Rule needed to access web server on another network.

[ddywz]

I need to have a PC on internal LAN (Interface1 on OPNsense) to access a confluence webserver on DMZ (interface2 on OPNsense). 

My current setup:
1. There is a rule in place that blocks all traffic from DMZ to LAN.
2. All traffic from LAN to DMZ is allowed.
3. HA-proxy is setup and all traffic from WAN gets forwarded properly based on certs to servers in DMZ.

I have no problem accessing the confluence server as https://myconfluence.mydomain from externally.

I need to have access at the same https://myconfluence.mydomain from my PC that is on LAN network.  It appears that OPNsense does not allow traffic to get out on WAN and come back for an internal server.

What rule do I need to setup to allow for this traffic only for a specific alias (IP address of my laptop) on LAN network?

Thanks,

[bartjsmit]

Does it work on the web server internal IP address?

If so, add an entry in your laptop hosts file for the FQDN to point to the internal IP.

Bart...

[ddywz]

Thanks for looking,  No, it does not work by entering IP address of the webserver.

[bartjsmit]

Just to make sure - you are entering the internal (RFC 1918) IP address of the web server, right?

You may want to have a look at your allow rule and see if there are denies in the log

2. All traffic from LAN to DMZ is allowed.

Do both your PC on the LAN and the web server have OPNsense as their default gateway?

Bart...

[ddywz]

No, there is no deny from LAN to DMZ. 

Yes, both PC on LAN and Server in DMZ use the gateways on OPNsense. 

I basically need a Loopback rule

You should be able to create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name.

With Sophos UTM I had before I was able to accomplish this with what they call a FULL NAT rule.

Full NAT is DNAT with the Source IP/traffic also changed. 

See attachment.


How do I do this in OPNsense?

[cookiemonster]

I think there is value in going with the basics first.
If you can't get from private ip in one LAN to the other by private IP then you have to look at firewall rules only.
If you try by domain then you are adding DNS to the mix. I would leave it out for now.

You should be able to create loopback rules from destination NAT rules to allow internal hosts to communicate with other internal hosts over the external IP address or the domain name.

This bit is another layer of complexity, for later. Because if I read it correctly it is different scenario. That is LAN > WAN > DNS resolution back to you > WAN > DMZ.
But I guess you don't want to go out to open internet and then back in to get to your other interface.

[ddywz]

Yes, of course if possible, I would prefer to not get out on internet and come back to access my internal server. 

Let me give some more info on this.  This is a webserver running confluence that has a base directory as https://myserver.mydomain.com.   It can also be accessed as http://myserver:8090

I have deployed HA-Proxy in OPNsense that has all SSL certs for offloading SSL and also re-directing traffic to appropriate internal server. There is a real webserver set in haproxy where the request for https://myserver.mydomail.com maps to http://myserver:8090. All is working well when things are accessed externally. 

So I guess my question is how do I forward my request to HAproxy from an internal LAN PC?  I need to reference the SSL certs that are in the Proxy but when I type https://myserver.mydomain.com  (same as I can access extenally) I cannot access the server.   I can access from my PC in LAN the server in DMZ as http://myserver:8090  which is not the base directory for it.  It is expecting to be accessed as https://myserver.mydomain.com