Redirect HTTPS traffic from Internal LAN
-
Hi,
I'm currently hosting several VMs on Proxmox and I'm using pfSense as HAProxy with SSL termination. Depending on the SNI, HAProxy is redirecting traffic to the right web service with only one public IP on the front end. On the physical host all traffic coming from the WAN is redirected to pfSense on the WAN interface for NAT redirection.
All the web services are reachable from outside the infrastructure with HTTPS. So I can successfully execute:
wget https://mysite.public.domain
The SNI 'mysite' is handled by HAproxy with SSL Termination.
However the same command started from any VM located on the internal LAN fails. How can I redirect internal LAN HTTPS traffic destined only for the public IP (the frontend) to be handled by pfSense (Internal LAN -> Public IP -> pfSense HAProxy -> Internal LAN)?
Many thanks in advance for your help!
-
@llinty
This should work out of the box generally. But some facts are required:
- The public IP is assigned to pfSense WAN directly. No NAT.
- The LAN is allowed to access the public IP.
- HAproxy is not running in transparent mode.
-
@viragomann Yes it should but it does not work ;-)
From the internal LAN I can access anything in HTTPS (apt update and so on...) except for the web resources hosted internally. pfSense has two interfaces, 1 WAN and 1 LAN. All the external traffic is redirected to pfSense. HAProxy is not running in transparent mode. NAT is mandatory because of SSL termination. Internal web services in the backend are not running on TCP/443.
I had a deep read on NAT Reflection. It seems that it could solve such an Ethernet packet loopback. I need to access external services (hosted locally) from the internal network using the external IP address.
Does anyone know how to configure it?
-
@llinty said in Redirect HTTPS traffic from Internal LAN:
I need to access external services (hosted locally) from the internal network using the external IP address.
This is simple haproxy reverse proxy with ssl offload.
This has nothing to do with nat. Moving this to the haproxy section.
If you have haproxy working from the outside with this - it should work from the inside as well. I have a site I do this with. Overseer, it does not do https, that is handled by haproxy.
-
@llinty said in Redirect HTTPS traffic from Internal LAN:
All the external trafic is redirected to pfsense.
So is pfSense behind a router? Does pfSense have the public IP?
NAT is mandatory because of SSL Termination.
What has SSL termination to do with NAT?
I had a deep reading on NAT Reflection. It seems that it could solve this such ethernet packet loopback.
If pfSense is behind a NAT router you need NAT reflection on the front router.
-
@viragomann said in Redirect HTTPS traffic from Internal LAN:
If pfSense is behind a NAT router you need NAT reflection on the front router.
That for sure could cause his issue..
There is nothing special you would have to do with the reverse proxy. It doesn't care where the traffic comes from. Be it public or from the same network..
So unless you're blocking, or maybe policy routing from your LAN side? Off the top of my head I don't recall having to do anything special for internal devices to be able to hit the pfSense WAN and get sent to the backend.
Other than sure if pfsense is not public on its wan, whatever does have the public IP would have to do nat reflection and send it to pfsense wan IP.
-
@johnpoz
I mentioned this requirement already above, but his answer still lets me assume he is behind NAT.
-
@viragomann I didn't catch that you mentioned it before - but it is a good possible reason for his troubles.
-
Hi @johnpoz,
thank you for your answer! Indeed I have put my post in the NAT section because I thought that NAT Reflection may solve my problem. HAProxy is perfectly doing its job from outside, but to access website resources the traffic must go through pfSense and HAProxy to get the SSL certificate and to be redirected with a NAT rule depending on the requested SNI.
From internal network, I can of course get access to website resource by specifying the right local port number but for some of them HTTPS is mandatory.
-
@llinty still haven't answered the question - is pfsense wan actual public IP, or is it behind a nat router?
If pfsense wan is not public, then yes you would need to setup nat reflect on what does so traffic would get sent back to pfsense wan IP so the haproxy could send it to your backend.
If pfSense has the actual public IP, then there is nothing off the top of my head that you have to do special for either an internet client or a local client to use the proxy to get to your backend.
Other than yes the client behind pfsense would need to be able to get to the wan IP where haproxy is listening for the traffic. I have a site that is open to the public, and didn't need to do anything at all that I recall for local clients to also use it via the fqdn that resolves to my pfsense public wan IP.
-
@viragomann The physical server is hosted by a provider so there is of course a router in front. As you can understand I cannot manage this equipment.
I have 1 public IP address (vmbr0 - physical ethernet card) for my physical server, which is a hypervisor. Two other Linux bridge interfaces have been declared for managing WAN (vmbr1) and LAN (vmbr2). pfSense is a virtual machine running on the hypervisor with two network interfaces on vmbr1 and vmbr2. All the traffic going to the LAN is routed to pfSense (WAN IP) through the bridged network (vmbr1). This is the post-up command executed for vmbr2 on the physical server:
ip route change <lan network>/24 via <WAN IP address> dev vmbr1
HAProxy is a package installed in the pfSense virtual machine. It is performing NAT from WAN (HTTPS traffic) to LAN depending on the SNI and it is providing SSL termination. Local websites are running on a different TCP port.
NAT reflection has nothing to do with SSL Termination of course. But if I take a look at the Netgate documentation " [...] NAT Reflection refers to the ability to access external services from the internal network using the external (usually public) IP address, the same as if the client were on the Internet. [...]"
So if I execute the wget command from one VM on the internal LAN to another VM running a website I need to:
(1) wget https://mysite.public.domain
In this case mysite.public.domain matches the public IP address of my host. The SNI 'mysite' is one of the backend websites managed by HAProxy. It is working from outside and not from inside. However:
(2) wget http://mysite.local.domain:<local port>
This command is working from inside but I have to use the public domain (1). Split DNS is not a solution because external and internal port numbers are different.
-
@llinty said in Redirect HTTPS traffic from Internal LAN:
So if I execute the wget command from one VM on the internal LAN to another VM running a website I need to:
(1) wget https://mysite.public.domain
It is working from outside and not from inside.
So when you resolve mysite.public.domain from inside your LAN, do you get the WAN IP of pfSense?
(2) wget http://mysite.local.domain:<local port>
This command is working from inside but I have to use the public domain (1).
This lets me assume that you have a DNS override configured for this host name pointing to your backend server, which would not work.
-
The dig command executed for mysite.public.domain replies with the public IP address declared on the DNS of my provider. So there is no DNS override. pfSense does not have a public IP address because it is a VM running in the hypervisor. It only has two bridged IP addresses, WAN (vmbr1) and LAN (vmbr2), declared in the hypervisor.
This is the packet capture from wget to mysite.public.domain.
myhost.public.domain is the DNS name associated to Public IP address given by my provider.
user@test:~$ sudo tcpdump -i ens18 port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), capture size 262144 bytes
12:20:20.486731 IP test.local.domain.38836 > myhost.public.domain.ip-145-xxx-xxx.eu.https: Flags [S], seq 3524126061, win 64240, options [mss 1460,sackOK,TS val 1981282875 ecr 0,nop,wscale 7], length 0
-
@llinty said in Redirect HTTPS traffic from Internal LAN:
pfsens does not have public IP address because it is a VM running in the Hypervisor.
That's no reason for not having the public IP on pfSense.
But yeah, if you have only one and need it to be assigned to the hypervisor, you have to forward traffic to pfSense.
So now, do you have access to the device which the public IP is assigned to, maybe the VPS, or is that device controlled by the provider?
-
@viragomann I have no way to change the current infrastructure and I do not want to. There is one hypervisor running multiple VMs including pfSense with different packages installed. I can fully manage the physical server and VMs with ssh, and none of the other components are managed by the provider.
-
@llinty If you're forwarding on your hypervisor, that is where you would have to put in the NAT reflection. It's that simple.
Not sure how you expect HAProxy to proxy traffic it is never seeing. Put in a host override in pfSense so your client resolves the FQDN to whatever the pfSense actual WAN IP is, where HAProxy is listening.
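As an added example (not code from this thread, from pfSense or from Proxmox), here is what the NAT reflection on the hypervisor referred to in the last post looks like as Linux iptables rules: the public IP's port 443 is forwarded to the pfSense WAN address, and a hairpinned flow from the LAN is source-NATed so its reply comes back through the hypervisor instead of straight out of the pfSense LAN interface. The public IP, pfSense WAN IP, bridge name and LAN range are placeholder assumptions; the script only prints the rules unless DRY_RUN=0.

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) on a Linux hypervisor that owns the single public
# IP and hands port 443 to a pfSense VM on an internal bridge. Every address and
# interface below is a placeholder assumption; replace them with your own values.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"        # address on the physical NIC (vmbr0)
PFSENSE_WAN_IP="${PFSENSE_WAN_IP:-10.10.1.2}"  # pfSense WAN address on vmbr1
WAN_BRIDGE="${WAN_BRIDGE:-vmbr1}"              # bridge between hypervisor and pfSense WAN
LAN_NET="${LAN_NET:-192.168.50.0/24}"          # internal LAN behind pfSense
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print the rules, 0 = apply them

# Print the iptables command in dry-run mode, otherwise execute it.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Rule set that makes https://<public IP> work from the LAN as well as from the Internet.
hairpin_rules() {
  # The hypervisor must route between its bridges at all.
  [ "$DRY_RUN" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
  # 1) Port forward: anything reaching the public IP on 443, whether from the
  #    Internet on vmbr0 or from a LAN client that pfSense sent back out its WAN
  #    onto vmbr1, is rewritten to the pfSense WAN IP where HAProxy listens.
  ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 443 \
      -j DNAT --to-destination "$PFSENSE_WAN_IP:443"
  # 2) Reflection: the LAN client's packet now leaves on the same bridge it
  #    arrived on. Without source NAT, pfSense would answer the LAN address
  #    directly over its LAN interface, the client would see a reply from the
  #    wrong IP and drop it. Rewriting the source to the public IP makes pfSense
  #    send the reply to its default gateway (this host), which un-NATs it.
  #    Side effect: HAProxy logs show the public IP, not the LAN client.
  ipt -t nat -A POSTROUTING -o "$WAN_BRIDGE" -s "$LAN_NET" -d "$PFSENSE_WAN_IP" \
      -p tcp --dport 443 -j SNAT --to-source "$PUBLIC_IP"
  # 3) Let the forwarded flow and its replies pass the filter table.
  ipt -A FORWARD -d "$PFSENSE_WAN_IP" -p tcp --dport 443 \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -s "$PFSENSE_WAN_IP" -p tcp --sport 443 \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check helper: number of generated rules that reference the pfSense WAN address.
count_rules_for_pfsense() {
  hairpin_rules | grep -c -- "$PFSENSE_WAN_IP"
}

hairpin_rules
```

Verify on the hypervisor with `iptables -t nat -L -n -v` and `conntrack -L` while running the wget from a LAN VM; the DNAT and SNAT counters should both increase for one hairpinned connection.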