Bought my domain with an ssl certificate

Hi Everyone,
JJ from Paris (France). I hope I am using the forum correctly and do not bother you with my beginner’s questions, but before going to ITPro’s classes, I thought it would be good to know a little.
I am an ex-pilot who is discovering IT.

My question today is this:
I bought my domain name, and it is a bundle with a DigiCert certificate. Because I do not want to leave everything outside, I created an A record that points to my home IP address, where I have my SG1100.

SG1100’s domain is ‘peace.lan’, and I would like to host some services for me, and my family outside, like an FTP server, a web server, Emby, and Calibre.

Do I need to change the SG1100 internal domain name to my external one?

Do I need to create A records for each service I would like to have and point each one to my IP address?

I have the SG1100 on port 10443. In order to have HTTPS and use my certificate, do I need to change the port to 443?

Because I am behind my ISP’s router, I tried DMZ, but unsuccessfully. Do I need to redirect port 443 on the ISP’s router to the SG1100?

Thank you again, and if this forum is not here for that kind of question, I will perfectly understand.

Regards
JJ

That’s brave 🙂

If you want to share your data with “trusted” family members and yourself externally, perhaps you should consider setting up an OpenVPN server; I’d say this is much more secure. It’s not so difficult and worth the effort.

If the OpenVPN server is on your SG1100 they will only need the OpenVPN client on the device they are accessing your network with, if they do not have a router that supports OpenVPN.

Basically I have done this; however, you just have to keep an eye on your upload speed, otherwise it works well.

Plus I’d trust the security offered by OpenVPN over HTTPS/SSL any day.

Thank you. I will add it to my todo list.
Can you help me with my other questions?
I am confused now that I have an external domain, and an internal one. Do I have to put my external domain in pfSense?

I would watch Tom’s video on HAProxy; that would make your project much safer and easier to manage, if I understand you.

Also your ISP may be blocking 443 or 80, so you may have to use non-standard ports. So to log in you’ll be using emby.yourdomain.com:575 for example.

OpenVPN is definitely more secure but not necessarily worth the extra in my opinion, but if you use it make sure to use split tunneling on the VPN to save your bandwidth.

Also, for ease of use, change your IP range to a non-common one if you use the VPN, because users who have the same range may have issues.

Keep them on a separate VLAN, in case they do get hacked.

Thank you.
What about the domain name? Do I keep my domain.com externally, and peace.lan internally for the SG1100?
JJ

The internal domain name will only matter if you want to use your cert on any of the internal devices. Otherwise it’s up to you. You can use multiple domains internally if you want to.

Thanks.
So if I want to use HAProxy, for example, to allow external access to my family on internal computers, I will need to change the SG1100’s domain name to something like Pfsense.mydomain.com?

If you want to use the domain cert for the GUI, yes. If you just want to use HAProxy, no. You will load the cert into pfSense to be used by HAProxy. You might need to make internal DNS entries to point to the services hosted by HAProxy; at least that’s the way I did it.
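
The point made in the replies above, that the internal domain only matters where the certificate is actually presented, comes down to whether a hostname matches a name listed in the certificate. This is an added example, not code from any poster in this thread; the SAN list and hostnames are constructed, and it assumes a certificate issued for `mydomain.com` plus a wildcard, which the thread does not confirm.

```python
"""Check which hostnames a certificate's SAN list covers (added example)."""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.strip().lower().rstrip(".").split(".")


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style match: '*' is only valid as the whole left-most
    label and stands for exactly one label."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False  # '*.mydomain.com' never covers 'a.b.mydomain.com'
    if pat[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def coverage(hostnames, sans):
    """Map each hostname to the SAN entry that covers it, or None."""
    return {h: next((s for s in sans if san_matches(h, s)), None)
            for h in hostnames}


# Constructed sample data: assumed SAN entries and candidate hostnames.
SANS = ["mydomain.com", "*.mydomain.com"]
HOSTS = [
    "Pfsense.mydomain.com",    # firewall GUI renamed into the public domain
    "emby.mydomain.com",       # service published through a reverse proxy
    "mydomain.com",            # bare domain
    "sg1100.peace.lan",        # internal-only name: cannot be covered
    "emby.home.mydomain.com",  # two labels deep: wildcard does not reach
]

if __name__ == "__main__":
    for host, san in coverage(HOSTS, SANS).items():
        print(f"{host:26} -> {san or 'NOT COVERED (browser warning)'}")
```

Names reported as not covered will produce a certificate warning if the certificate is served under them, which is why internal DNS entries under the public domain are needed for the proxied services while `peace.lan` can stay as the internal domain.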

Thank you.
Will try this tonight.