[pfSense] DNS Forwarder vs DNS Resolver (reverse proxy)

I’m using pfSense and I’ve got Caddy v2 running on my reverse proxy machine via Docker. I have dynamic DNS set up through Namecheap and it is all working fine for two of my subdomains. However, on the third (set up the same way), when I try to access myhost.mydomain.com from INSIDE my LAN, it sends me to my pfSense login. I had the other two subdomains set up in DNS Resolver, but I’m wondering if I need to use the Forwarder?

What’s happening here?

Did you change the port for the pfSense web admin interface and turn off the WebGUI redirect under “System → Advanced → Admin Access”?

When you resolve myhost.mydomain.com and don’t have any split DNS records set up, it will query your upstream DNS provider and return with your public IP address, which is the IP address of your firewall. Therefore when you make a request to that name, pfSense will answer it and show you the web UI. A NAT rule (commonly referred to as a port forward rule, in this case), can change that behavior and route the traffic to the proxy server instead. Note however that with pfSense, NAT rules are bound to a specific interface (or interface group). In most cases, this will be the WAN interface. For traffic originating inside your network, i.e. not coming in through the WAN interface, the rule will not apply.

To be able to access websites from inside the network under the same domain name, you can do one of two things:

Either set up split DNS. As you suggested, create records for all of the domains in pfSense’s DNS resolver (you won’t need the DNS forwarder), but put the local address of the reverse proxy server.

Alternatively, you can enable NAT reflection. This can be done per NAT rule or globally under System → Advanced → Firewall & NAT → Network Address Translation.

Does that also mean that he did not block managing his firewall from the WAN? If so, it should probably be changed to block access from the WAN; you don’t want people breaking into your firewall from the outside world.

No. To access the web UI from the internet, there would have to be an allow rule on the WAN interface. I don’t assume such a rule is present; otherwise, as you said, this should of course be changed.

Without split DNS, the domain will be resolved to the public WAN IP for both internet and local network hosts. But with an entry in the local DNS server (and assuming local devices are configured to use the local DNS server), local network devices can be steered towards the proxy server directly, avoiding traffic being sent through the firewall altogether.

I do now, but any requests to myhost.mydomain.com are now timing out.

This is just not working for me. Is there a means to export my entire pfSense config so that I may share it here?
Here are my firewall rules. xxx.xxx.xxx.10 is the server. When I ping myhost.mydomain.com, it returns my WAN IP, so I know that end is working.

Which of the two approaches have you tried? I would advise using split DNS as that avoids traffic being routed through the firewall.

You can export your pfSense config via Diagnostics → Backup & Restore, but I wouldn’t post the entire thing here, it’s probably full of confidential information (and frankly, I don’t want to look through all of that).

Your firewall and NAT rules look good, but (in the case of split DNS) they are only necessary for external access. You can verify that your DNS overrides work correctly by doing an nslookup for the domain in question on a local machine.

If it still doesn’t work, post your DNS resolver settings, especially the overrides section.
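An added diagnostic (not code from the thread) that encodes the explanation given earlier and the nslookup check: it resolves the name with the client’s configured resolver and reports whether a LAN client would reach the proxy directly or land on the firewall’s web UI. The hostname, WAN address and proxy LAN address are constructed placeholders.

```python
import socket

# Constructed sample values, not taken from the thread: the firewall's public
# (dynamic DNS) address and the LAN address of the reverse proxy host.
HOSTNAME = "myhost.mydomain.com"
WAN_IP = "203.0.113.5"
PROXY_LAN_IP = "192.168.1.10"

ADVICE = {
    "split-dns-ok": "LAN clients reach the proxy directly; nothing to change.",
    "hits-firewall": (
        "Name resolves to the WAN address, so the WAN port forward does not "
        "apply to LAN traffic and pfSense's web UI answers. Add a Host Override "
        "for this name in Services > DNS Resolver, or enable NAT reflection."
    ),
    "unexpected": (
        "Name resolves to neither the WAN nor the proxy address: check the "
        "override target and the dynamic DNS record."
    ),
}

def diagnose(resolved, wan_ip=WAN_IP, proxy_lan_ip=PROXY_LAN_IP):
    """Classify where a LAN client ends up when the name resolved to `resolved`."""
    if resolved == proxy_lan_ip:
        return "split-dns-ok"
    if resolved == wan_ip:
        return "hits-firewall"
    return "unexpected"

def resolve_all(hostname):
    """All A records returned by this machine's configured resolver (empty on failure)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return []
    return sorted(set(addrs))

def check(hostname=HOSTNAME, wan_ip=WAN_IP, proxy_lan_ip=PROXY_LAN_IP, resolver=resolve_all):
    """Map each resolved address to a verdict; `resolver` is injectable for offline tests."""
    return {a: diagnose(a, wan_ip, proxy_lan_ip) for a in resolver(hostname)}

if __name__ == "__main__":
    verdicts = check()
    if not verdicts:
        print(f"{HOSTNAME}: no answer from the configured resolver")
    for addr, verdict in verdicts.items():
        print(f"{HOSTNAME} -> {addr}: {verdict}\n  {ADVICE[verdict]}")
```

Run it from a LAN client that uses pfSense as its DNS server; a "hits-firewall" verdict reproduces the symptom in the original question.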

nslookup to myhost.mydomain.com resolves to the correct machine. I guess this is an HAProxy issue. Thanks for all your help! Also, as suggested, I’m using the DNS Resolver method.