[Solved] Accessing an internal webserver

[jl_678]

Update: See last post for the simple solution

Hi,

I just installed Opnsense and things are working well.  However, I have encountered an unexpected issue.  Here is what I am seeing:

I used named-based web-hosting and so my external hostname is both foo.bar.com and foo2.bar.com.  These go to the same server and Apache uses the DNS to send me to the right site and SSL is in use.

If I am on an external network, I can access foo2.bar.com without an issue.  This is through port 443 and https, and I have a rule setup allowing access to an internal server say 10.0.0.20.

The problem occurs if I am on my internal network.  Now, let's say that I want to access the foo2.bar.com SSL site on 10.0.0.20.  The first thing that I try is to go to foo2.bar.com.  However, this does not work.  I think that the problem is due to DNS resolving the public IP and then Opnsense trying to send the GUI which creates an error.  Going to https://10.0.0.20 does not work because it provides the foo.bar.com website and not foo2.bar.com.

I tried changing the GUI to a different port and now the internal requests to foo2.bar.com time out.  What can I do to enable access to foo2.bar.com?

Thank you!

[bartjsmit]

Run an internal DNS server and provide split DNS https://en.wikipedia.org/wiki/Split-horizon_DNS

Bart...

[jl_678]

Okay, I will explore that.  Thank you. 

For future reference, I created a temporary workaround.  Specifically, I enabled port-based web-hosting for foo2.bar.com.  In this scenario, I created another vHost inside of Apache and set foo2.bar.com to be accessible by going to https://10.0.0.20:8080.

This is not the ideal solution and is a bit of a hack.  I will look at the internal DNS server option.

Thank you.

[BertM]

jl_678

No need to use internal DNS server.
The trick is to use NAT reflection in your port forwarding config.

See description in this post:
https://forum.opnsense.org/index.php?topic=6155

Kind regards,
Bert

[jl_678]

Unfortunately, the NAT reflector thing did not work for me. I have no idea why. I posted on that thread.

[jl_678]

Hi,

So I was exploring the dual DNS thing and it was really easy to implement.  You simply go to your DNS settings (either DNS Masq or Unbound) and set an override for the internal webserver.  In my example, it looked something like this:

host: foo2
domain: bar.com
(for Unbound) -> Type A
IP: 10.0.0.20

With those settings, it worked perfectly and there was no need to change the GUI port or anything.

[Deku2]

Didn't work for me as it doesn't do the port forwarding aspect.  Can't figure out how to access my site from inside   
This didn't work either: https://forum.opnsense.org/index.php?topic=6155.0