Need help with port forwarding setup

Started by open2bsafe, January 08, 2025, 10:36:33 PM

I have an issue getting a local host port forward to be accessible both inside and outside.

If I use my mobile phone's mobile network, I can access the server without issue, with the correct SSL certificate.
This server has a certificate and uses DDNS for domain name lookup.

However, things don't work from here.

1. From Interfaces->Diagnostics->Trace Route, the server host name returns the local address (192.168.x.x) instead of the external address.
2. From a local client machine, I ping the server, and I get "domain name not found".
3. When I edit the local client's network settings to use Google's DNS 8.8.8.8, I see the machine, but I get a "rebinding DNS attack" message, and the certificate is an OPNsense-generated one, not my host's certificate.
4. I played with port forwarding reflection (enabled, override, etc.) without much success: either I see the OPNsense web GUI config instead of my server, or the rebinding attack notice, or it does not work at all (I enable the OPNsense GUI only for LAN in the System settings).
5. Restarts do not help.
6. When using Netskope VPN on one client machine, I tried to access the DMZ server, without success. When I ping it, it shows the "local" 192.168.x.x address instead. However, I was able to use the numeric IP address and see the site, with a security warning due to the SSL certificate issue.

If I change the "hosts" file to use the local address, everything works. But this is not a good option (just for testing), because I don't have access to this file on devices such as Android phones, etc.

The configuration is somewhat similar to pfSense. With pfSense, I managed to get "outside" to work properly, but internally I have to use the raw IP, which is fine.

Somehow with OPNsense, the external network appears to work with the mobile phone network, but not with Netskope. pfSense works externally.

Thanks.

Add a host override in Unbound DNS (presuming you're using Unbound) and point it to the local IP of the server.

Remember to flush the client's DNS cache before testing again.

Thank you. I had something like that before. I am doing it again, but with the DNS cache flush. I am not sure of the correct way, but I checked the box for "Flush DNS Cache during reload" in General settings, applied, and restarted the server. That didn't work though.

Locally, I still have this message:

"A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration"

And the SSL certificate is still the generated one from OPNsense.

Accessing via Netskope still does not work (site can't be reached). It still points to the local address, not the external address.

Accessing via Phone's mobile network still works fine.


I meant flushing the DNS cache on the client computer from which you access the server.

Quote from: open2bsafe on January 08, 2025, 11:57:13 PM

Locally, I still have this message:

"A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration"

And the SSL certificate is still the generated one from OPNsense.

This indicates that the host name resolves to the WAN IP. Hence either the host override is wrong or the WAN IP is still in the DNS cache.
Just do an nslookup to make sure that the host override works. Note that this does a new lookup, while the browser may still use the cached DNS records. Also consider deleting the browser's history, since the browser may cache IP resolutions on its own.

If the certificate is from OPNsense, then you obviously missed setting OPNsense's port to something different than 443 and still try to use that port for forwarding. So the certificate you get is the one from the OPNsense GUI.

You should use a different port for OPNsense, then port-forward port 443 with reflection to your internal machine, which hopefully handles TLS by itself. You could also open port 443 and then use a reverse proxy like Caddy or HAProxy for TLS termination. There are guides in the tutorial section on how to do this.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
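The two checks the reply above recommends, as an added diagnostic script that is not from this thread or from the OPNsense project: it asks the LAN resolver (Unbound on the firewall) and a public resolver for the name, classifies each answer as a private address (the host override is answering) or a public one (no override, or a stale client cache), and shows the subject of the certificate actually served on port 443. It assumes dig and openssl are installed; the resolver addresses 192.168.1.1 and 8.8.8.8 are assumed defaults that can be overridden with the RESOLVER_LAN and RESOLVER_PUBLIC environment variables.

```shell
#!/bin/sh
# Added example script; resolver defaults below are assumptions, not values from the thread.

is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# lan  = RFC 1918 address: a host override is answering
# wan  = public address: no override, or the client still has the WAN IP cached
# none = no A record at all
classify_resolution() {
  [ -z "$1" ] && { echo none; return; }
  if is_private_ip "$1"; then echo lan; else echo wan; fi
}

# First A record for a name from a given resolver (needs network access).
resolve_a() {
  dig @"$2" +short +time=3 A "$1" 2>/dev/null \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Subject of the certificate served on 443 with SNI. An OPNsense-generated
# subject here means the connection is landing on the firewall GUI, not the server.
cert_subject() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

check_host() {
  name="$1"
  lan_ip=$(resolve_a "$name" "${RESOLVER_LAN:-192.168.1.1}")
  pub_ip=$(resolve_a "$name" "${RESOLVER_PUBLIC:-8.8.8.8}")
  echo "LAN resolver answer:    ${lan_ip:-<none>} ($(classify_resolution "$lan_ip"))"
  echo "Public resolver answer: ${pub_ip:-<none>} ($(classify_resolution "$pub_ip"))"
  echo "Certificate on 443:     $(cert_subject "$name")"
  [ "$(classify_resolution "$lan_ip")" = lan ] || \
    echo "LAN clients are not getting the override: check the Unbound entry and flush the client cache"
}

# Usage: sh check_override.sh www.example.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it once from a LAN client and once from a client on the VPN or mobile network; the LAN run should report "lan" and the certificate subject should name your server, not the firewall.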

[update]

When I add the override, a local machine cannot get to the server (ping says "could not find the host ..., please check the name and try again").

With Netskope VPN, it does not work either. However, when I disabled/deleted the override, I was able to get to the server without "www" in front with Netskope VPN. It still does not work with www.<mysever...>.com

When I ping from the client that has Netskope VPN, it shows the external IP for the host name without "www", and the "local" IP for the host name with "www".

Did I set up something wrong somewhere?

Let me try to flush the client DNS cache and see how it goes.

Good news! When I flush the cache on the client with Netskope VPN, I am able to get to the server with or without "www" in front. This is with the overrides disabled.

When the overrides are enabled (I made sure to have two overrides, with and without "www", rather than using *), flushing the DNS and pinging would time out.