OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Julien on February 08, 2017, 01:43:47 pm

Title: Please help From Pfsense to OPNsense
Post by: Julien on February 08, 2017, 01:43:47 pm
Hi guys,
Today we migrated one of our customers from Pfsense to OPNsense hardware.
Our customers are using Exchange locally. The issue now is that the webmail is accessible only from outside; when the users are connected internally they can't access webmail.domain.com, and neither can Outlook.

The firewall rules are already configured to forward port 443 to the Exchange server, and emails are working only when you connect from outside the network.
Can you please point me in the right direction to fix this?

The firewall rule seems fine, as shown in the picture.

When I traceroute webmail.domain.com internally, it returns "request timed out" once it reaches the firewall.

Thank you
Title: Re: Please help From Pfsense to OPNsense
Post by: Oxygen61 on February 08, 2017, 02:49:56 pm
Hey,

Did you allow "ICMP" traffic? If yes, could you try to ping the IP address of the website?
If it worked, try to ping again, but this time use the domain name.
If it's not working you need to look at your DNS settings. :)

Btw...
Did you allow outgoing DNS traffic to the firewall for your internal network?
Or, in other words, what happens if they try to open the website by using the IP address instead of the "webmail.domain.com" one?

Best regards
Oxy
Title: Re: Please help From Pfsense to OPNsense
Post by: Julien on February 08, 2017, 03:00:44 pm
Quote
Hey,

Did you allow "ICMP" traffic? If yes, could you try to ping the IP address of the website?
If it worked, try to ping again, but this time use the domain name.
If it's not working you need to look at your DNS settings. :)

Btw...
Did you allow outgoing DNS traffic to the firewall for your internal network?
Or, in other words, what happens if they try to open the website by using the IP address instead of the "webmail.domain.com" one?

Best regards
Oxy

Thank you, somehow the DNS is not responding.
Thank you
1 hr ago the DNS worked fine; now it's not responding, it is pinging the old DNS IP.
Probably this is the issue.
Title: Re: Please help From Pfsense to OPNsense
Post by: Oxygen61 on February 08, 2017, 03:14:29 pm
Quote
Thank you, somehow the DNS is not responding.
Thank you
1 hr ago the DNS worked fine; now it's not responding, it is pinging the old DNS IP.
Probably this is the issue.

No problem :)
A few things:
On System > Settings > General, did you change the DNS server? Or delete the wrong one, if there was any?
Are you using multiple WAN connections with your OPNsense?
>>If yes, are you using policy-based routing (rules with gateway)
>>or are you using DNS servers with a gateway set in System > Settings > General?
Are you using a DNS forwarder or resolver?
Did you check /etc/resolv.conf? What happens when you use "cat /etc/resolv.conf" in your console?
Any DNS server IP entry which shouldn't be there? :)

At least we now know that it's a DNS problem, which is always good to know. :)

Title: Re: Please help From Pfsense to OPNsense
Post by: Julien on February 08, 2017, 05:30:45 pm
Thank you for your answer.

When I run the following on the firewall:
root@firewall:~ # cat /etc/resolv.conf
I see the below:

nameserver 8.8.8.8
nameserver 8.8.4.4

When I go to General settings I see we are using only 8.8.8.8 / 8.8.4.4.

Another issue: when I try to connect in the browser using our external IP it does not open; externally it does.
DNS is working now, but I can't connect to the external IP/DNS name, which I believe is a routing issue now.

On the Pfsense we used NAT reflection, which fixed this issue before.
Does OPNsense have something like that for NAT?
See attached screenshots; which NAT options should I use?

Title: Re: Please help From Pfsense to OPNsense
Post by: Julien on February 08, 2017, 06:46:24 pm
Can someone please advise? We tried many NAT rules and everything, and we are out of options.
I can ping the external IP internally, but when I traceroute it, it drops when it hits the firewall.
See the traceroute.
Title: Re: Please help From Pfsense to OPNsense
Post by: Oxygen61 on February 08, 2017, 06:48:02 pm
Hey hey,

I could be wrong, but I don't think that this is the real problem here. :)

You are trying to access the webserver using port 80 or 443 within the local network.
Instead of using the webmail server's internal IP address, you try to access the webmail server from external with an internal client.
Regarding your firewall rules (not the NAT rules in this case), you are only allowed to send TCP traffic to the webmail's internal IP address, NOT to any external connections.
>> Try changing that "destination IP" to "ANY" just to test if it works

Internal clients shouldn't even ask external DNS servers to resolve any internal hostnames, so you could try to use the "DNS forwarder" and use the "Host override" option to let internal clients talk to the webmail only by using the internal IP.
Why should any internal client try to use the external IP address, which btw. is nothing else than a port forward to the internal IP address of the webmail server anyway. ;D

Maybe I am just misunderstanding your setup completely here, but you should try to check your firewall rules first or try the trick with the DNS forwarder. Maybe that helps.
If you enabled the DNS forwarder and configured an entry for your webmail hostname with its internal IP address, you should also be able to see that entry in your "/etc/resolv.conf" file.

I can't really help you with the NAT reflection idea because I never had to use this option before. Sorry! :(

Just out of pure curiosity...
Why did you choose to use a Google DNS server as your primary DNS?
Why not OpenDNS or OpenNIC? :)

Best regards
Oxy
Title: Re: Please help From Pfsense to OPNsense
Post by: Julien on February 08, 2017, 06:56:13 pm
Thank you for your answer.
The Google DNS was always there, never thought to change it :). Can you tell me why to use OpenDNS or anything else? Is it better than Google?
I don't mind using Google or anything else, at least if it works.
I managed to fix the issue by using a split DNS;
the issue is not an OPNsense issue but an internal DNS issue.

Thank you Oxygen61 for your continued support
Title: Re: Please help From Pfsense to OPNsense
Post by: Oxygen61 on February 08, 2017, 07:54:54 pm
Hey hey,

Google DNS is constantly under high load. I mean, it's Google, but just because of that fact many people are using their services.

OpenDNS is managed by Cisco and "a lot" faster than Google DNS. If you decide to register and use an account there, you can also decide to use blacklists for advertisements/weapons/pr0n/illegal stuff and so on, so that your custom DNS is not resolving those websites.
readme: https://www.opendns.com/home-internet-security/

OpenNIC, on the other hand, is the one you should consider if you care about privacy and censorship, because it's "democratic", as far as they say.
readme: https://www.opennicproject.org/
and: https://prism-break.org/en/

Glad that you found the error. :)
Don't forget to set the post to [SOLVED]. Thanks! :)
Have a nice day.

Best regards
Oxy

EDIT:
Just found the Wikipedia entry for Split-Horizon DNS.
Obviously the right decision. ;D

Quote
Use Case:
One common use case for Split-horizon DNS is when a webserver has a private IP address on a local area network, but the world accesses it at a NAT'ed public address. By using split-horizon DNS the same URL can lead to either private IP address or public IP address for different client machines.
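The host-override idea from Oxygen61's reply and the split-horizon use case quoted above, as an added example that is not part of the thread: a small Python model of a split-horizon resolver that hands LAN clients the private address of the webmail host and everyone else the public (NATed) address, plus a check showing why an internal client that receives the public address would otherwise need NAT reflection. All addresses, subnets and the dnsmasq rendering are constructed assumptions, not the poster's configuration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (not from the thread): the webmail host's private
# address and the public address the firewall port-forwards 443 to it.
INTERNAL_NETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.168.1.0/24")]
PUBLIC_RECORDS: Dict[str, str] = {"webmail.domain.com": "203.0.113.10"}
HOST_OVERRIDES: Dict[str, str] = {"webmail.domain.com": "192.168.1.25"}


def is_internal(client_ip: str) -> bool:
    """True when the querying client sits on one of the LAN subnets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str, use_overrides: bool = True) -> Optional[str]:
    """Split-horizon lookup: LAN clients get the host override (private IP),
    everyone else gets the public record. Names are normalised so that
    'WEBMAIL.domain.com.' matches the override for 'webmail.domain.com'."""
    key = name.rstrip(".").lower()
    if use_overrides and is_internal(client_ip) and key in HOST_OVERRIDES:
        return HOST_OVERRIDES[key]
    return PUBLIC_RECORDS.get(key)


def needs_nat_reflection(name: str, client_ip: str, use_overrides: bool = True) -> bool:
    """The failure mode from the thread: an internal client that resolves the
    name to the public IP sends TCP/443 to the firewall's WAN address and would
    need NAT reflection (hairpin NAT) to reach the server. With overrides the
    client is handed the private IP directly and no reflection is required."""
    answer = resolve(name, client_ip, use_overrides)
    public = PUBLIC_RECORDS.get(name.rstrip(".").lower())
    return is_internal(client_ip) and answer is not None and answer == public


def dnsmasq_override_lines() -> List[str]:
    """Render the overrides in dnsmasq 'host-record' syntax (the OPNsense DNS
    forwarder is dnsmasq-based; this rendering is an assumption, not a dump
    of what the GUI generates)."""
    return [f"host-record={host},{ip}" for host, ip in sorted(HOST_OVERRIDES.items())]


if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.7"):
        print(client, "->", resolve("webmail.domain.com", client),
              "| reflection needed without override:",
              needs_nat_reflection("webmail.domain.com", client, use_overrides=False))
    print("\n".join(dnsmasq_override_lines()))
```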