pfSense and internal redirection

Hi all,

I have a cluster of 4 servers with all 4 being load balancers (HAProxy) in order to achieve high availability.

When we are trying to generate a web SSL certificate using Let's Encrypt, the generation is done on the first server in the cluster, which also creates a standalone service to solve the challenge that proves the domain is ours. If the request comes in on one of the other three load balancers, that request is redirected towards the public IP port 80 of the first server, but that connection can't be made for some reason.

I saw the following in the pfSense documentation:

By default, pfSense® software does not redirect internally connected devices to reach forwarded ports and 1:1 NAT on WAN interfaces. If a client is trying to reach a service on port 80 or 443 (or the port a web interface is using if it has been changed), the connection will hit the web interface and they will be presented with a certificate error if the GUI is running HTTPS, and a DNS rebinding error since it’s an unrecognized hostname.

Could anyone please help me understand on the best approach to solve my issue?

I looked at ‘Split DNS’ but I don’t think it will work as I cannot list every single domain I host (current and future).

I am now looking at 'NAT Reflection' but I am not sure if this is what I need.

Thank you all in advance

I forgot to mention that I have 2x pfSense in HA, so I need to be careful not to break that part when messing with NAT.

@fred974, I believe they are referring to hairpinning, when you have an internal system trying to reach an external service being exposed on the outside interface of your firewall. There are two fixes. First, you can create a NAT (hairpin) that has a source address of the servers and a destination of the outside interface/IP. The other option is to create a hosts file entry on each server pointing the URL/domain to the IP of the system you created the cert on.

Hi @FredFerrell what will that look like?
This is what my /etc/hosts currently looks like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

# localhost
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

# server hostname
127.0.0.1 Server-02
::1 Server-02

# moosefs servers
10.16.10.100 clustercsmfs
10.16.10.101 clustercsmfs
10.16.10.102 clustercsmfs
10.16.10.103 clustercsmfs

Do I just add the public external ip to it?
All I need to do is to get each server to be able to communicate to each other via port 80.

At the moment the following is not returning anything
[root@Server-02 clustercs]# telnet 194.16.14.xxx 80
Trying 194.16.16.xxx…
^C

Enter the internal IP of the server and the URL (ex. 10.16.10.100 google.com). This needs to be done on each server in your load balancing pool.
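One way to apply the /etc/hosts approach from the reply above on every backend without leaving duplicate or stale entries behind, as an added example that is not from the thread: the functions below pin a hostname to an internal IP in a hosts-style file (replacing any earlier mapping for that name while keeping other aliases on the same line), read the mapping back, and test whether TCP port 80 on the pinned address accepts a connection. The file path, IPs and domain used are assumptions; run it on each server in the pool with the real domain and the internal IP of the server that answers the ACME challenge.

```shell
#!/bin/sh
# Added example, not code from the original thread or from pfSense.
# Pins hostnames to internal IPs in an /etc/hosts-style file so that a
# backend resolves a hosted domain to a cluster member instead of the
# public IP on the firewall's WAN side. IPs and names are constructed.

# add_host_override FILE IP NAME
# Drop NAME from any existing non-comment line (keeping that line's other
# aliases, and removing the line if no alias remains), then append "IP NAME".
add_host_override() {
    file=$1; ip=$2; name=$3
    tmp="${file}.tmp.$$"
    awk -v n="$name" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            out = $1; kept = 0
            for (i = 2; i <= NF; i++) if ($i != n) { out = out " " $i; kept++ }
            if (kept) print out
        }
    ' "$file" > "$tmp" || return 1
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

# resolve_from_file FILE NAME
# Print the IP the file maps NAME to (first non-comment match), if any.
resolve_from_file() {
    awk -v n="$2" '
        !/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# port_open IP PORT
# Exit 0 if a TCP connect to IP:PORT succeeds within 3 seconds (uses nc,
# which is assumed to be installed on the backend).
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Usage on each backend (assumed values):
#   add_host_override /etc/hosts 10.16.10.100 example.com
#   port_open "$(resolve_from_file /etc/hosts example.com)" 80 && echo reachable
```

Because the override replaces rather than appends, the same command can be re-run from configuration management on every pool member, and the port check reproduces the user's telnet test against the address the server will actually use after the change.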

In the end, I went for method 1 using pure NAT and it solved my issue.

Awesome! Glad you got things working.