, 8:41 PM

@tabmow

It's really easy to use, which is why i opted to use it myself, i also don't need another VM or Docker container running when the PfSense box can do this along with the LE certs

Do keep in mind HA only works at TCP level, so if you wanted to proxy anything non HTTPS, you might have issues