Netgate Discussion Forum

Webserver behind pfsense: can't curl to self -> NAT issue?

mitch2k, last edited Mar 10, 2015, 8:56 AM

Hi,

I have set up a webserver behind a pfSense server, and everything is running perfectly, except one thing: I am having issues running scripts that depend on curl to itself.
So for example, if you run something like curl http://domain.com/script.php on the webserver it is not working.

This is an example from the server:

    root@srvweb02 [~]# curl https://domain.com:443 -k -v
    * About to connect() to domain.com port 443 (#0)
    * Trying 101.55.165.23... Connection timed out
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host

domain.com is hosted on srvweb02. When running curl https://domain.com:443 -k -v from any other server, it works perfectly.

This looks like some kind of NAT issue, but I am not sure.

Also I'm sure outbound NAT is OK, and it's using its public IP:

    root@srvweb02 [~]# curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
    101.55.165.23

Ping to own domain name and IP is also working:

    root@srvweb02 [~]# ping 101.55.165.23
    PING 101.55.165.23 (101.55.165.23) 56(84) bytes of data.
    64 bytes from 101.55.165.23: icmp_seq=1 ttl=63 time=0.464 ms
    64 bytes from 101.55.165.23: icmp_seq=2 ttl=63 time=0.455 ms
    64 bytes from 101.55.165.23: icmp_seq=3 ttl=63 time=0.518 ms

    root@srvweb02 [~]# ping domain.com
    PING domain.com (101.55.165.23) 56(84) bytes of data.
    64 bytes from 101.55.165.23: icmp_seq=1 ttl=63 time=0.569 ms
    64 bytes from 101.55.165.23: icmp_seq=2 ttl=63 time=0.483 ms
    64 bytes from 101.55.165.23: icmp_seq=3 ttl=63 time=0.654 ms

My NAT rule:

    If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description
    WAN | TCP/UDP | * | * | 101.55.165.23 | web_ports_public | 10.202.100.11 | web_ports_public | srvweb02 cpanel public

My outbound NAT rule:

    Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
    WAN | 10.202.100.11/32 | * | * | * | 101.55.165.23 | * | NO | srvweb02 out

Does anyone have an idea how I can troubleshoot this?

Thanks!!
KOM, last edited Mar 10, 2015, 1:11 PM

Add an entry to your internal DNS so that it resolves your domain to its LAN address, not WAN.
mitch2k, last edited Mar 10, 2015, 2:10 PM

@KOM:

    Add an entry to your internal DNS so that it resolves your domain to its LAN address, not WAN.

That would be a solution, but the problem is that there are 10-20 domains on the server, and that new domains get added frequently. So that means that I have to add entries for each domain.
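The objection above is maintaining overrides for 10-20 changing domains by hand. The following is an added example (not code from this thread, and not pfSense's own code) that generates the split DNS overrides from a single domain list instead. It emits unbound `local-data` directives, the resolver that pfSense's DNS Resolver is built on; how pfSense's GUI host overrides map onto those lines is not shown here. The LAN address 10.202.100.11 and WAN address 101.55.165.23 come from the thread; the domain list contents, the `audit_answers` helper and the constructed resolver answers are this example's own assumptions.

```python
"""Generate split-DNS overrides for every hosted domain from one list.

Added example, not code from the thread or from pfSense. Addresses are the ones
given in the thread; the domain list and resolver answers are constructed.
Output is unbound's local-data syntax (unbound creates a transparent local-zone
for each local-data name automatically, so no local-zone lines are needed).
"""
import ipaddress
import re

# From the thread: the web server's LAN address and the public (WAN) address.
LAN_IP = "10.202.100.11"
WAN_IP = "101.55.165.23"

# Constructed sample input: one hosted domain per line, comments and blanks allowed.
DOMAIN_LIST = """\
# domains hosted on srvweb02
domain.com
www.domain.com
example.org
bad_name.example   # rejected: underscore is not valid in a hostname
"""

# One RFC 1123 label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Accept only syntactically valid DNS hostnames."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.lower().split("."))


def parse_domain_list(text: str) -> tuple[list[str], list[str]]:
    """Split the list into accepted names and rejected entries (in file order)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments and whitespace
        if not line:
            continue
        (accepted if valid_hostname(line) else rejected).append(line)
    return accepted, rejected


def unbound_overrides(domains: list[str], lan_ip: str) -> str:
    """Emit one local-data record per name, all pointing at the LAN address."""
    addr = ipaddress.ip_address(lan_ip)
    if not addr.is_private:
        # Split DNS exists to hand internal clients the inside address; refuse anything else.
        raise ValueError(f"{lan_ip} is not a private address")
    rrtype = "A" if addr.version == 4 else "AAAA"
    lines = [f'local-data: "{name}. IN {rrtype} {addr}"' for name in sorted(set(domains))]
    return "\n".join(lines) + "\n"


def audit_answers(answers: dict[str, str], wan_ip: str, lan_ip: str) -> dict[str, list[str]]:
    """Classify what the internal resolver currently returns for each name.

    'hairpin' names still resolve to the WAN address from inside, so a connection
    from the server to itself must loop through the firewall (the curl timeout in
    the thread). 'split' names already point at the LAN address.
    """
    report = {"split": [], "hairpin": [], "other": []}
    for name, ip in answers.items():
        bucket = "split" if ip == lan_ip else "hairpin" if ip == wan_ip else "other"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    names, bad = parse_domain_list(DOMAIN_LIST)
    print(unbound_overrides(names, LAN_IP))
    print("rejected:", bad)
    # Constructed: what the internal resolver answered before the overrides were loaded.
    print(audit_answers({"domain.com": WAN_IP, "example.org": LAN_IP}, WAN_IP, LAN_IP))
```

Regenerating the override file whenever a domain is added to the list, and running the audit against the internal resolver afterwards, keeps the "hairpin" bucket empty as the list grows.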
KOM, last edited Mar 10, 2015, 3:13 PM

Life's rough sometimes. If you can't be bothered running split DNS then get an outside line and do your WAN testing from WAN instead of LAN.
gderf, last edited Mar 10, 2015, 3:18 PM

See:

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
GruensFroeschli, last edited Mar 10, 2015, 3:20 PM

Split DNS is the proper way to solve this.
Alternatively enable NAT reflection on the port forward rule you use to forward the ports from your pfSense to the server.

When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks.

The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. Only TCP and UDP protocols are supported.

The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. All protocols available for port forwards are supported.

Individual rules may be configured to override this system setting on a per-rule basis.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
mitch2k, last edited Mar 11, 2015, 8:30 AM

@GruensFroeschli:

    Split DNS is the proper way to solve this.
    Alternatively enable NAT reflection on the port forward rule you use to forward the ports from your pfSense to the server.

    …

Hi,

yeah, split DNS would be a good solution, but hard to maintain.

I had NAT reflection already enabled (pure NAT), and now enabled the NAT + proxy mode, which seemed to solve the issue.
KOM, last edited Mar 11, 2015, 1:14 PM

NAT Reflection is a hack that can cause problems. Seriously, entering 10-20 domains and their respective LAN IP addresses would take you about 5-7 minutes, and adding a couple of domains per week would take even less time. If that's really too much work for you… You really should do it properly for your own sake.
dkrizic, last edited Mar 11, 2015, 4:07 PM

Split DNS, on the other hand, has problems with notebooks that are partly on the internet and partly in the intranet and cache the IP addresses.
KOM, last edited Mar 11, 2015, 6:14 PM

I've never known that to be much of an issue, and for the odd client that might have it, ipconfig /flushdns fixes it.