pfSense HAProxy LAN

I followed Tom's video on pfSense HAProxy to set up the WAN side and the LAN side.

I have a few external-facing websites that I want to serve through the WAN side.
But I also have a few internal-only websites (like Bitwarden, NAS/OpenMediaVault running Docker containers, Portainer, etc.). I do not want them facing the WAN. I would VPN in to access these internal sites.

These websites run on individual Docker containers.
So a host with IP 192.168.1.1 can have multiple websites hosted on different Docker ports.
The Docker container internal ports are mapped to outside ports that do not conflict.
So an internal port 443 would be mapped to 4431 for website 1, 4432 for website 2, etc.
Similarly, an internal port 80 would be mapped to 8001 for website 5, 8002 for website 6, etc.

I use Cloudflare as my DNS provider and all SSL certificates are from Let's Encrypt.
I do not use any private certificates.

OpenVPN works fine. And once I VPN in, I am able to access the internal websites with no issues,
no matter whether they are on the HAProxy WAN side or LAN side.

But I am having no luck working this from the LAN side when I am "inside the LAN".
It says:

This page is not working.
bitwarden.mydomain.com didn’t send any data
ERR_EMPTY_RESPONSE
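As an added illustration (not from this thread, and not the configuration the pfSense HAProxy package generates), this is what the WAN/LAN split described in the post looks like in raw haproxy.cfg terms: one frontend bound only to the WAN address for the public names, a second frontend bound only to the LAN address for the internal names, and backends pointing at the Docker host's published ports. The WAN address 203.0.113.10, the LAN address 192.168.1.254, the OpenVPN tunnel network 10.8.0.0/24, the hostnames and the certificate path are assumptions; the Docker host 192.168.1.1 and the published ports 4431/4432/8001 are taken from the post.

```haproxy
# Added example: raw haproxy.cfg equivalent of the WAN/LAN frontend split.
# Addresses, hostnames and the certificate path are assumed; the Docker host
# (192.168.1.1) and published ports (4431, 4432, 8001) follow the post.

global
    log /dev/log local0
    # Refuse legacy TLS on every TLS-terminating bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Public frontend: bound ONLY to the WAN address (assumed 203.0.113.10).
# Only hostnames that are meant to be public get a use_backend rule here;
# any other SNI falls through with no backend and gets a 503, never an
# internal service.
frontend wan_https
    bind 203.0.113.10:443 ssl crt /etc/ssl/private/letsencrypt-wildcard.pem
    acl host_site1 ssl_fc_sni -i site1.mydomain.com
    acl host_site2 ssl_fc_sni -i site2.mydomain.com
    use_backend site1 if host_site1
    use_backend site2 if host_site2

# --- Internal frontend: bound ONLY to the LAN address (assumed 192.168.1.254).
# The pfSense web GUI must not also be listening on this address:443 (the
# thread mentions moving it to 10443). The src ACL is a second guard so that
# a packet reaching this socket from anywhere else is dropped even if the
# bind were ever widened by mistake.
frontend lan_https
    bind 192.168.1.254:443 ssl crt /etc/ssl/private/letsencrypt-wildcard.pem
    acl from_lan src 192.168.1.0/24 10.8.0.0/24   # LAN + OpenVPN pool (assumed)
    http-request deny if !from_lan
    acl host_bitwarden ssl_fc_sni -i bitwarden.mydomain.com
    acl host_nas       ssl_fc_sni -i nas.mydomain.com
    acl host_site1     ssl_fc_sni -i site1.mydomain.com
    use_backend bitwarden if host_bitwarden
    use_backend nas       if host_nas
    # Public names are reachable from inside too, without hairpinning via WAN.
    use_backend site1     if host_site1

# --- Backends: each points at the port the container publishes on the host.
backend bitwarden
    # Container's internal 443 is published as 4431 on the Docker host.
    # Re-encrypt to the container; the post says all certs are Let's Encrypt,
    # so verification against the system CA bundle is assumed to succeed.
    server bw 192.168.1.1:4431 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend nas
    # Container's internal 443 published as 4432.
    server nas 192.168.1.1:4432 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend site1
    # Container's internal 80 published as 8001 (plain HTTP inside the LAN).
    server s1 192.168.1.1:8001

backend site2
    server s2 192.168.1.1:8002
```

For LAN clients to reach the lan_https frontend, the internal names (bitwarden.mydomain.com, nas.mydomain.com) have to resolve to 192.168.1.254 on the inside while the public names keep their Cloudflare records; in pfSense that is the DNS Resolver host override discussed later in the thread. `haproxy -c -f /path/to/haproxy.cfg` validates the file before reloading.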

Please correct me if I am wrong, so you are trying to access internal website you created through HAProxy? If yes, you need to configure DNS to point either to the gateway where the sites are set or you can create virtual IP that points to your server? Then on the frontend of HAProxy that’s where you point it either to the gateway or the virtual IP.

As a test setup, I got everything working on the WAN side.
Then I deleted the sites from the WAN frontend and added them to the LAN frontend.
I have the same backend.
I also tried VPNing in, and everything works fine.

The DNS Resolver has the following settings:
SSL/TLS certificate: pfSense certificate from Let's Encrypt
Network Interfaces=All
Outgoing Network Interfaces=All
DNSSEC = yes
DHCP registration = yes
Static DHCP = Yes
OpenVPN clients=Yes

Host Overrides:
I cannot use host overrides as I have multiple Docker containers on the same host.

Sorry, I didn't create any website through HAProxy.
The websites are already the web access for Docker containers; each container has its own web interface and is running an application. For example, Bitwarden is running in a Docker container. It has an https website to access - login, password, etc. I just want to type in https://bitwarden.mydomain.org to get there, and I want it to be blocked from anyone accessing from the WAN, but be accessible from the LAN.

How do I point DNS to the gateway? Where do I set it?
How do I point the HAProxy frontend to the correct gateway?

Why does it work when I VPN into my network?
Why does it work if I use the WAN frontend?

When you say LAN address, I assume this is pointing to the LAN IP address of your server in Docker. If that is the case, change that "LAN IP Address" to the default gateway of the network where your server is hosted.

Here is an example of my config:

DNS: In DNS, the entries point to the gateway of the network where the servers reside.


HAProxy: This is my configuration in HAProxy

Do you have port 443 open on your local network going to 10.66.77.1? Also, how many networks do you have? Also, just confirming that the IP address of your pfSense is 10.66.77.1? And did you change the default https port of pfSense?

Based on your screenshot, you have the following networks: WANFIOS | LAN | GWSERVERVPN | GWCLIENTVPN | IOT | OpenVPN

My question is: the machine that is trying to access the Bitwarden server is located on which network? Are they both under LAN?

Yes, everything is connected to LAN.

I think the problem here is that the machines are in the default LAN where the Anti-Lockout Rule resides. The rule captures the request and quickly compares it to itself. Since the anti-lockout rule only allows ports 10443 and 22, the packet is now dropped because it is requesting through 443.

What you can try is to create an IP alias in Virtual IPs and then change the frontend address to the virtual IP (I have not personally tried this method, so you need to play around with this).

Finally got this working... strange issue.

  1. DNS Resolver > Host Overrides:
    I made all hosts under LAN use the same IP address as pfSense.

  2. I had created a few static DHCP mappings (MAC ID = some IP address), mainly for convenience.
    One of these IP addresses was my computer, from which I was trying to access the HAProxy LAN frontends.
    This is what was not working. I accidentally discovered this when I used my smartphone to try Bitwarden. The phone was on wifi and had a dynamic IP address (in the DHCP server range). I was able to access Bitwarden.
    Out of curiosity, I deleted the static IP address for the computer, rebooted and made it get a dynamic IP address from the pfSense DHCP server. Bingo, now I am able to access all the LAN backends (Bitwarden etc.) using the HAProxy frontend.

Any thoughts on why?
I would really like certain computers that I use all the time to have a static IP address.

You need to let everyone in LAN or other local networks know where to find bitwarden.example.com, which in this case is your router IP address, since the HAProxy frontend resides on it. You could have two DNS entries as well: one public and one local. As an example, home.example.com leads to two different websites based on whether you are outside of the network or inside, which comes in handy sometimes. This is all based on how you update your DNS.