How to map LAN host to IP Alias for DNS resolution (let's encrypt)
-
hi guys,
I have a pfSense with a single WAN + about 20 IP Aliases.
Inbound traffic over the IP Aliases works fine using NAT > Port Forward.
However, I'm struggling with getting LAN traffic assigned to a specific IP Alias.
Issue - I'm trying to configure Let's Encrypt on an internal web server, but it (Let's Encrypt) keeps saying the IP of the host resolves to the WAN IP instead of the correct IP Alias.
Question - how can I configure a LAN host to work with a specific IP Alias?
Thanks.
-
@pr0xyguy I would start with turning off NAT on that IP.
-
@pr0xyguy Instead of trying to fake out certbot, I think you should determine why it's complaining and fix that problem. Try to discover what certbot is looking up and what it's getting. Your server's hostname should not be its public name. What's the server's hosts file? What does your DNS have to say about that server?
-
The web server on LAN = 10.0.10.15
I use external DNS (Hover) which points the FQDN to 66.103.205.115 (for example), which is one of my IP Aliases.
When I run certbot on the 10.0.10.15 host, it resolves the domain name I'm trying to register fine - but the return packet is going out over my pfSense's primary WAN and not the IP Alias the FQDN points to.
So certbot keeps saying 'the domain xxx.com resolves to a different IP address' (the WAN and not the IP Alias).
-
@pr0xyguy Create an Outbound NAT rule so that traffic initiated by the web server appears to be coming from the VIP.
-
So, I've looked at that, but when creating the Outbound NAT rule, for 'Source' I can only choose 'Network / Any / This firewall (self)'.
Shouldn't I set the 'Source' to the LAN host IP (.15)?
Thanks for the help btw.
-
@pr0xyguy If you want to set a rule for a single IP, select Network, enter the host IP and select a /32 mask.
-
Thanks brother, that worked.
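The rule from the last answer (Source = Network 10.0.10.15 with a /32 mask, translation address = the IP Alias), written out in pf.conf form next to the default catch-all it has to sit above; this is an added example, not something posted in the thread, and the WAN interface name em0 and the LAN subnet 10.0.10.0/24 are assumptions.

```pf
# Added example, not from the thread: pf.conf-style rendering of the pfSense
# Outbound NAT fix so that the rule order and the /32 mask are visible in one place.
# Assumptions: WAN interface "em0", LAN 10.0.10.0/24, web server 10.0.10.15,
# IP Alias VIP 66.103.205.115 (the example address used in the thread).
# pfSense generates the equivalent from the GUI (Firewall > NAT > Outbound,
# Hybrid or Manual mode); it is shown here only to explain what the GUI rule does.
wan     = "em0"
lan_net = "10.0.10.0/24"
web_srv = "10.0.10.15/32"       # single host: "Network" with a /32 mask
web_vip = "66.103.205.115"      # the IP Alias the FQDN's A record points to

# Translation (nat) rules match first-hit, so the host-specific rule must come
# BEFORE the catch-all. In the GUI that means moving the new rule to the top of
# the Outbound list; left below the automatic rule it never matches.
nat on $wan from $web_srv to any -> $web_vip

# Before the fix only this automatic catch-all existed: every LAN host, including
# 10.0.10.15, left the firewall with the primary WAN address as its source, which
# is why certbot saw the WAN IP rather than the address the FQDN resolves to.
nat on $wan from $lan_net to any -> ($wan)

# Verify on the firewall: "pfctl -s nat" lists the loaded translation rules in
# order, and "pfctl -s state" shows live translations (look for 10.0.10.15 being
# rewritten to 66.103.205.115 on an outbound connection from the web server).
```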