No access to services behind pfsense / nginx
-
I recently got a 'real' public IP address from a new ISP instead of the old ISP's 1:1 forwarding (CG-NAT?).
However... I can't access internally hosted websites/services (websites, Home Assistant, Plex, etc.) from the WWW. I have pfSense set up and an nginx on the LAN side (WAN > pfSense > nginx > redirect to website/service).
What I've done so far:
- Created 80/443 port forwards from WAN > nginx in pfSense (https://imgur.com/a/aHTMmRC)
- In pfSense System > Advanced I've put "domain-name.local" (in that order) (https://imgur.com/a/KHmoDMD) (if I go to domain-name.dk:8443 I get a DNS rebind attack warning)
- Checked "WebGUI redirect" as it interfered with the port 80 port forward earlier (https://imgur.com/a/j6hNR8V)
- In nginx each of the 3 hosted websites is redirected from the respective domain names to port 9010, 9020 and 9030 on the webserver (https://imgur.com/a/tmtoT40)
- I use the pfSense DNS Resolver to resolve internal names such as nginx.domain-name.local to private IP addresses (e.g. homeassistant.domain-name.local > 192.168.30.2:8123)
- The VLANs created in pfSense use DNS 192.168.X.1 and 1.1.1.1
I have absolutely no idea why it doesn't work - in my mind the 80/443 port forward should be all I needed to do in pfSense, but apparently not. However, it worked like a charm with the previous ISP.
-
@jacobhjensen
You have to set the source port to any in the port forwarding rules.
The source port is normally always dynamic, so you must not limit it.
-
@viragomann that makes good sense - they've been edited to "any". However, still no access to anything from WWW :-(
-
@jacobhjensen
Ensure that the packets from the internet hit your WAN.
Sniff the traffic on WAN using the packet capture tool and check that.
If you can see the packets, also sniff the traffic on the internal interface facing nginx.
-
@viragomann I must say, I don't really understand why that is necessary. When I had the old ISP it all just worked as intended - and was actually quite intuitive. But now that I have a real public IP it doesn't work at all.
I just checked with the firewall rules for WAN, since I know the last "static" public IP I had was a 1:1 port forward, and there I have a port forward for OpenVPN port 1194 going from any/any to the VPN-server directly. If I disable that and put it on nginx it doesn't work, but when it's directly attached to the WAN FW rules it works.
So now I'm just wondering if it's my WAN firewall rules or maybe DNS or NAT...
WAN firewall rules can be seen here: https://imgur.com/a/HEcqGxP
-
Rules look good. Note there are bytes shown on them; they have passed traffic.
Check the state table when you are trying to connect. Do you see the expected states on WAN and LAN?
Does the server at 192.168.30.3 allow connections from external IPs?
-
@stephenw10 @viragomann Just wanted to update with the solution.
Even though I don't understand the technical stuff behind it, this was the solution in my case:
- Set a hostname in System > Advanced > Admin Access (I set mine to domain-name.local)
- In System > Advanced > Firewall & NAT:
  - set "NAT Reflection mode for port forwards" to "Pure NAT"
  - set "Enable NAT Reflection for 1:1 NAT" to checked
  - set "Enable automatic outbound NAT for Reflection" to checked
Now it works correctly, but I'm still struggling to understand why/how - just in case someone smarter than me can ELI5 ;-) This also solved some other issues I had with a VPN forwarded to 1194 and a Home Assistant connection to port 8123.
-
How were you testing? From some internal device? That would require NAT reflection. But actual external connections would not.
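The two checks the thread converges on (capture on WAN and on the interface facing nginx to see whether inbound SYNs are forwarded and answered, and the question of whether the test came from an internal device that needs NAT reflection) can be automated over the text output of pfSense's packet capture, which is tcpdump format. The script below is an added example for this thread, not code from the thread, pfSense or Netgate. The capture lines are constructed; the public IP 203.0.113.10, the nginx host 192.168.30.3 and the LAN ranges are assumptions.

```python
"""Correlate pfSense packet captures on WAN and on the nginx-facing interface.

Added example, not code from the thread or from pfSense. For every inbound SYN
to a forwarded port it reports: reached WAN but not forwarded (rule/NAT problem),
forwarded but no SYN-ACK (server problem), or forwarded and answered. SYNs from
an internal host to the public IP seen only on the LAN side are flagged as a
hairpin test, which never traverses WAN and needs NAT reflection or split DNS.
"""
import ipaddress
import re
from collections import namedtuple

# Assumed topology (not from the thread).
WAN_IP = "203.0.113.10"
NGINX_IP = "192.168.30.3"
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16")]
FORWARDED_PORTS = {80, 443}

# Verdicts, keyed by (client IP, client source port).
OK = "forwarded and answered by nginx"
NOT_FORWARDED = "reached WAN but not forwarded: check WAN rule and port forward (source port any)"
NO_REPLY = "forwarded but no SYN-ACK from nginx: check the service and its host firewall"
HAIRPIN = "internal client to the public IP: hairpin, needs NAT reflection or split DNS"

Pkt = namedtuple("Pkt", "src sport dst dport flags")

# Matches e.g. "IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq ..."
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Turn tcpdump -n text lines into Pkt tuples; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def diagnose(wan_lines, lan_lines):
    wan, lan = parse(wan_lines), parse(lan_lines)
    verdicts = {}
    # 1. Inbound SYNs ("[S]") that actually hit the WAN address on a forwarded port.
    for p in wan:
        if p.dst != WAN_IP or p.dport not in FORWARDED_PORTS or p.flags != "S":
            continue
        key = (p.src, p.sport)
        # A plain port forward keeps the original source, so the same src/sport
        # should reappear on the LAN side with the destination rewritten to nginx.
        forwarded = any(q.src == p.src and q.sport == p.sport and q.dst == NGINX_IP
                        and q.dport == p.dport and q.flags == "S" for q in lan)
        if not forwarded:
            verdicts[key] = NOT_FORWARDED
            continue
        # SYN-ACK ("[S.]") from nginx back towards the client on the LAN side.
        answered = any(q.src == NGINX_IP and q.sport == p.dport and q.dst == p.src
                       and q.dport == p.sport and q.flags == "S." for q in lan)
        verdicts[key] = OK if answered else NO_REPLY
    # 2. SYNs on the LAN side from an internal host to the *public* IP: a hairpin
    #    test. It is never seen on WAN and only works with NAT reflection.
    for p in lan:
        if p.dst == WAN_IP and p.dport in FORWARDED_PORTS and p.flags == "S" and is_internal(p.src):
            verdicts[(p.src, p.sport)] = HAIRPIN
    return verdicts


# Constructed sample captures (not real traffic).
WAN_CAPTURE = [
    "12:00:00.000001 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000200 IP 203.0.113.10.443 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:01.000001 IP 198.51.100.8.40000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000001 IP 198.51.100.9.41000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0",
]
LAN_CAPTURE = [
    "12:00:00.000050 IP 198.51.100.7.51234 > 192.168.30.3.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000150 IP 192.168.30.3.443 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:02.000050 IP 198.51.100.9.41000 > 192.168.30.3.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000001 IP 192.168.10.20.55555 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    for (ip, port), verdict in diagnose(WAN_CAPTURE, LAN_CAPTURE).items():
        print(f"{ip}:{port} -> {verdict}")
```

Feed it the two captures taken while a test connection is attempted: if the client never shows up in the WAN capture at all, the problem is upstream (ISP, DNS pointing at the wrong address, or a test run from inside the LAN, which is the hairpin case the final reply asks about).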