SSL cert or port forwarding problem.



  • I have an SSL cert on an FTP server that also hosts via HTTPS from behind my firewall. When trying to resolve the connection locally using the domain name mydomainftp.com it doesn't follow my port forwarding paths to the server. It lands on the Webgui of pfsense. I have set the webgui to an alternative port so HTTPS traffic is finding some other way to get hung up there. I am wondering if there is a conflict between the two certs.

    I own a domain mydomainftp.com

    This points to my address where the local server is hosting files. Webgui traps all traffic, or so it appears.


  • LAYER 8 Netgate

    Set up a host override in your DNS Resolver pointing the name to the inside (real) IP address.



  • Hey thanks,

    Tried that with the same results. Not found.


  • Banned

    Well, that your "try" failed… Try again and better.



  • Hey,

    I entered the host in the DNS resolver; should I use the domain section? I am unsure if there is some other conflict at play here. I have the server set to redirect traffic from http to https. It convolutes the process slightly and I am afraid I don't know enough to be certain this isn't the issue.

    If I understand correctly a DNS query for mysiteftp.com, instead of leaving my network will be redirected (like an alias) to the IP selected instead without reaching the external.


  • Banned

    With the only info here being "Not found", you might as well use a crystal ball.

    On another note - I'd strongly suggest to make use of hostnames. WTH are you pointing everything to your domainname?!



  • Not found as in the connection times out.

    I have a local ftp server. I have a domain that points to it. The domain does not work internally as it points to my WAN. The WAN ports for FTP and HTTP and HTTPS are all forwarded to said server. The connection times out. I used your hostname alias in the DNS resolver with no results. If you have any more help to offer that would be great.


  • Banned

    @jvamos:

    Not found as in the connection times out.

    Ah, that's wonderful use of terminology. NOT FOUND - when talking about webservers - means this: https://en.wikipedia.org/wiki/HTTP_404 - it definitely does NOT mean timeout.

    And - once again - what's wrong with hostnames?!?!?!

    www.example.com -> webserver
    ftp.example.com -> FTP server
    smtp.example.com -> SMTP server

    1/ Start designing things in a sane way.
    2/ Use logs and provide some useful info here finally.


  • LAYER 8 Netgate

    The DNS host overrides work fine.

    Your first problem is that you're using a domain name as a host name.  Try ftp.mysiteftp.com and www.mysiteftp.com instead.  AKA do it right.

    In order to test DNS, use a DNS testing tool.  dig or drill or, if you have nothing but windows available, nslookup, though it sucks.

    "Doesn't work" tells us nothing.



  • It's a crushftp server it is an FTP server with an HTTP interface as well. I'm sorry, I'm not following you.

    The hostname as in www? Or the hostnames on my local network?

    I don't know if I am being clear on the topology here. The server does a few things here. I use it for FTP as well. I bought a domain to use with our local IP. Is that insane? Sometimes I was wondering if it was the right thing to do. Having the server local is a big deal though as having instantaneous access to large files locally the day after they arrive is typical here.
    Please bear with me here as I am still kind of new to pfsense.

    When I use nslookup I see the DNS entry that belongs to the domain name that I registered. Should I be seeing the IP of the override?



  • Using nslookup with the address I used in the domain override gets me a timeout error after returning the gateway address.



    They come up as non-authoritative answers so I have to assume it's something to do with my local DNS server not being queried.

    Never heard of drill or dig.


  • Banned

    OMG. Post the nslookup output. Post webserver logs. Post FTP server logs. Post firewall logs. Post SOMETHING. Not "t3h noes, it still no workie, t3h suck"… There's still ZERO information usable for debugging your issue.

    @jvamos:

    The server does a few things here. I use it for FTP as well. I bought a domain to use with our local IP. Is that insane? Sometimes I was wondering if it was the right thing to do.

    I have a strong feeling you really have no idea what you are doing. Once again - use HOSTNAMES. It doesn't matter that they point to the same IP/CNAME/server. Stop using domain name for everything.



  • OK at least we are getting somewhere as NOW I understand what you mean. Why use domain name when I am local. It's because a small function of the ftp server is to share links with those not technologically inclined to lead them straight to a file. When using the hostname with this function it inserts the hostname which is not pertinent to those outside of our network.

    Any way you can try and help me solve the issue instead of bashing my practices? The logs of the ftp server are blank as nothing gets to the ip or hostname I specified. Nothing relevant in the firewall logs either.


  • Banned

    @jvamos:

    When using the hostname with this function it inserts the hostname which is not pertinent to those outside of our network.

    Eeeeeeeeeeeeeeeeee?!? DAFUQ?!?

    @jvamos:

    Any way you can try and help me solve the issue instead of bashing my practices? The logs of the ftp server are blank as nothing gets to the ip or hostname I specified. Nothing relevant in the firewall logs either.

    Why the HECK don't you post the nslookup output at least?!?!



  • :'( :'( :'( :'( :'( :'( :'(
    Sad boy.

    This ftp server sends out emails and it wraps the local hostname into the link. When they use this link it doesn't lead anywhere.

    It's a nuance of a program I use. Somehow, being on your flame heavy thread is actually helping me. This redirect should really work.

    nslookup www.myurlforourftphttpfileserver.com
    Server:  pfSense.imagesoffice
    Address:  192.168.1.1
    
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to pfSense.imagesoffice timed-out
    
    >nslookup sameurlwithnowww.com
    Server:  pfSense.imagesoffice
    Address:  192.168.1.1
    
    Non-authoritative answer:
    Name:    theurlfortheftp.com
    Address:  **.*.*.* (my office IP)
    
    

    Be gentle.


  • LAYER 8 Netgate

    So stop messing around with port forwards and fix your DNS. This works out-of-the-box so it's anyone's guess what you've changed.



  • What is the alternative to port forwards to direct a user to my webserver behind the firewall? I want to set up a DMZ at some point I just need to install a third NIC which I have on standby. Should I just be going down that route immediately?


  • LAYER 8 Netgate

    You need DNS that works before you do anything.



  • I didn't change any DNS resolver settings except for the redirect. DNS is working. You probably didn't scroll down?


  • LAYER 8 Global Moderator

    Non-authoritative answer:
    Name:    theurlfortheftp.com
    Address:  *... (my office IP)

    So that returns your PUBLIC IP??

    "What is the alternative to port forwards to direct a user to my webserver behind the firewall?"

    Users outside?  Or users inside?



  • Hey John,

    Thanks for your help. I may not have made everything I am doing totally clear and I apologize for that. My public IP is returned when doing the nslookup. I have been reading and cannot decide whether to use a DMZ or not as a samba server would be exposed along side it. I guess I am not familiar with common workplace infrastructure except theoretical models. I want users outside the network to access the webserver from the URL which leads to my public IP at this office. Users on the inside should be able to hit it from the public URL as well as that is necessary for people "generating links" for those outside the network. Right now this is possible using my old router. This whole experience has pushed me to buy a Networking A+ course so I guess that is a positive.


  • LAYER 8 Netgate

    Your requests are timing out. That's broken DNS. I don't know how you can expect anything to work.


  • LAYER 8 Global Moderator

    I am with derelict here, if you have to query for something multiple times before you get an answer you have a serious problem..

    As to "as a samba server would be exposed along side it."  You're not going to expose samba to the public internet???  You're just saying the web server needs to talk to this samba box??

    Here is the thing, allowing external access to your web server (httpd) is nothing more than a simple port forward of 80 and 443 if you want ssl.  As to if that httpd box is on your lan segment or another segment (firewall segment or dmz) is up to you..  To be honest that has little to do with accessing it from the outside and using split dns for your users locally to access it using the same fqdn..

    So if www.myurlforourftphttpfileserver.com resolves on the public internet to your public IP..  Then just have your local dns resolve that to your private IP there you go local users using your local dns point to the local IP..  If you have put that IP on its own firewalled segment from your lan, then you would have to allow that traffic between your lan and "dmz" segment in pfsense.

    Then just forward 80, 443, 21 to this server or, if you're using ftps/ftpes, the appropriate ports for that..  You do understand that running a ftp server behind nat is problematic if you do not fully understand the ftp protocol.  Is your ftp server going to support active/passive or just active?  Keep in mind there is no helper/proxy for pfsense any more..  So you have to forward the passive ports your ftp server would be using.  Even if there was helper still the use of ftps/ftpes encrypted control channel prevents any sort of helper/proxy from changing private IP to public and or opening the appropriate ports in the firewall that are being used in the port/pasv command.

    To be honest I would get http/https working first via your port forward..  See the port forwarding doc, then play with ftp after you have read and understand how the protocol works with control and data channels and active vs passive.  To be honest ftp even ftps or es should be avoided and just use sftp or even just http/https for file transfers..
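As an added illustration, not code from this thread, from pfSense or from CrushFTP, the Python below parses nslookup output of the shape pasted earlier in the thread and reports what the inside resolver actually returned: the inside address (split DNS working as johnpoz describes), an address outside the LAN (the client will be sent out to the WAN side and the port forward), or nothing at all (the timeouts that were flagged as broken DNS). It also renders the Unbound `local-data` line that a pfSense DNS Resolver host override corresponds to. The sample outputs, the LAN subnet 192.168.1.0/24, the server address 192.168.1.101 and the public address 203.0.113.10 are all constructed for the example.

```python
"""Triage nslookup output for a split-DNS check (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples modelled on the thread's paste; not real captures.
SAMPLE_TIMEOUT = """\
Server:  pfSense.imagesoffice
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pfSense.imagesoffice timed-out
"""

SAMPLE_WAN_ANSWER = """\
Server:  pfSense.imagesoffice
Address:  192.168.1.1

Non-authoritative answer:
Name:    theurlfortheftp.com
Address:  203.0.113.10
"""

SAMPLE_OVERRIDE = """\
Server:  pfSense.imagesoffice
Address:  192.168.1.1

Name:    ftp.theurlfortheftp.com
Address:  192.168.1.101
"""


@dataclass
class NslookupResult:
    resolver: Optional[str] = None      # address of the server that was queried
    name: Optional[str] = None          # name echoed back in the answer section
    answers: List[str] = field(default_factory=list)
    timeouts: int = 0
    authoritative: bool = True          # False when "Non-authoritative answer:" is printed


def parse_nslookup(text: str) -> NslookupResult:
    """Pull resolver, answer addresses and timeout count out of nslookup output."""
    result = NslookupResult()
    in_answer = False                   # Address lines before "Name:" belong to the resolver
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            result.name = line.split(":", 1)[1].strip()
            in_answer = True
        elif re.match(r"Address(es)?:", line):
            addr = line.split(":", 1)[1].strip()
            if in_answer:
                result.answers.append(addr)
            elif result.resolver is None:
                result.resolver = addr
        elif line.startswith("DNS request timed out"):
            result.timeouts += 1
        elif line.startswith("Non-authoritative answer"):
            result.authoritative = False
    return result


def classify(result: NslookupResult, lan_cidr: str, inside_ip: str) -> str:
    """Decide what the answer means for a client on the LAN (constructed labels)."""
    lan = ipaddress.ip_network(lan_cidr)
    expected = ipaddress.ip_address(inside_ip)
    if not result.answers:
        return "timeout" if result.timeouts else "no_answer"
    for answer in result.answers:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:              # e.g. an obscured "**.*.*.*" paste
            return "unparseable"
        if ip == expected:
            return "split_dns_ok"       # host override in effect, no port forward needed
        if ip in lan:
            return "lan_but_wrong_host"  # override points at the wrong inside host
    return "wan_address_returned"       # client will hairpin via WAN and the port forward


def unbound_host_override(host: str, domain: str, ip: str) -> str:
    """Unbound local-data directive equivalent to a DNS Resolver host override."""
    ipaddress.ip_address(ip)            # reject typos before they reach the resolver
    return 'local-data: "%s.%s. IN A %s"' % (host, domain, ip)


if __name__ == "__main__":
    for label, sample in (("timeout", SAMPLE_TIMEOUT),
                          ("wan", SAMPLE_WAN_ANSWER),
                          ("override", SAMPLE_OVERRIDE)):
        print(label, "->", classify(parse_nslookup(sample), "192.168.1.0/24", "192.168.1.101"))
    print(unbound_host_override("ftp", "theurlfortheftp.com", "192.168.1.101"))
```

Run it against a real paste by replacing the sample strings with the text copied from your own nslookup; a result of `wan_address_returned` for a query made from inside the LAN is exactly the "public IP comes back" situation the thread is circling around, and `timeout` means the resolver itself is not answering and nothing downstream can be tested yet.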



  • Thanks John,

    I don't understand why else the redirect wouldn't work unless I'm plugging in the wrong values. DNS seems to be working because my domain doesn't include the www. as it is registered as a domain.  I have those ports forwarded as well as a passive range for my Crushftp server. I don't want the whole machine exposed so port forwarding seemed the best way to go. The port forwards are working when accessing the site remotely but not locally is the best way to describe my issue. I believe when I obscured my IP I confused the whole issue.


  • LAYER 8 Global Moderator

    "The port forwards are working when accessing the site remotely but not locally is the best way to describe my issue"

    What part do you not understand about split dns?????

    When you're on the public internet, you get your public IP when you look up yourdomain.tld, let's say 1.2.3.4; when you're on your network and you look up yourdomain.tld you get 192.168.1.101

    What does port forwarding have to do with that???  NOTHING!!!



  • I don't have a domain controller. I don't have a domain set on the router either.


  • LAYER 8 Netgate

    When you have connections from the outside in you need a port forward.

    When connections are coming from an inside host to an inside address, you do not need a port forward.

    Configure your DNS so outside users get the outside address and inside users get the inside address.

    That's why I have been harping on your broken DNS. You have a DNS problem, not a port forward problem. Just STFU about port forwards and fix your DNS.



  • How do I fix DNS?


  • LAYER 8 Netgate

    What are your settings in:

    System > General > DNS Servers
    Services > DNS Forwarder
    Services > DNS Resolver
    Services > DHCP Server: on the tab for your inside hosts, what are the DNS Servers?

