Hi guys,
I'm here asking for a hand because I'm losing all hope.
English is not my primary language, so, from now on, sorry and be patient with me 8)
Below, the scenario BEFORE OPNsense implementation.
ISP ROUTER -> ports 80 and 443 forwarded to the Synology NAS's reverse proxy and configured.
Because I have some self-hosted apps, I created some DNS names in my private domain xyz.it like NAS.xyz.it, PASS.xyz.it, RDP.xyz.it, and so on...
With Synology's reverse proxy all worked well.
Two weeks ago I installed my first OPNsense device... put it in the DMZ and configured it.
Imported my XYZ.it certificate and set up HAProxy with help from several guides found online.
All is working great. Externally, from outside my network, I can reach all the services I need over HTTPS.
The problems are:
1) I can reach those services from the internal LAN only if I use the IP address with plain HTTP (not HTTPS). This is a problem because Bitwarden (a self-hosted password vault) can be reached over HTTP, but when I enter my account to log in it fails because it requires HTTPS.
2) From outside my network every site like PASS.xyz.it, NAS.xyz.it, RDP.xyz.it points correctly to its respective service.
From the internal network, they all go to the same page... for example NAS.xyz.it, and this is driving me crazy.
Please, could someone help me?
Attached:
Firewall Rules (WAN and LAN)
HAProxy config
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: Public_Portal ()
frontend Public_Portal
    bind 192.168.254.1:443 name 192.168.254.1:443 ssl crt-list /tmp/haproxy/ssl/651c7166417473.44300382.certlist
    mode http
    option http-keep-alive

    # logging options

    # ACL: Nas_DSM
    acl acl_651c7797f243c0.49412538 hdr_beg(host) -i nas
    # ACL: Guacamole
    acl acl_651c701911d695.97788597 hdr_beg(host) -i rdp
    # ACL: Bitwarden
    acl acl_651c754a95cbd0.71359706 hdr_beg(host) -i pass
    # ACL: Plex
    acl acl_651c76bee6c989.69820384 hdr_beg(host) -i plex

    # ACTION: Nas_DSM
    use_backend Nas_DSM if acl_651c7797f243c0.49412538
    # ACTION: Guacamole
    use_backend Guacamole if acl_651c701911d695.97788597
    # ACTION: BitWarden
    use_backend BitWarden if acl_651c754a95cbd0.71359706
    # ACTION: Plex
    use_backend Plex if acl_651c76bee6c989.69820384

# Backend: Guacamole ()
backend Guacamole
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server Guacamole 192.168.100.200:8080

# Backend: BitWarden ()
backend BitWarden
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server BitWarden 192.168.100.200:5151 ssl verify none

# Backend: Plex ()
backend Plex
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server Plex 192.168.100.200:32400 ssl verify none

# Backend: Nas_DSM ()
backend Nas_DSM
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server Nas_DSM 192.168.100.200:5001 ssl verify none

# statistics are DISABLED
Wrong place to ask; you are not writing a tutorial.
In short, for 2. you probably need to read up on DNS split horizon, aka split DNS, plus other names.
This one, in this section, will also help you: https://forum.opnsense.org/index.php?topic=34925.0
Also, revise what is happening in your setup. If the request from your client resolves the name internally to the real server, then the connection will go to the IP (local IP), and then you can't have an HTTPS connection without a host certificate. Presently it sounds like HAProxy is doing TLS termination for outside clients. How do you set it up for internal ones?
For 2. you might have the same SNI on the frontend without a way to divert each request to the different service. This one should help: https://forum.opnsense.org/index.php?topic=23339.0 . They'll only answer there if you follow the tutorial like for like.
Hi,
I noticed the section error. I was reading something and forgot to move back to the correct forum area.
I already requested a moderator to move the topic.
I already set up the DNS override as per the image attached.
What I cannot understand is why I need to touch HAProxy; from outside my network, all works great... without any issue. Every service is reached correctly.
The problem is in the internal network.
Is there something I can screenshot that can help?
The DNS override will send every internal request to the same place in this configuration; that is because it is only resolving a name to an IP address, and all services are running on the same IP, just on different ports.
DNS names don't resolve to specific ports. The DNS override is skipping HAProxy because HAProxy is listening on the outside WAN IP. Hence these 4 overrides are no different from each other and only one can be of use.
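As an added example (not code from this thread, from OPNsense or from HAProxy), the following Python script models what the two replies above describe. It copies the routing rule of the posted config (`hdr_beg(host) -i <prefix>`, in the same order as the `use_backend` lines) and, for a table of Unbound host overrides (name -> IP), predicts whether an internal client's HTTPS request passes through HAProxy or bypasses it. The two override tables are constructed; the bind address 192.168.254.1 and the ACL prefixes come from the posted config; the `live_check` helper is an assumed diagnostic you can run from a LAN client once the overrides are changed, to confirm what the name resolves to and which certificate is served.

```python
"""Split-DNS reachability model for an HAProxy reverse proxy on OPNsense.

Added example for this thread; not code from the forum, OPNsense or HAProxy.
It reproduces the routing rule of the posted config (hdr_beg(host) -i <prefix>)
and checks where an internal client's request for each name ends up, given a
table of Unbound host overrides (name -> IP). The override tables below are
constructed; the bind address 192.168.254.1 and the ACL prefixes come from
the posted config.
"""
import socket
import ssl

# Address the posted frontend binds to; only traffic sent here is routed by HAProxy.
PROXY_BIND_IPS = {"192.168.254.1"}

# Ordered like the posted use_backend lines: the first matching prefix wins.
HOST_PREFIX_TO_BACKEND = [
    ("nas", "Nas_DSM"),
    ("rdp", "Guacamole"),
    ("pass", "BitWarden"),
    ("plex", "Plex"),
]

SERVICE_NAMES = ("nas.xyz.it", "rdp.xyz.it", "pass.xyz.it", "plex.xyz.it")

# Constructed: overrides pointing every name straight at the NAS (bypasses HAProxy).
OVERRIDES_WRONG = {name: "192.168.100.200" for name in SERVICE_NAMES}
# Constructed: overrides pointing every name at the address HAProxy binds on.
OVERRIDES_FIXED = {name: "192.168.254.1" for name in SERVICE_NAMES}


def pick_backend(host_header):
    """Mimic HAProxy's `hdr_beg(host) -i <prefix>`: case-insensitive prefix
    match on the Host header, ignoring any :port suffix. Returns the backend
    name, or None when no use_backend line matches (HAProxy would then answer
    503 because the frontend has no default_backend)."""
    host = host_header.split(":", 1)[0].lower()
    for prefix, backend in HOST_PREFIX_TO_BACKEND:
        if host.startswith(prefix):
            return backend
    return None


def predict_path(name, overrides):
    """Where does a LAN client's HTTPS request for `name` land?

    DNS only yields an IP address, never a port, so the proxy is in the path
    only if the resolved IP is one that HAProxy binds on.
    """
    ip = overrides.get(name)
    if ip is None:
        return ("unresolved", None)
    if ip in PROXY_BIND_IPS:
        return ("via_proxy", pick_backend(name))
    return ("bypasses_proxy", ip)


def diagnose(overrides):
    """Map every service name to its predicted destination."""
    return {name: predict_path(name, overrides) for name in SERVICE_NAMES}


def all_land_on_same_place(overrides):
    """True when every name ends up at the same destination, i.e. the symptom
    the poster describes ('they all go to the same page')."""
    return len(set(diagnose(overrides).values())) == 1


def live_check(name, port=443, timeout=3.0):
    """Run from a LAN client after changing the overrides: resolve `name` with
    the system resolver and open a TLS session with SNI, so the served
    certificate can be compared with the name. Needs network access; the
    offline checks above do not call it."""
    ip = socket.gethostbyname(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                cert = tls.getpeercert()
                return {"ip": ip, "tls_ok": True, "cert_subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as exc:
        # Certificate does not match the name: the request did not reach the proxy,
        # or the proxy is not serving the expected certificate for this SNI.
        return {"ip": ip, "tls_ok": False, "error": str(exc)}


if __name__ == "__main__":
    for label, table in (("wrong", OVERRIDES_WRONG), ("fixed", OVERRIDES_FIXED)):
        print(f"--- overrides: {label} ---")
        for name, result in diagnose(table).items():
            print(f"{name:14} -> {result}")
        print("all names land on the same place:", all_land_on_same_place(table))
```

Two points the model makes visible. First, the overrides only help when they point at an address the frontend actually binds on; if LAN clients cannot reach 192.168.254.1, the alternative is to add a LAN-side `bind` to the same frontend. Second, `hdr_beg(host) -i nas` is a prefix test, so it would also match any other host starting with `nas`; matching the full name (`hdr(host) -i nas.xyz.it`) keeps each ACL tied to exactly one service.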