
    Port Forwarding not honored for .well-known/acme-challenge

    General pfSense Questions
    25 Posts, 6 Posters, 1.4k Views
    • kiokoman (LAYER 8), replying to @jgrabner

      @jgrabner
      All fine and good, but now that you know that NAT reflection works for you, you should consider setting up split DNS instead, if you can.

      https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
      NAT reflection is a hack as it loops traffic through the firewall when it is not necessary

      A preferable alternative to NAT reflection is deploying a split DNS infrastructure

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • Gertjan, replying to @kiokoman (last edited by Gertjan)

        @kiokoman said in Port Forwarding not honored for .well-known/acme-challenge:

        https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
        NAT reflection is a hack as it loops traffic through the firewall when it is not necessary

        I've an example that shows why NAT reflection is 'strange':

        @jgrabner

        You work for a company, in the sales department. You just received a big order, and you want to contact the shipping department to check whether they have enough stock.
        In your company, internal phone numbers 310 to 320 are the sales numbers, 350 to 360 are the phones of the shipping department.
        Suzanne is holding the front desk, and she answers all the incoming calls from all the clients and everybody else out there when they call your company.

        Let's say: 310-320 and 350-360 are your LANs.
        Suzanne is your pfSense.

        So, what do you do?
        Do you really call 1-123-456-7890? (And thus you will have Suzanne answering, and you have to ask her to put shipping through?)
        Or do you call shipping directly by dialing, for example, 350?

        If you persist in doing the first option, Suzanne will have a talk with you, explaining that you are doing it wrong (again). That your methods are maybe not hacky, but still wrong.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • viragomann, replying to @kiokoman

          @kiokoman said in Port Forwarding not honored for .well-known/acme-challenge:

          you should consider setting up a split DNS instead if you can

          You cannot. Since you're doing port translation, you need the NAT rule on pfSense.

          However, I'm wondering why your server uses non-default ports for HTTP/S.
          With default ports you could go with local host overrides and get rid of NAT reflection.

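Why the port-translation objection above holds, as an added example that is not code from any post in this thread. It models a LAN client under the two options the thread discusses: a DNS host override (the name resolves straight to the internal host, so the packet keeps the public port and never crosses pfSense) versus NAT reflection (pfSense rewrites destination IP and port exactly as it does for WAN clients). The rules, addresses and hostnames are constructed for illustration; the `local-data:` lines have the shape pfSense's DNS Resolver (Unbound) writes for a host override.

```python
"""Split DNS vs NAT reflection when a port forward translates ports.

Added example, not code from the thread. The pfSense ruleset, addresses
and hostnames below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    hostname: str      # public name clients use
    wan_ip: str        # pfSense WAN address the rule listens on
    wan_port: int      # destination port on the WAN address
    target_ip: str     # internal host the rule redirects to
    target_port: int   # port the service really listens on


# Constructed rules: www.* has no port translation, k8s.* is forwarded
# to Kubernetes NodePorts (30000-32767), so WAN and target ports differ.
RULES = [
    PortForward("www.example.test", "203.0.113.5", 80, "192.168.1.10", 80),
    PortForward("www.example.test", "203.0.113.5", 443, "192.168.1.10", 443),
    PortForward("k8s.example.test", "203.0.113.5", 80, "192.168.1.20", 30080),
    PortForward("k8s.example.test", "203.0.113.5", 443, "192.168.1.20", 30443),
]


def translates_port(rule):
    """True when the WAN port differs from the port the target listens on."""
    return rule.wan_port != rule.target_port


def lan_client_connect(rule, rules, mode):
    """Simulate a LAN client opening hostname:wan_port.

    mode "override": a DNS host override points the name straight at
        target_ip, so the packet never crosses pfSense and keeps wan_port.
    mode "reflection": the name resolves to wan_ip and pfSense rewrites
        the destination to target_ip:target_port as it does for WAN clients.
    Returns (final destination, True if something listens there).
    """
    open_sockets = {(r.target_ip, r.target_port) for r in rules}
    if mode == "override":
        dest = (rule.target_ip, rule.wan_port)
    elif mode == "reflection":
        dest = (rule.target_ip, rule.target_port)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return dest, dest in open_sockets


def split_dns_plan(rules):
    """Sort rules into names a host override can serve and rules that
    still need NAT reflection (or a proxy on pfSense).

    A host override is per name, not per port: if any rule for a name
    translates ports, an override would break that port, so the whole
    name stays on reflection.
    """
    by_name = {}
    for r in rules:
        by_name.setdefault(r.hostname, []).append(r)
    overrides, reflection = [], []
    for name, name_rules in by_name.items():
        if any(translates_port(r) for r in name_rules):
            reflection.extend(name_rules)
            continue
        for ip in sorted({r.target_ip for r in name_rules}):
            # Same shape as the local-data lines pfSense's DNS Resolver
            # (Unbound) generates for a host override.
            overrides.append(f'local-data: "{name}. IN A {ip}"')
    return overrides, reflection


if __name__ == "__main__":
    overrides, reflection = split_dns_plan(RULES)
    print("host overrides:", *overrides, sep="\n  ")
    for r in reflection:
        for mode in ("override", "reflection"):
            dest, ok = lan_client_connect(r, RULES, mode)
            state = "OK" if ok else "NO LISTENER"
            print(f"{r.hostname}:{r.wan_port} via {mode:10} -> {dest} {state}")
```

Running it shows www.example.test getting a single host override while both k8s.example.test rules stay on reflection: with an override, a LAN client's connection to port 443 lands on 192.168.1.20:443 where nothing listens, whereas reflection delivers it to 192.168.1.20:30443.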
          • jgrabner, replying to @viragomann

            @viragomann

            Reason for non-standard ports on the server:

            1. My webserver is a set of pods in Kubernetes. I am using the microk8s implementation. While it supports hostPort on the ingress (i.e. it lets me use ports 80 and 443), it is highly discouraged in the documentation. The documentation recommends a NodePort configuration (i.e. 30000 and up). The only reason I could figure out is that using hostPort would limit Kubernetes to one webserver, and Kubernetes is designed for scale.
            2. Somewhere I read it was less secure to use 80, i.e. a target of more hacking if someone got access to your LAN. I suppose this only applies to lower-skill hackers.
            • kiokoman (LAYER 8), replying to @viragomann (last edited by kiokoman)

              @viragomann said in Port Forwarding not honored for .well-known/acme-challenge:

              @kiokoman said in Port Forwarding not honored for .well-known/acme-challenge:

              you should consider setting up a split DNS instead if you can

              You cannot. Since you're doing port translation, you need the NAT rule on pfSense.

              However, I'm wondering why your server uses non-default ports for HTTP/S.
              With default ports you could go with local host overrides and get rid of NAT reflection.

              You can use HAProxy in this scenario, listening on WAN and LAN, instead of opening ports / creating NATs for each pod in Kubernetes. Well, if you have a couple of pods it doesn't really matter, but since I have 50 services running in test / 50 in staging / 50 in production on Kubernetes behind pfSense, it would be unmanageable without HAProxy for me.

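What "HAProxy listening on WAN and LAN" in front of NodePort services looks like, as an added example configuration; it is not the poster's config and not the file the pfSense HAProxy package generates verbatim (the package builds an equivalent from its GUI). It also answers the thread title: the ACME HTTP-01 path is split off on port 80 and sent to a challenge responder, while everything else is redirected to HTTPS and routed by Host header to NodePort backends. Assumed: WAN address 203.0.113.5, LAN address 192.168.1.1, cluster nodes 192.168.1.20 and .21 exposing NodePorts 30080 and 30081, an ACME HTTP-01 responder on 127.0.0.1:8080, and the certificate path shown.

```haproxy
# HAProxy on pfSense fronting Kubernetes NodePort services.
# Added example, not the poster's config. Assumed: WAN 203.0.113.5,
# LAN 192.168.1.1, nodes 192.168.1.20/.21 with NodePorts 30080/30081,
# an ACME HTTP-01 responder on 127.0.0.1:8080, and the cert path below.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else.
# Binding the LAN address too means LAN clients whose DNS host override
# points the public name at 192.168.1.1 hit this same frontend, so no
# NAT reflection is needed even though the backends use NodePorts.
frontend http_in
    bind 203.0.113.5:80
    bind 192.168.1.1:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_responder if is_acme
    http-request redirect scheme https code 301 unless is_acme

frontend https_in
    bind 203.0.113.5:443 ssl crt /var/etc/haproxy/www.example.test.pem
    bind 192.168.1.1:443 ssl crt /var/etc/haproxy/www.example.test.pem
    http-request set-header X-Forwarded-Proto https
    acl host_www hdr(host) -i www.example.test
    acl host_api hdr(host) -i api.example.test
    # Refuse names this frontend is not meant to serve (403) instead of
    # silently handing them to a default backend.
    http-request deny unless host_www or host_api
    use_backend k8s_www if host_www
    use_backend k8s_api if host_api

backend acme_responder
    # Assumed standalone responder that serves the HTTP-01 token.
    server acme 127.0.0.1:8080

backend k8s_www
    # Assumed NodePort exposed on every node; health checks take a
    # dead node out of rotation.
    option httpchk GET /healthz
    server node1 192.168.1.20:30080 check
    server node2 192.168.1.21:30080 check

backend k8s_api
    option httpchk GET /healthz
    server node1 192.168.1.20:30081 check
    server node2 192.168.1.21:30081 check
```

With this in place the host override for www.example.test and api.example.test in the pfSense DNS Resolver points at 192.168.1.1, not at a cluster node: the port translation to the NodePort happens inside HAProxy on both paths, so LAN and WAN clients use identical URLs and the port-forward rules for the NodePorts go away. Adding a service is one more `acl`/`use_backend` pair and a backend, which is the manageability point made in the post above.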
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.