Netgate Discussion Forum

HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https

Firewalling
32 Posts 2 Posters 1.5k Views
    ducati57 @johnpoz
    last edited by ducati57 Oct 13, 2023, 4:31 PM Oct 13, 2023, 4:25 PM

    @johnpoz

    Here are the basic DNS on Pfsense.
    c4dd5afe-f48e-4d3c-8dfa-54f5f4322bef-image.png

    I will make the modifications as you detailed previously and post a screenshot.

    2bbd8c25-a83c-4c08-901e-c5b3649844e1-image.png

      johnpoz LAYER 8 Global Moderator @ducati57
      last edited by Oct 13, 2023, 4:29 PM

      @ducati57 yeah - you already stated that.. Not sure what else you want me to say? Out of the box unbound doesn't even use those.. Unless you specifically set up unbound to forward.

      forward.jpg

      And it doesn't matter what pfsense does, be it resolve or forward.. If your client, ie some PC on your network, is asking pfsense for DNS.. And you set up a host override, then that is the new IP that would be handed to the client for the fqdn it asked for.

      If your PC is using, say, 8.8.8.8 or any of those you listed for DNS directly - then no, a host override wouldn't work, because the client is never asking pfsense to resolve anything anyway.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        ducati57 @johnpoz
        last edited by Oct 13, 2023, 4:32 PM

        @johnpoz

        So here is the modification to be made, directly on the LAN/DHCP server?
        206cd0aa-98fd-48c4-a0e2-dec56e7995d9-image.png

          johnpoz LAYER 8 Global Moderator @ducati57
          last edited by Oct 13, 2023, 4:35 PM

          @ducati57 You don't need to put anything in there..

          Out of the box pfsense will ask itself (unbound) for dns - which resolves..

          dns.jpg

          You only need to put those in - if you want pfsense to use them, or you want to forward to them from unbound, etc. I have zero use for any external dns provider since I just let unbound resolve, as it does by default anyway..


            ducati57 @johnpoz
            last edited by Oct 13, 2023, 4:46 PM

            @johnpoz Ok, thanks for your patience :)

            I just modified it as indicated in your comment.=>

            e93b85d2-b5e3-487b-9ddd-fe9727f5eb35-image.png

              johnpoz LAYER 8 Global Moderator @ducati57
              last edited by Oct 13, 2023, 4:47 PM

              @ducati57 If that is the pfsense IP, why would you set that and not just use loopback? Which it does all on its own..


                ducati57 @johnpoz
                last edited by ducati57 Oct 13, 2023, 4:55 PM Oct 13, 2023, 4:54 PM

                @johnpoz

                If I do not indicate anything, and I configure Pfsense identical to your screenshot, here is the result
                (KO update status because no external access because no DNS?)

                70dc209e-fbc0-4b2f-be78-f5597a0886a9-image.png

                  johnpoz LAYER 8 Global Moderator @ducati57
                  last edited by Oct 13, 2023, 5:05 PM

                  @ducati57 did you modify unbound settings?

                  unbound.jpg

                  By default it's ALL, did you change it and not include localhost?

                  Is unbound running even?

                  services.jpg


                    ducati57 @johnpoz
                    last edited by ducati57 Oct 13, 2023, 6:05 PM Oct 13, 2023, 5:16 PM

                    @johnpoz

                    Here is the configuration of the different elements / services do you see an error? (security problem, loop, bug, useless,etc..)

                    c2572561-1f74-4874-9695-4e42891ad506-image.png

                      johnpoz LAYER 8 Global Moderator @ducati57
                      last edited by Oct 13, 2023, 8:00 PM

                      @ducati57 well I see one thing that I personally would not do.. If you're going to set the specific interfaces that unbound listens on, why would you click on WAN.. Do you have devices that would be using the DNS via its WAN IP?

                      You're saying with those settings it does not populate 127.0.0.1 in the system tab for DNS? If you do not put anything in the DNS tab?

                      Here I just fired up my 2.7 box.. It's pretty much default out of the box.. Other than changing its LAN to other than the default 192.168.1.1

                      default.jpg

                      I then changed from all, to just lan and got this error

                      loop.jpg

                      So I selected localhost along with just lan and it worked and system still shows dns as loopback 127.0.0.1

                      update.jpg


                        ducati57 @johnpoz
                        last edited by Oct 14, 2023, 7:41 AM

                        @johnpoz
                        Good morning,

                        I just made the modification, it's gone.
                        c26bbc6c-c5fb-403d-afb4-cfaffd85b237-image.png

                        However still no local LAN access via HTTPS from an external url

                          johnpoz LAYER 8 Global Moderator @ducati57
                          last edited by Oct 14, 2023, 11:32 AM

                          @ducati57 said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

                          However still no local LAN access via HTTPS from an external url

                          Did you create your host overrides?

                          Are your clients pointing to pfsense for DNS?

                          Do a simple dns query from a client - did it resolve your fqdn to pfsense wan IP? Vs the public.. Maybe your browser is using doh for dns? Vs pointing to pfsense IP for it.


                            ducati57 @johnpoz
                            last edited by ducati57 Oct 14, 2023, 4:42 PM Oct 14, 2023, 4:38 PM

                            @johnpoz Yes, here is the conf for "Host Overrides"

                            af710cb1-a255-4082-a544-e68238ef384e-image.png

                            Yes, here is my PC (wifi) where it is visible in DNS (Pfsense) in 192.168.1.1

                            ec4edc7e-e4fd-437e-849b-d559ac7912a2-image.png
                            b2ee527c-8393-4da8-adeb-818b979ed588-image.png

                              johnpoz LAYER 8 Global Moderator @ducati57
                              last edited by johnpoz Oct 14, 2023, 4:48 PM Oct 14, 2023, 4:45 PM

                              @ducati57 so your nslookup for dom.namedomaine.ovh returns 192.168.1.21

                              do your nslookup dom.namedomaine.ovh

                              What does it reply with - if that works and you're still going to the public in your browser - you sure your browser isn't using DoH vs your local DNS?

                              And that is not the right override anyway - if you want it to bounce off pfsense wan IP running haproxy, then it should be to pfsense wan IP.. Not the actual host IP the site is running on.

                              haproxy.jpg


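What the two settings discussed in this exchange look like in unbound's own configuration, as an added example that is not from the thread and not a file pfSense generated. pfSense writes unbound.conf from the DNS Resolver page and host overrides from the GUI, so you would not normally hand-edit these lines; they are here to make explicit what "Network Interfaces: LAN + Localhost" and a host override pointing at the WAN address produce. 203.0.113.10 stands in for the pfSense WAN IP (an assumption); 192.168.1.1, 192.168.1.21 and dom.namedomaine.ovh are the values used in the thread.

```conf
server:
    # "Network Interfaces": listen on LAN and loopback, not WAN.
    # Dropping 127.0.0.1 is what broke things when only LAN was selected:
    # pfSense itself queries 127.0.0.1 for DNS, so unbound must answer there.
    interface: 127.0.0.1
    interface: 192.168.1.1

    # Host override for the public name. It must answer with the pfSense WAN IP,
    # where HAProxy is bound, not with the backend VM (192.168.1.21); pointing it
    # at the VM sends LAN clients straight to the VM, bypassing HAProxy and the
    # Let's Encrypt certificate it serves.
    local-zone: "dom.namedomaine.ovh." transparent
    local-data: "dom.namedomaine.ovh. IN A 203.0.113.10"
```

Nothing in the WAN "Block private networks" rule is involved in this hairpin: the LAN client's connection enters on the LAN interface and is accepted by the LAN rules, and HAProxy picks it up on the WAN address.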
                                ducati57 @johnpoz
                                last edited by ducati57 Oct 14, 2023, 5:09 PM Oct 14, 2023, 5:03 PM

                                @johnpoz said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

                                do your nslookup dom.namedomaine.ovh

                                A test from my laptop :

                                27498b4b-0fea-4454-b9f8-3c8358a14eed-image.png

                                A direct test of the VM on my ESXI :

                                907e6ebb-49a5-4ae2-81c3-6e2a8259af45-image.png

                                  johnpoz LAYER 8 Global Moderator @ducati57
                                  last edited by Oct 14, 2023, 5:22 PM

                                  @ducati57 then it should be hitting your haproxy - look in the haproxy logs.. Do you have some rule on pfsense lan that would prevent that? Like are you doing policy routing.

                                  Also again is your browser using doh.. Many browsers love to default that with no mention of it to the user..

                                  Look in your browsers dns cache to validate it resolved to your wan IP where haproxy is listening..

                                  For example in firefox you can go here to view the cache
                                  about:networking#dns

                                  trr.jpg


                                    ducati57 @johnpoz
                                    last edited by ducati57 Oct 14, 2023, 5:40 PM Oct 14, 2023, 5:29 PM

                                    @johnpoz

                                    For this section, can I leave it like this or should I set LAN and localhost?
                                    b0b831dc-4c3e-41ac-b973-8804b72165aa-image.png

                                    I just rebooted Pfsense, cleaned the browser caches on my phone and laptop, as well as a reboot.
                                    I can now connect locally via the external address! :)
                                    Thanks a lot for the help !!

                                    b0604209-19da-4078-9967-df161424e420-image.png

                                    Concerning the 2nd subject with my Dahua VMS (NVR) also any idea?

                                      johnpoz LAYER 8 Global Moderator @ducati57
                                      last edited by Oct 14, 2023, 5:41 PM

                                      @ducati57 said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

                                      Concerning the 2nd subject with my Dahua VMS (NVR) also any idea?

                                      I don't know what that is - or how it's supposed to work. You want to run that through your haproxy as well? If it's not truly HTTPS then haproxy might not work, but you could use tcp mode in haproxy maybe?

                                      Does that work if you turn off the rfc1918 block like you were doing before with these other vms?


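What the tcp-mode suggestion above looks like in native HAProxy syntax, as an added example that is not the thread's own configuration and not text generated by the pfSense HAProxy package (the package writes haproxy.cfg from its GUI; the equivalent is shown here so the behaviour is explicit). The WAN IP 203.0.113.10 and the NVR VM address 192.168.1.30 are placeholders. The caveat a practitioner should take from it: `mode tcp` relays bytes unchanged. It gets port 37777 through HAProxy, but it does not "encapsulate the service in https"; the Dahua client still talks its own protocol end to end, and HAProxy can only add TLS on the outside if the client itself can speak TLS to it.

```haproxy
frontend dahua_37777
    mode tcp
    bind 203.0.113.10:37777          # pfSense WAN IP (placeholder)
    option tcplog
    timeout client 1h                # long-lived video sessions
    default_backend nvr_37777

backend nvr_37777
    mode tcp
    timeout connect 5s
    timeout server 1h
    server nvr 192.168.1.30:37777 check   # NVR VM (placeholder IP)
```

A WAN firewall rule allowing TCP 37777 to the WAN address is still needed for outside clients, and LAN clients only reach this frontend from inside if the name they use resolves to the WAN IP, the same host-override point as for the HTTPS sites earlier in the thread.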
                                        ducati57 @johnpoz
                                        last edited by ducati57 Oct 14, 2023, 9:39 PM Oct 14, 2023, 9:34 PM

                                        @johnpoz
                                        Last question regarding problem 1, could you confirm that I do not have to make any modifications to this issue in the DNS RESOLVER?
                                        5d627d98-e2cb-4261-9fc8-37d805de507f-image.png

                                        ==================

                                        Concerning problem 2, this is a VM dedicated to recording video streams from different cameras.
                                        The VM uses a logger which broadcasts via port 37777.
                                        7fd4a3e9-0195-4893-b7bc-467bd02382e2-image.png

                                        It is possible to connect to the recorder (VM) via an application using IP or URL, port, login, password.

                                        62b280a7-350f-412b-8a94-b78ec6100361-image.png

                                        And yes I want to encapsulate the service (port37777) in https ideally.
                                        So I'm thinking of testing TCP in HA proxy....

                                          johnpoz LAYER 8 Global Moderator @ducati57
                                          last edited by Oct 14, 2023, 9:44 PM

                                          @ducati57 to your ALL for outgoing - this is just the default. You prob have no use for your other interfaces for "outgoing" Do you have other downstream DNS that is only available via your lan side interfaces?? That you want to do say a domain override with?

                                          I have my outgoing set to localhost.. This can remove some issues where unbound trying to bind to interfaces like a vpn or other interface that might not be up when unbound starts.

                                          While "all" is a good default setting to make sure it just works.. If you're looking to tweak your settings and get a specific setup for your specific network needs.. You could adjust for your needs.

                                          This is my setup
                                          thisismine.jpg

                                          But your "needs" or wants might be different for your specific network.


                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.