    SSL cert or port forwarding problem.

    30 Posts 4 Posters 6.6k Views
    • jvamos

      I have an SSL cert on an FTP server that also hosts via HTTPS from behind my firewall. When trying to resolve the connection locally using the domain name mydomainftp.com, it doesn't follow my port forwarding paths to the server. It lands on the webGUI of pfSense. I have set the webGUI to an alternative port, so HTTPS traffic is finding some other way to get hung up there. I am wondering if there is a conflict between the two certs.

      I own a domain mydomainftp.com

      This points to my address where the local server is hosting files. The webGUI traps all traffic, or so it appears.

      • Derelict (LAYER 8, Netgate)

        Set up a host override in your DNS Resolver pointing the name to the inside (real) IP address.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jvamos

          Hey thanks,

          Tried that with the same results. Not found.

          • doktornotor (Banned)

            Well, that your "try" failed… Try again and better.

            • jvamos

              Hey,

              I entered the host in the DNS resolver; should I use the domain section? I am unsure if there is some other conflict at play here. I have the server set to redirect traffic from HTTP to HTTPS. It convolutes the process slightly, and I am afraid I don't know enough to be certain this isn't the issue.

              If I understand correctly, a DNS query for mysiteftp.com, instead of leaving my network, will be redirected (like an alias) to the IP selected, without reaching the external.

              • doktornotor (Banned)

                With the only info here being "Not found", you might as well use a crystal ball.

                On another note - I'd strongly suggest making use of hostnames. WTH are you pointing everything to your domain name?!

                • jvamos

                  Not found as in the connection times out.

                  I have a local FTP server. I have a domain that points to it. The domain does not work internally as it points to my WAN. The WAN ports for FTP, HTTP and HTTPS are all forwarded to said server. The connection times out. I used your hostname alias in the DNS resolver with no results. If you have any more help to offer, that would be great.

                  • doktornotor (Banned)

                    @jvamos:

                    Not found as in the connection times out.

                    Ah, that's wonderful use of terminology. NOT FOUND - when talking about webservers - means this: https://en.wikipedia.org/wiki/HTTP_404 - it definitely does NOT mean timeout.

                    And - once again - what's wrong with hostnames?!?!?!

                    www.example.com -> webserver
                    ftp.example.com -> FTP server
                    smtp.example.com -> SMTP server
                    …

                    1/ Start designing things in a sane way.
                    2/ Use logs and provide some useful info here finally.

                    • Derelict (LAYER 8, Netgate)

                      The DNS host overrides work fine.

                      Your first problem is that you're using a domain name as a host name.  Try ftp.mysiteftp.com and www.mysiteftp.com instead.  AKA do it right.

                      In order to test DNS, use a DNS testing tool.  dig or drill or, if you have nothing but windows available, nslookup, though it sucks.

                      "Doesn't work" tells us nothing.


                      • jvamos

                        It's a CrushFTP server; it is an FTP server with an HTTP interface as well. I'm sorry, I'm not following you.

                        The hostname as in www? Or the hostnames on my local network?

                        I don't know if I am being clear on the topology here. The server does a few things here. I use it for FTP as well. I bought a domain to use with our local IP. Is that insane? Sometimes I was wondering if it was the right thing to do. Having the server local is a big deal though as having instantaneous access to large files locally the day after they arrive is typical here.
                        Please bear with me here as I am still kind of new to pfSense.

                        When I use nslookup I see the DNS entry that belongs to the domain name that I registered. Should I be seeing the IP of the override?

                        • jvamos

                          Using nslookup with the address I used in the domain override gets me a timeout error after returning the gateway address.

                          • jvamos

                            They come up as non-authoritative answers, so I have to assume it's something to do with my local DNS server not being queried.

                            Never heard of drill or dig.

                            • doktornotor (Banned)

                              OMG. Post the nslookup output. Post webserver logs. Post FTP server logs. Post firewall logs. Post SOMETHING. Not "t3h noes, it still no workie, t3h suck"… There's still ZERO information usable for debugging your issue.

                              @jvamos:

                              The server does a few things here. I use it for FTP as well. I bought a domain to use with our local IP. Is that insane? Sometimes I was wondering if it was the right thing to do.

                              I have a strong feeling you really have no idea what you are doing. Once again - use HOSTNAMES. It doesn't matter that they point to the same IP/CNAME/server. Stop using the domain name for everything.

                              • jvamos

                                OK, at least we are getting somewhere, as NOW I understand what you mean. Why use the domain name when I am local? It's because a small function of the FTP server is to share links with those not technologically inclined, to lead them straight to a file. When using the hostname with this function, it inserts the hostname, which is not pertinent to those outside of our network.

                                Any way you can try and help me solve the issue instead of bashing my practices? The logs of the FTP server are blank, as nothing gets to the IP or hostname I specified. Nothing relevant in the firewall logs either.

                                • doktornotor (Banned)

                                  @jvamos:

                                  When using the hostname with this function it inserts the hostname which is not pertinent to those outside of our network.

                                  Eeeeeeeeeeeeeeeeee?!? DAFUQ?!?

                                  @jvamos:

                                  Any way you can try and help me solve the issue instead of bashing my practices? The logs of the ftp server are blank as nothing gets to the ip or hostname I specified. Nothing relevant in the firewall logs either.

                                  Why the HECK don't you post the nslookup output at least?!?!

                                  • jvamos

                                    :'( :'( :'( :'( :'( :'( :'(
                                    Sad boy.

                                    This FTP server sends out emails and it wraps the local hostname into the link. When they use this link, it doesn't lead anywhere.

                                    It's a nuance of a program I use. Somehow, being on your flame-heavy thread is actually helping me. This redirect should really work.

                                    nslookup www.myurlforourftphttpfileserver.com
                                    Server:  pfSense.imagesoffice
                                    Address:  192.168.1.1
                                    
                                    DNS request timed out.
                                        timeout was 2 seconds.
                                    DNS request timed out.
                                        timeout was 2 seconds.
                                    DNS request timed out.
                                        timeout was 2 seconds.
                                    DNS request timed out.
                                        timeout was 2 seconds.
                                    *** Request to pfSense.imagesoffice timed-out
                                    
                                    >nslookup sameurlwithnowww.com
                                    Server:  pfSense.imagesoffice
                                    Address:  192.168.1.1
                                    
                                    Non-authoritative answer:
                                    Name:    theurlfortheftp.com
                                    Address:  **.*.*.* (my office IP)

                                    Be gentle.

                                    • Derelict (LAYER 8, Netgate)
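The nslookup transcript above mixes two different outcomes: a query that times out at the resolver and a query that is answered with the public WAN address. The script below is an added example (not code from this thread, from Netgate or from pfSense) that parses such a transcript, tells a timeout apart from a real "not found" (NXDOMAIN) and from a normal answer, and for each answer checks whether the address lies inside the LAN, which is what a working host override should produce. The transcript it runs on is constructed to mirror the thread: `example-ftp.com` stands in for the poster's domain, `203.0.113.10` for the redacted office IP, `192.168.1.50` for the FTP server, and `192.168.1.0/24` is an assumed LAN subnet; the third and fourth queries show what a working override and an NXDOMAIN look like.

```python
"""Classify nslookup output: timeout vs NXDOMAIN vs answer, and whether an
answer points into the LAN (host override working) or to the WAN address.

Added example; not code from the thread, Netgate or pfSense.
"""
import ipaddress
import re

# Constructed transcript modelled on the thread's output (assumed names and
# addresses: example-ftp.com, 203.0.113.10 for the public IP, 192.168.1.50
# for the FTP server behind the firewall).
SAMPLE_NSLOOKUP = """\
> nslookup www.example-ftp.com
Server:  pfSense.imagesoffice
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to pfSense.imagesoffice timed-out

> nslookup example-ftp.com
Server:  pfSense.imagesoffice
Address:  192.168.1.1

Non-authoritative answer:
Name:    example-ftp.com
Address:  203.0.113.10

> nslookup ftp.example-ftp.com
Server:  pfSense.imagesoffice
Address:  192.168.1.1

Name:    ftp.example-ftp.com
Address:  192.168.1.50

> nslookup nosuch.example-ftp.com
Server:  pfSense.imagesoffice
Address:  192.168.1.1

*** pfSense.imagesoffice can't find nosuch.example-ftp.com: Non-existent domain
"""

# A query line may or may not carry the shell prompt, as in the thread.
QUERY_RE = re.compile(r"^\s*>?\s*nslookup\s+(\S+)")

HINTS = {
    "timeout": "resolver did not answer; fix the DNS Resolver first, not port forwards",
    "nxdomain": "real 'not found': no record anywhere the resolver asked",
    "external": "resolves to the WAN address; a LAN client hits the firewall itself, "
                "not the forwarded server (add a host override)",
    "internal": "host override in effect; the client reaches the server directly",
    "no_answer": "no address in the output; re-run the query",
}


def _extract_ip(line):
    """Return the IP address on an nslookup output line, or None.

    Tries the bare line first (continuation lines under 'Addresses:'), then
    the text after the first colon ('Address:  1.2.3.4', IPv6 included).
    """
    candidates = [line.strip()]
    if ":" in line:
        candidates.append(line.split(":", 1)[1].strip())
    for cand in candidates:
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def split_queries(text):
    """Split a transcript into one block per nslookup invocation."""
    queries, current = [], None
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            current = {"name": m.group(1), "lines": []}
            queries.append(current)
        elif current is not None:
            current["lines"].append(line)
    return queries


def classify(name, lines, lan_net):
    """Classify one query block; addresses before 'Name:' belong to the server."""
    result = {"name": name, "status": "no_answer", "addresses": [], "authoritative": None}
    seen_name = False
    non_authoritative = False
    for line in lines:
        s = line.strip()
        if "Non-existent domain" in s:
            result["status"] = "nxdomain"
            return result
        if s.startswith("DNS request timed out") or s.endswith("timed-out"):
            result["status"] = "timeout"
            return result
        if s.startswith("Non-authoritative answer"):
            non_authoritative = True
        elif s.startswith("Name:"):
            seen_name = True
        elif seen_name:
            ip = _extract_ip(s)
            if ip is not None:
                result["addresses"].append(ip)
    if not result["addresses"]:
        return result
    # A local override is answered authoritatively by the resolver itself.
    result["authoritative"] = not non_authoritative
    internal = all(ip in lan_net for ip in result["addresses"])
    result["status"] = "internal" if internal else "external"
    result["addresses"] = [str(ip) for ip in result["addresses"]]
    return result


def audit(text, lan_cidr):
    """Classify every query in the transcript against the LAN subnet."""
    lan_net = ipaddress.ip_network(lan_cidr)
    return [classify(q["name"], q["lines"], lan_net) for q in split_queries(text)]


if __name__ == "__main__":
    for r in audit(SAMPLE_NSLOOKUP, "192.168.1.0/24"):
        print(f"{r['name']:<28} {r['status']:<10} {r['addresses']}  -> {HINTS[r['status']]}")
```

Paste a real transcript into `SAMPLE_NSLOOKUP` (or read it from a file) and pass your own LAN prefix to `audit`. Only the "internal" status means the override is doing its job; "external" reproduces the thread's symptom, where a LAN client is sent to the WAN address and ends up at the firewall's own listener instead of the forwarded server.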

                                      So stop messing around with port forwards and fix your DNS. This works out-of-the-box so it's anyone's guess what you've changed.


                                        • jvamos

                                        What is the alternative to port forwards to direct a user to my web server behind the firewall? I want to set up a DMZ at some point; I just need to install a third NIC, which I have on standby. Should I just be going down that route immediately?

                                          • Derelict (LAYER 8, Netgate)

                                          You need DNS that works before you do anything.


                                            • jvamos

                                            I didn't change any DNS resolver settings except for the redirect. DNS is working. You probably didn't scroll down?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.