I’ve been going crazy for several days now. Since I watch almost all of Tom’s videos and know his skills with PFSense, I thought I might get some help here.
ISP -> ISP Router (forced to use) -> (DMZ) -> PFSense -> Home Network
My Network consists of:
- Windows Server (Host System)
- Reverse Proxy (VM)
- different services (VMs)
- Local Computers
So, PFSense passes all incoming 80/443 traffic to my Reverse Proxy, which then redirects it to the right service.
My ISP Router updates my DDNS, since it’s the only one knowing my public IP address.
Everything was working flawlessly…
The problem I’m facing now came after I made a modification in PFSense to the DNS servers. Under System -> General Setup I registered Cloudflare and Google as DNS servers, since I wanted to access sites that are currently blocked by my ISP. And I disabled the override flag.
After 1/2 days (I can’t tell exactly, because I wasn’t at home for a few days) I couldn’t reach my services from inside the network through my domain anymore. I can’t browse to “service.url.com” anymore and instead I have to type in the actual IP of the VM the service is running on, which is not an option since I have mobile devices syncing with them which go in and out of my network.
First thing I did was to reset PFSense back to the settings before I changed anything, but it didn’t help. Meanwhile I tried everything I could possibly think of… feels like someone is pranking me lol.
Does anybody have an idea on how to debug this issue?
Help would be greatly appreciated, really.
Sounds like DDNS hasn’t updated, have you tried to ping “service.url.com” to check it’s resolving to the right IP address?
Is there a reason you are using the ISP router for anything other than a modem? You should be able to put the ISP router in bridge mode and pass all routing to the pfSense box. This would allow you to update DDNS from your pfSense box and save all these headaches.
DDNS is up to date, since I can access the URL from outside of my network. Also, I use a real domain for my services with DNS records from DDNS since I have no fixed IP.
It’s only when I’m behind PFSense that I can’t access it anymore.
Like I said, I am forced; there is no bridge mode. I already spent hours arguing with them and will soon switch, but for now I have to live with it. Honestly, it’s only the DDNS updating that I have to do over the ISP router/modem.
Okay so you can access the url externally but not internally which is where you are saying you can access it by IP from internally?
So it sounds like it’s related to overriding DNS servers, so clients behind pfSense are querying the Google/Cloudflare DNS servers directly as opposed to querying pfSense’s DNS resolver. The other possibility could be NAT reflection, but I’m going with DNS.
What DNS servers are your client machines using? i.e. ipconfig /all to grab the DNS servers.
You could also verify pfSense is resolving correctly with nslookup. Drop to a command prompt, run “nslookup” and type:
server [ip address of your pfsense box]
server.url.com (or whatever)
what results do you get?
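An added example (not from the thread) that automates the nslookup check above and says what the answer means for a client on the LAN; the addresses and the sample nslookup output are constructed:

```shell
#!/bin/sh
# Added example, not from the thread. Constructed addresses: 192.168.1.1 is
# the pfSense box, 192.168.1.20 the reverse proxy, 203.0.113.10 the DDNS name's
# public address. Usage: sh check.sh <pfsense-ip> <public-ip> <proxy-ip> name...

# Pull the answer address out of nslookup output. The first "Address:" line is
# the resolver's own (it follows "Server:"); only the one after "Name:" counts.
parse_nslookup_answer() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { seen_name = 1; next }
        seen_name && /^Address(es)?:/ { sub(/^Address(es)?:[ \t]*/, ""); print; exit }
    '
}

# What the answer means for a LAN client:
#  split-dns  : host override sends clients straight to the proxy
#  hairpin    : public IP came back; without NAT reflection the connection
#               goes out towards the ISP router and dies there
#  no-answer  : nothing returned (upstream or cache problem)
#  unexpected : some other address, e.g. stale cache or wrong resolver
classify_answer() {
    answer=$1; public_ip=$2; proxy_ip=$3
    if [ -z "$answer" ]; then echo no-answer
    elif [ "$answer" = "$proxy_ip" ]; then echo split-dns
    elif [ "$answer" = "$public_ip" ]; then echo hairpin
    else echo unexpected
    fi
}

# Live check against the pfSense resolver, one line per service name.
check_live() {
    pf=$1; pub=$2; proxy=$3; shift 3
    for name in "$@"; do
        ans=$(parse_nslookup_answer "$(nslookup "$name" "$pf" 2>/dev/null)")
        printf '%-28s %-16s %s\n' "$name" "${ans:--}" "$(classify_answer "$ans" "$pub" "$proxy")"
    done
}

# Constructed nslookup output in the Windows format the thread uses.
SAMPLE_OUTPUT='Server:  pfsense.home.arpa
Address:  192.168.1.1

Name:    service.domain.com
Address:  203.0.113.10'

# Offline demo of the thread's symptom: public IP handed back inside the LAN.
demo() {
    classify_answer "$(parse_nslookup_answer "$SAMPLE_OUTPUT")" 203.0.113.10 192.168.1.20
}
if [ $# -gt 0 ]; then check_live "$@"; fi
```

A "hairpin" verdict means either enabling NAT reflection for the 80/443 port forward or adding a host override for the name in the DNS Resolver, which is the fix the thread ends up with.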
Exactly, except on a few, where I also have a rewrite condition in the Apache/nginx config that redirects internal IP requests to the public URL too. Those are not reachable at all at the moment.
My clients all get the PFSense IP as DNS.
My PFSense gets:
Unbelievable how one small setting can create a whole troubleshooting marathon… even after setting it back.
What address did server.url.com (obviously your URL) resolve to from the pfSense box, as you did above with google.com? Is it correctly resolved to the external/internal IP?
Yes, it’s my correct external IP. It works with “domain.com” and all subdomains for the services, like “service.domain.com”.
Pure NAT maybe? NAT settings, with “Enable automatic outbound NAT for reflection”?
Could you elaborate the points a bit more?
Also maybe worth running traceroute to confirm it is getting blocked at the router.
Thanks for your help!
I got it working by setting host overrides for all “services.domain.com” URLs and pointing them to my reverse proxy. But I am still very confused as to why I had to do that, since the only thing I changed was “System --> General Setup --> DNS to Cloudflare”. I never had to make the override entries before.
I deactivated the DNS cache in the ISP router too after changing the DNS in PFSense. So maybe after I switched DNS and deactivated the cache, that’s the reason it wasn’t working anymore even after reversing my setting. Could that be plausible, that those requests were cached the whole time?
Also as a follow up question:
Now that I use Cloudflare DNS and they support SSL DNS, is it enough to set “Services --> DNS Resolver --> Enable SSL/TLS Service” to switch to it?
I just had a very similar issue…the culprit was the ISP modem. What is the brand, model, and firmware version of the ISP modem??
My setup is identical to yours… utilizing DMZ on the ISP Actiontec modem. Let me know brand, model, and firmware version.
It’s a Siligence SAS modem, which is a daughter company of ASUS, but the thing is a real piece of crap. There are so many functions not even working… full of bugs.
Not the same…mine is an Actiontec. The ISP actually downgraded the firmware to a version that intentionally, or unintentionally, blocked the entire 1.x.x.x domain. I got the issue resolved but took forever to get to the right team to make the change.