pfSense: Webserver NAT reflection stops working when adding pfBlocker GeoIP alias

Hi everyone,

First of all, if Tom is reading this post I just want to let you know that your videos have given me the little push I needed to explore the world of pfSense. I have watched a lot of them; they have been my tutorials to help me configure my first pfSense on an old computer equipped with a used Intel Pro/1000 quad port gigabit Ethernet card I bought based on your recommendation.

So here is the situation. I have a webserver that is used by me and some of my friends. I have quite a few subdomains that change from time to time (ex. example.com, nextcloud.example.com, etc.). With a basic NAT, everything was working fine (after disabling the webConfigurator redirect rule :grinning:).

After installing pfBlocker and configuring GeoIP, I decided that I wanted to restrict access to the webserver to Canada only. Instead of denying everything except Canada, I decided to only allow Canada. So in GeoIP, I chose “Alias Permit” and selected only Canada. I then edited the source address of my NAT by selecting pfB_NAmerica_v4.

Everything was working fine at first, but after flushing the DNS cache Firefox gave me a “Potential Security Issue” message when accessing my website. What I found out is that it is actually the login page of pfSense with its certificate! This problem only occurs inside my network; when accessing the website with my cellphone everything works fine.

Is it normal that by limiting the IPs to Canada on the WAN interface that the NAT reflection was affected in such a way? If so, what is the solution? Use the DNS Resolver to override the domain? Is it possible to override a domain and all its subdomains at once?

Thanks a lot

You should have the management port for pfSense on something other than 443.

Hi Tom, I just changed the management port to 444 and tried to access my website. Now I get a connection timeout. The only way that I found to get back access to my website from the LAN side is to put Any as the source in the NAT rule.

I was able to resolve the problem by adding Host Overrides in the DNS Resolver. The drawback is that you need to add an additional name for each of your subdomains.

I was able to find an alternative by adding the following lines in the “Custom options” of the DNS Resolver:
server:
    # redirect: the zone name and every subdomain answer with the local-data below
    local-zone: "example.com" redirect
    local-data: "example.com 86400 IN A 192.168.0.4"
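To make the difference between the two fixes in this thread concrete (one Host Override per name versus a single redirect zone), here is an added model of how the LAN resolver answers queries under each; this is constructed example code, not pfSense's or Unbound's own, and the configs, names and the 192.168.0.4 address are taken from the posts above, while the "UPSTREAM" marker is an assumption standing in for a query forwarded to the internet (which is what ends up at the WAN address and the NAT rule).

```python
"""Model of the two split-DNS approaches from the thread (added example, not
pfSense or Unbound code). Zone matching follows Unbound's documented
local-zone rule: a name is covered by the longest configured zone that is
the name itself or one of its parents."""

LAN_IP = "192.168.0.4"  # webserver address from the thread

# Constructed configs. Host Overrides become one local-data entry per name in
# a 'transparent' zone; the Custom options block becomes a 'redirect' zone
# whose single local-data answers the zone name AND every subdomain.
HOST_OVERRIDES = {"zones": {"example.com": {
    "type": "transparent",
    "data": {"example.com": LAN_IP, "nextcloud.example.com": LAN_IP}}}}
REDIRECT_ZONE = {"zones": {"example.com": {
    "type": "redirect",
    "data": {"example.com": LAN_IP}}}}

def _normalize(name):
    return name.rstrip(".").lower()

def _matching_zone(zones, name):
    """Longest zone that equals `name` or is a parent of it, else None."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def resolve(config, name):
    """A record the LAN resolver hands out for `name`, or "UPSTREAM" when
    the query would be forwarded to the internet (and hit the WAN address)."""
    name = _normalize(name)
    zones = config["zones"]
    zone = _matching_zone(zones, name)
    if zone is None:
        return "UPSTREAM"
    entry = zones[zone]
    if entry["type"] == "redirect":
        # redirect: the zone's own local-data answers apex and all subdomains
        return entry["data"][zone]
    # transparent: only names with explicit local-data are answered locally
    return entry["data"].get(name, "UPSTREAM")

def compare(names):
    """Answers from both configs for each name: (host-overrides, redirect)."""
    return {n: (resolve(HOST_OVERRIDES, n), resolve(REDIRECT_ZONE, n)) for n in names}
```

Running compare() on a name that was never added as a Host Override (for example a new subdomain) shows it still going upstream under the per-host approach, while the redirect zone keeps answering with the LAN address.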