Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out)
-
I have followed (many) tutorials to successfully get SSL cert using ACME/LE. => Green Success.
Selected new cert in System | Advanced | Admin Access | SSL/TLS Certificate
Cert name matches General | Setup | System | Hostname/domain
The domain for the cert is with an external domain registrar, but has no public IP record (as desired, but is this OK?)
I can ping pfsense.mydomain.me (not the actual domain) and get an immediate response.
Traceroute correctly identifies the internal IP address (although reports LAN1 interface IP even though I am accessing via LAN2 Interface)
I am using non-standard webgui port. Port testing; pfsense.mydomain.me:myGUIport => Port test to host: successful
Can access using IP:mywebGUIport - but get the unsafe message still (expected)
Yet using pfsense.mydomain.me in the browser it just times out. :( "This site can't be reached took too long to respond"
I have enabled DNS resolver in an attempt to look locally instead of registrar (not sure if this is a valid solution step).
Every time I see how to setup the final step is, "... and now you will be able to access using your domain.)" - seems so easy.
I feel I must be overlooking something relatively simple, e.g. I don't have valid rules, need to set up a reverse proxy, or need to properly set up the DNS resolver.
Any troubleshooting clues appreciated.
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
Yet using pfsense.mydomain.me in browser it just times out. :( "This site can’t be reached took too long to respond"
Your browser is prob using DoH, i.e. not asking your internal DNS for pfsense.mydomain.me, which, like you said,
but has no public IP record
If your machine/browser was using local dns, then it would resolve to the IP you have in your local dns, when you ping..
Or example..
$ ping sg4860.home.arpa
Pinging sg4860.home.arpa [192.168.9.253] with 32 bytes of data:
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
But if you ask some public DNS for that, i.e. the browser using DoH (DNS over HTTPS), then no, you're not going to get an answer, or you would just get an SOA, etc.
$ dig @8.8.8.8 sg4860.home.arpa
; <<>> DiG 9.16.49 <<>> @8.8.8.8 sg4860.home.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57642
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([192.175.48.42] rcode=REFUSED for sg4860.home.arpa/a)
; EDE: 23 (Network Error): ([192.175.48.6] rcode=REFUSED for sg4860.home.arpa/a)
; EDE: 22 (No Reachable Authority): (At delegation home.arpa for sg4860.home.arpa/a)
;; QUESTION SECTION:
;sg4860.home.arpa. IN A
;; Query time: 103 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 23 05:41:10 Central Daylight Time 2024
;; MSG SIZE rcvd: 212
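Added example, not code from the thread: a stdlib-only Python check for the split-DNS situation described above (local resolver knows the name, a public resolver or a DoH-using browser does not), which also covers the PTR / in-addr.arpa naming that comes up later in the thread. It builds a wire-format query, parses the reply (including compression pointers) and classifies whether the FQDN came back as a private LAN address, a public answer, or nothing; all names and addresses in the test data are constructed.

```python
import ipaddress  # added example, not from the thread; sample names/IPs are constructed
import struct

def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4: 10.1.10.1 -> 1.10.1.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One-question recursive query (RD=1); qtype 1 = A, 12 = PTR (RFC 1035 wire format)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def _read_name(msg: bytes, off: int):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer: follow it, but remember where to resume
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_answers(msg: bytes):
    """Return (rcode, [(owner, rtype, rdata)]); rdata decoded for A and name-valued types."""
    flags, qd, an = struct.unpack(">HHH", msg[2:8])
    off = 12
    for _ in range(qd):  # skip the question section
        off = _read_name(msg, off)[1] + 4
    rrs = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = ".".join(map(str, msg[off:off + 4])) if rtype == 1 else _read_name(msg, off)[0]
        rrs.append((owner, rtype, rdata))
        off += rdlen
    return flags & 0xF, rrs

def diagnose(rcode: int, rrs) -> str:
    """Classify what a resolver said about the firewall's FQDN."""
    if rcode != 0 or not rrs:
        return "no-record"     # SERVFAIL/NXDOMAIN: this resolver holds nothing for the name
    ips = [r for _, t, r in rrs if t == 1]
    if ips and all(ipaddress.ip_address(i).is_private for i in ips):
        return "lan-override"  # private address: the unbound host override answered
    return "public-leak"       # public A/CNAME: client bypassed LAN DNS (e.g. DoH) or no override
```

To use it against real resolvers, send build_query(...) over UDP port 53 with a socket and pass the reply to parse_answers; querying both the pfSense LAN IP and a public resolver and comparing the two diagnoses shows whether the client is actually getting the override.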
-
Ahh, thanks @johnpoz.
I see.
I get similar DiG responses, but for external I get an answer:
;; ANSWER SECTION:
pfsense.mydomain.me. 3600 IN CNAME mydomain.me.
mydomain.me. 600 IN A 3.33.xxx.xxx
mydomain.me. 600 IN A 15.197.xxx.xxx
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sat Mar 23 21:59:48 AEST 2024
;; MSG SIZE rcvd: 90
I'm guessing these are registrar-related IP addresses, but they are showing up as Amazon accelerator. So my URL finds the registrar (or part way there) but there is no record pointing back (by my design), so the browser never gets a response.
Are my options to:
- Supply a public IP and then external DNS will resolve (to limit exposure, I didn't want to do this). Domain forward at registrar would be the same as adding a public IP - yeah?
- Set up an internal intermediate CA and make a self-signed cert and accept it as trusted in each browser accessing the system. (yuk! definitely don't want to do this, if I can avoid it)
- Something better than 1 or 2. ;)
I tried setting internal DNS in Browser, and added internal firewall IP to DNS list for Operating System Network settings. Neither helped at all.
I think I understand what is happening now (thank you), but don't have the knowledge to work out a solution.
Thanks for your expertise in confirming suspicions.
Any suggested fixes appreciated.
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
I tried setting internal DNS in Browser, and added internal firewall IP to DNS list for Operating System Network settings.
huh??
What dns does your device this browser is running point to??
If it points to pfsense for dns.. All that is a simple host override.. For example..
If it points to some other dns on your network, you would have to create the record there.
-
Like this?
Network settings for the Device running the browser
Host override in DNS resolver
Thx
-
@phantom99 you should only have 1 dns in there.. Your pfsense IP... You have no control over which IP your dns client will ask.. What if it asks 8.8.8.8? What is the point of adding multiple entries for other IPs on pfsense? If unbound is down, it would be down on all of them, etc.
-
Removed all but 10.1.20.10 DNS to no avail.
(And now being past the boundary of my knowledge, a troubleshooting guess)...
I removed reference to the WANs Gateway. Internet access was understandably not available, but URL access still didn't work. Also noticed I had listen on ports 53/853 in Resolver, so made them blank.
Still no access.
-
@phantom99 does your client resolve the fqdn
Let's see a simple nslookup on the device you're trying to access it with..
This is the first thing to check: if unbound on pfsense is not handing out the IP for the fqdn you want to use - then it's never going to work..
-
Here are some nslookup results.
10.1.20.10
Server: 10.1.20.10
Address: 10.1.20.10#53
10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.
10.1.20.10
Server: 10.1.20.10
Address: 10.1.20.10#53
10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.
google.com
Server: 10.1.20.10
Address: 10.1.20.10#53
Non-authoritative answer:
Name: google.com
Address: 172.217.167.78
pfsense.mydomain.me
Server: 10.1.20.10
Address: 10.1.20.10#53
Name: pfsense.mydomain.me
Address: 10.1.10.10
Name: pfsense.mydomain.me
Address: 10.1.20.10
I don't understand this line:
10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.
that is the PTR.. I.e. when you look up an IP, what is the reverse name set..
what are you using? what command are you actually typing? When you do an nslookup it will do a PTR query for the IP of the dns you're pointing to.
That you don't get an answer to that PTR and you get this
Server: 10.1.20.10
Address: 10.1.20.10#53
Something is messed up.. It should return pfsense name via the PTR, is that not pfsense LAN IP?
-
I just typed in fqdn or LAN ip at the nslookup prompt. (Forgive my lack of expertise here)
When I get a minute I will look up what commands I should use.
I have multiple LANs:
10.10 (1st physical i/f)
20.10 (2nd physical i/f)
+3 more
I have been setting a manual IP on the device accessing the 20.10 LAN as I don't seem to be able to get from device/browser to the 10.10 i/f even when I set the device IP to match, i.e. 10.1.10.xx. So I have been accessing via 20.10 and it's why I set the resolver override to 10.1.20.10.
-
pfsense.au61.au -type=ptr
Server: 10.1.20.10
Address: 10.1.20.10#53
Name: pfsense.mydomain.me
Address: 10.1.10.10
Name: pfsense.mydomain.me
Address: 10.1.20.10
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
I have multiple LANS:
what is the IP of the one called LAN.. this is pfsense's IP address for any PTR lookup
pfsense.au61.au -type=ptr
That is not a valid ptr lookup.. A PTR lookup would look like this
253.9.168.192.in-addr.arpa.
look at the sniff of what happens when I do an nslookup
$ nslookup www.google.com
Server: sg4860.home.arpa
Address: 192.168.9.253
Non-authoritative answer:
Name: www.google.com
Address: 172.217.0.164
-
Sorry for lack of response to previous....
Once you had commented that something was messed up, I decided to do a clean (re-)install from the 2.7.2 img and hopefully stop wasting your time and mine.
All I have done so far is:
- changed LAN IP and GUI port
- In advanced, I have added Alternative hostnames of pfsense.home.arpa and pfsense.mydomain.me
- Installed ACME
- DNS resolver is enabled
- DNS Override: pfsense home.arpa 10.1.10.10
- No custom Firewall rules yet/ No NAT entries except Standard 2x WAN Auto rules
Current NSLOOKUP response (still returns server as IP only)
pfsense.home.arpa -type=ptr
Server: 10.1.10.10
Address: 10.1.10.10#53
Name: pfsense.home.arpa
Address: 10.1.10.10
I know this is not an interactive tutorial, but... before I attempt creating an SSL cert with ACME/LE, is there anything in particular I should set up?
Just to CONFIRM.... are the following assumptions and outcomes correct:
- Change default pfsense.home.arpa hostname to pfsense.mydomain.me
- Assume mydomain.me is held at external registrar
- Create CNAME record pfsense.mydomain.me at external registrar where domain is held.
- Do not assign a public IP A record to mydomain.me (or should I say not necessary if external access not required)
- Create an ACME/LE certificate for pfsense.mydomain.me.
- Configure new certificate under: System | Advanced | Admin Access | SSL/TLS certificate
I should then be able access from the LAN: pfsense.mydomain.me, despite not having a public IP in an A record.
Thank you for your time and attention to this issue.
Basic Architecture FYI:
-
@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
DNS Override: pfsense home.arpa 10.1.10.10
it wouldn't be DNS override - it would be HOST override..
Any host override would provide a PTR..
What actual nslookup are you using - does it not do a ptr for the IP you're set to for your dns? windows nslookup always does this - but maybe your linux client doesn't?
That could be a red herring.. What you should be able to do is do a query for your host override: does it return the IP you set, does it do a ptr when you query for it?
-
Is this modern networking or just plain wrong :
-
@Gertjan hahaha - I took it that he was just trying to obfuscate his actual IP space.. if rfc1918 never understand that.. but prob something like rfc1918.10.10/24 and rfc1918.20.10/24 for his other interface.. And was just wanting to show he has multiple networks.. Sure hope that switch is vlan capable and set up correctly.
-
I have replicated all the same steps and seem to get the same responses except for the very first one where the nslookup server is IP not domain.
Here is where server is IP only
Using same dummy Host override (IP is not in the LAN range)
dig on "any" host override.
Right - I never did answer that question, sorry about that. I am using NSLOOKUP in interactive mode via Terminal on MAC OSX v12
I believe the above screenshots answer the final questions:
@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
query for your host override does it return your IP you set
The "any" Host override is returned from dig pfsense.mydomain.me as 10.1.10.1 (not a valid LAN address - proving it came from override settings)
@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
does it do a ptr when you query for it?
dig -x 10.1.10.1 returns PTR pfsense.mydomain.me
And now for the embarrassing answers:
YOU: it wouldn't be DNS override - it would be HOST override..
ME: My bad. Wrong terminology.
@Gertjan said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):
Is this modern networking or just plain wrong :
There's two parts to this:
- Yes it was kind of obfuscation, but more so trying to simplify the diag; as I'd previously disclosed the first half anyway. Admittedly never added the /24.
- The second part is my true moment of stupidity. Two LAN connections going to the same switch. (In my partial defense, I only had DHCP on LAN, and I manually set my client IP to match LAN, not OPT1, and there were no other clients on either LAN interface yet.) Haven't got into VLANs yet, so the stupidity would have kicked in had I proceeded with trying to get that to work. Thanks @Gertjan for bringing this to the surface.
Revised diag. ;)
-
@phantom99 well it seems your nslookup just isn't doing a ptr for the IP you have set, but that is something on the nslookup client..
I rarely use nslookup to be honest, I am a dig guy.. but many windows machines I might be on don't have dig installed, like my personal machines. And they always do a ptr out of the gate.
So that was just a red herring it seems, my bad - but clearly your A and PTR queries are returning your setting for that record - so what is not working exactly?
-
I can't seem to address pfsense machine using FQDN or Hostname, only IP.
Mainly, I wanted to be able to establish a secure connection by using a FQDN/SSL connection without browser warnings.
Despite having established a cert with ACME/LE I can't address with a cert/FQDN.
The SSL cert almost seems to become secondary to the problem that I can only address pfsense with an IP address and not by hostname (or FQDN).
(Hope I've stated all this clearly and correctly.)
I keep thinking I am missing something really basic.
Am I right in thinking I need to get hostname addressing working and then subsequently create a cert to enable SSL/FQDN?