Cloudflare->Draytek Edge Router->pfSense->Home Assistant

hi all, need some assistance:

I'm sitting with the following problem, and wonder if you can assist, but thinking it could also be a great video for someone, taking some of what's out there a little bit further.

I watched another video ([SSL Encryption on Your Home Server the SIMPLE WAY - Cloudflare, pfSense, HAProxy, ACME https setup - YouTube]) that put some bits together, and know I followed it pretty spot on… but then I know my setup is slightly different so not surprised I'm having an issue.

(so yes have a Cloudflare account etc as per the video, my domain happens to also be a Google based one, and I did do the NS change into Cloudflare).

I currently use a Home Assistant integration to update my IP in Cloudflare, and that's working, but would prefer to change that to the Dynamic DNS service in pfSense (configured), but think it's failing as it's not on the edge.

Overview of my setup,

I got Home Assistant (172.16.10.21) configured (listening on 8123), on an RPi, what else. This is hard wired into my UniFi 24 Port PoE switch (172.16.10.2)

The UniFi is patched into a whitebox pfSense (WAN: 20.0.0.2, LAN: 172.16.10.1)

The WAN port of my pfSense goes into a LAN port of my edge router. The edge router (Draytek 2760) has a dynamic IP on WAN, and on the LAN side it's 20.0.0.1 (I currently have to use the Draytek as my ADSL service is still provided down an RG11 line; I'm switching to fiber, at which time I will patch into the ISP's ONT, which will then mean I can retire the Draytek and thus make the pfSense the edge device)

I've configured a NAT on the Draytek taking WAN:443 and forwarding on to 20.0.0.2:443

And then I followed the above video to set up https://ha. (PS: I've configured Cloudflare to be strict… aka browser to cloud is encrypted and Cloudflare to me is encrypted.) I'd love to also be able to tell my Draytek to only accept this https stream from Cloudflare only, as I've configured the service with the reverse proxy setting.

I'm getting the following error from pfSense when visiting my site:

“Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.”

When I tried the IP it gave me my pfSense, so I've since changed the pfSense port to something non-standard.

I'm guessing the pfSense is sensing that it's not on the edge and seeing the NAT executed by the Draytek.

Suggestions ?

G

You can fix the pfSense rebinding by going here: DNS — DNS Rebinding Protections | pfSense Documentation

I would suggest finding a way to put the DrayTek in bridge mode so that the public IP is handed over to pfSense.


Thanks, will have a look and will first try and do the rebinding now…
I have a couple of ports I'm busy moving over from the 192.168.0.0 network to new UniFi USW Flex Minis running on my 172.16.10.0 network.
Once I've got all those workloads moved over I can try the Draytek in bridge mode.

G

For the dynamic DNS concern in pfSense, it does not use the WAN NIC address but instead goes to http://checkip.dyndns.org in order to obtain the public IP. If you go to Services > Dynamic DNS > Check IP Services, you should be able to confirm this.

Also it is a bit weird to have a 20.x address, since that is technically a routable IP. However, it looks like your Draytek may support bridge mode, something to try out: Configuring Vigor2760 for VDSL Bridge mode – DrayTek FAQ

Getting to configure bridge… soon, trying to collapse 2 halves of the network onto this one leg first,
broke things a bit…
I reconfigured my management LAN on my USR 24 PoE from LAN 192.16.0.0 → my 172.16.10.0 network, remember the switch carries a 172.16.10.2 IP, but apparently life is not simple: the switch is still working, but I can't get to it now via the controller.

G

For management, dedicate a physical port and trunk all VLANs. Then you can just connect a laptop or whatever, and tag your own traffic. Windows lets you do this fairly easily for most NICs - Intel NICs even come with a utility.

Will have to see what I all need to do re the 20.0 network, can get rid of it… just takes some reconfiguration… without breaking things too badly in the process.

I have port 24 currently configured as the main uplink into the switch, which is configured to carry all the networks/VLANs
G

… so as 20.0 is normally a routable IP, the DDNS updater figured it's a real IP that it should update the Cloudflare service with, and promptly did…
As it saw 20.0 it did not go external to find the site IP… or well, that's what I think happened, as my Cloudflare service was updated with 20.0.0.1. Thinking changing to a 10.0.0.0 based address or doing the bridge of the Draytek will resolve the problem.
G
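The behaviour described in this thread (a transit network numbered out of 20.0.0.0/8 looks routable, so the updater publishes it) comes down to how an updater decides what to trust. The script below is an added illustration, not pfSense's own dynamic DNS code: it classifies the address on the WAN interface with Python's `ipaddress` module and decides whether to publish the interface address, the address an external check-IP service reported, or nothing at all. The addresses 20.0.0.2 and 172.16.10.1 are the ones from the thread; 198.51.100.23 is a constructed stand-in for the ISP-assigned address, and the function names are hypothetical.

```python
"""Added example: pick a safe address for a dynamic-DNS update when a
firewall may or may not be the edge device. Not pfSense code; the
function names and the scenario table are constructed for illustration."""
import ipaddress


def classify(addr: str) -> str:
    """Label an address as routable, non-routable or special.

    ipaddress.is_private covers RFC 1918 space plus loopback, link-local
    and the documentation/test ranges. 20.0.0.0/8 is ordinary allocated
    space, so 20.0.0.2 comes back 'routable', which is exactly why an
    updater that only looks at the interface will happily publish it.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_private:
        return "non-routable"
    if ip.is_global:
        return "routable"
    return "special"  # e.g. multicast or shared address space 100.64.0.0/10


def choose_ddns_address(wan_if_addr: str, observed_addr: str):
    """Return (address_to_publish, code).

    wan_if_addr   address configured on the firewall's WAN interface
    observed_addr address an external check-IP service said it saw

    address_to_publish is None when the updater should refuse and raise an
    alert instead of publishing something that is wrong.
    """
    wan = ipaddress.ip_address(wan_if_addr)
    observed = ipaddress.ip_address(observed_addr)

    if wan.is_private:
        # Ordinary double NAT: the interface holds RFC 1918 space, so the
        # only usable answer is whatever the outside world reported.
        return str(observed), "double-nat"

    if wan == observed:
        # The firewall really is the edge device; its own address is correct.
        return str(wan), "edge"

    # The interface address looks public but the internet sees something
    # else: an upstream router is NATing while using public space (the
    # 20.0.0.0/8 situation in the thread). The interface address points at
    # someone else's network, so refuse and let a human fix the numbering
    # (renumber the transit link to RFC 1918 space or bridge the upstream).
    return None, "mismatch"


REASONS = {
    "double-nat": "interface is private; publishing externally observed address",
    "edge": "interface address matches observed address; firewall is the edge",
    "mismatch": "interface address is routable but differs from observed "
                "address; upstream NAT uses public space, refusing to publish",
}


if __name__ == "__main__":
    # Constructed scenarios. 198.51.100.23 stands in for the ISP address.
    scenarios = [
        ("20.0.0.2", "198.51.100.23"),  # thread setup: 20.x behind the Draytek
        ("10.0.0.2", "198.51.100.23"),  # transit link renumbered to RFC 1918
        ("20.0.0.2", "20.0.0.2"),       # if the firewall itself held that address on the edge
    ]
    for wan, seen in scenarios:
        publish, code = choose_ddns_address(wan, seen)
        print(f"WAN {wan} ({classify(wan)}), observed {seen}: "
              f"publish={publish} [{REASONS[code]}]")
```

Run as-is it prints one line per scenario; the first reproduces the thread's failure mode by refusing to publish, and the second shows that renumbering the Draytek-to-pfSense link into 10.0.0.0/8 makes the updater fall back to the externally observed address, which is the outcome the last post is hoping for.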