pfSense blocking SSL connections/apps on unraid


Mlatx


I installed pfSense as a VM on unraid, and it is generally working well. Since unraid is always on, the plan is to use this and get some cheap standalone box as a backup to pfSense. I'm having an issue with HTTPS sites. I have Let's Encrypt, Nextcloud, and OpenVPN installed, and those are where the SSL-related problems I am having show up. At first I had an issue connecting to unraid via SSL. I was able to solve that through this post. The rebind tag in the DNS forwarder was not working, so I added a domain override for unraid.net.

In DNS resolver, I have added this custom text 

server:
    private-domain: "unraid.net"

 

I'm not sure what that is supposed to be doing or if it's working.  Regardless, the SSL issue with logging into unraid was resolved.

 

Regarding Nextcloud, it was working well with my ISP router. I have Let's Encrypt as a reverse proxy for accessing Nextcloud at nextcloud.mydomain.net. OpenVPN was also working well. With pfSense, I cannot access the web GUI for OpenVPN. I can access the OpenVPN server from outside my network, but no packets are being sent back and forth. I cannot access Nextcloud from either my local network or from outside. Let's Encrypt is not giving any issues in the log, so it appears the port forwards are working correctly. What seems to be the problem is that communication is coming in but not going out. I can't find anything on Google on how to fix this issue. It seems like it is a setting that needs to be addressed. Does anyone have any suggestions?


Well, it's always good to resolve your own problems. When I installed pfSense, I changed my private IP scheme to 10.10 from 192.168, and one of the files in Nextcloud was configured with the old IP. So now it's working. In case anyone is having difficulty with SSL connections to hosts/apps within unraid, I put the following info into DNS Resolver at the bottom for adding a host override. I'm connecting via SSL to unraid.

host - long chain of characters before unraid.net in your address bar
parent domain - unraid.net
IP - unraid IP address
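The three host-override fields above map onto two Unbound directives (an A record and its PTR), and the "private-domain" line from the first post is Unbound's exemption from DNS rebinding protection: pfSense's rebind check lists the RFC 1918 ranges under private-address, and private-domain tells Unbound that answers under that domain are allowed to contain such private addresses. The script below is an added example, not code from this thread or from pfSense; it builds the equivalent Unbound directives from the same three inputs and rejects the two inputs most likely to produce a "cannot be parsed by unbound" error: a host field that still contains "https://", and an IP that is not an address. The function and variable names are my own.

```python
import ipaddress
import re

# One DNS label (RFC 1123 hostname rules): 1-63 chars, letters, digits and
# hyphens, no leading or trailing hyphen. A leading digit is allowed, which
# matters because the unraid hash hostnames start with digits.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host_label(host: str) -> str:
    """Return the bare host label, or raise ValueError explaining why it is unusable."""
    if "://" in host or "/" in host:
        raise ValueError(
            f"host {host!r} looks like a URL; enter only the part of the hostname "
            "before the parent domain, without https://"
        )
    if "." in host:
        raise ValueError(f"host {host!r} must be a single label; the rest belongs in the parent domain")
    if not _LABEL_RE.match(host):
        raise ValueError(f"host {host!r} is not a valid DNS label")
    return host.lower()


def validate_domain(domain: str) -> str:
    """Return the parent domain without a trailing dot, or raise ValueError."""
    labels = domain.strip(".").split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"parent domain {domain!r} is not a valid domain name")
    return ".".join(labels).lower()


def build_host_override(host: str, parent_domain: str, ip: str) -> list[str]:
    """Unbound directives equivalent to a pfSense DNS Resolver host override (forward + reverse)."""
    label = validate_host_label(host)
    domain = validate_domain(parent_domain)
    addr = ipaddress.ip_address(ip)  # raises ValueError on placeholders like "192.xxx.xx.xx"
    fqdn = f"{label}.{domain}"
    rrtype = "A" if addr.version == 4 else "AAAA"
    return [
        f'local-data: "{fqdn}. {rrtype} {addr}"',
        f'local-data-ptr: "{addr} {fqdn}"',
    ]


def rebind_exception(domain: str) -> str:
    """Unbound server clause that allows private addresses in answers for one domain."""
    return f'server:\n    private-domain: "{validate_domain(domain)}"\n'


def is_rejected(host: str, parent_domain: str, ip: str) -> bool:
    """True when the inputs would not produce a valid override (used for quick checks)."""
    try:
        build_host_override(host, parent_domain, ip)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed sample values: a made-up hash label and a made-up LAN address.
    for line in build_host_override("402abc", "unraid.net", "10.10.0.5"):
        print(line)
    print(rebind_exception("unraid.net"))
    try:
        build_host_override("https://402abc", "unraid.net", "10.10.0.5")
    except ValueError as err:
        print("rejected:", err)
```

The two rejections mirror the error list posted later in this thread: Unbound tokenises "https://402..." into the unknown keywords 'host', 'https' and '//402...' because the whole URL was pasted as the hostname, and a masked IP is not an address at all. Validating before saving keeps the resolver from being restarted with a config it cannot load.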

  • 2 months later...
On ‎11‎/‎9‎/‎2018 at 12:33 AM, Mlatx said:

Well, it's always good to resolve your own problems. When I installed pfSense, I changed my private IP scheme to 10.10 from 192.168, and one of the files in Nextcloud was configured with the old IP. So now it's working. In case anyone is having difficulty with SSL connections to hosts/apps within unraid, I put the following info into DNS Resolver at the bottom for adding a host override. I'm connecting via SSL to unraid.

host - long chain of characters before unraid.net in your address bar
parent domain - unraid.net
IP - unraid IP address 

 

I have the same issue and tried your solution. However, I get a long series of errors from pfSense. Could you kindly share a screenshot or the syntax you used to get this working? The errors I get are:

 

The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/unbound.conf:114: error: unknown keyword 'host'
    /var/unbound/test/unbound.conf:114: error: stray ':'
    /var/unbound/test/unbound.conf:114: error: stray '"'
    /var/unbound/test/unbound.conf:114: error: unknown keyword 'https'
    /var/unbound/test/unbound.conf:114: error: stray ':'
    /var/unbound/test/unbound.conf:114: error: unknown keyword '//402xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    /var/unbound/test/unbound.conf:114: error: stray '"'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'parent'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'domain'
    /var/unbound/test/unbound.conf:115: error: stray ':'
    /var/unbound/test/unbound.conf:115: error: stray '"'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'unraid.net'
    /var/unbound/test/unbound.conf:115: error: stray '"'
    /var/unbound/test/unbound.conf:116: error: unknown keyword 'IP'
    /var/unbound/test/unbound.conf:116: error: stray ':'
    /var/unbound/test/unbound.conf:116: error: stray '"'
    /var/unbound/test/unbound.conf:116: error: unknown keyword '192.xxx.xx.xx'
    /var/unbound/test/unbound.conf:116: error: stray '"'
    read /var/unbound/test/unbound.conf failed: 18 errors in configuration file

 

Thanks for your help

  • 3 weeks later...
On 1/21/2019 at 4:35 PM, Do2a-2d said:

 

I have the same issue and tried your solution. However, I get a long series of errors from pfSense. Could you kindly share a screenshot or the syntax you used to get this working? The errors I get are:

 

The generated config file cannot be parsed by unbound. Please correct the following errors:
    /var/unbound/test/unbound.conf:114: error: unknown keyword 'host'
    /var/unbound/test/unbound.conf:114: error: stray ':'
    /var/unbound/test/unbound.conf:114: error: stray '"'
    /var/unbound/test/unbound.conf:114: error: unknown keyword 'https'
    /var/unbound/test/unbound.conf:114: error: stray ':'
    /var/unbound/test/unbound.conf:114: error: unknown keyword '//402xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    /var/unbound/test/unbound.conf:114: error: stray '"'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'parent'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'domain'
    /var/unbound/test/unbound.conf:115: error: stray ':'
    /var/unbound/test/unbound.conf:115: error: stray '"'
    /var/unbound/test/unbound.conf:115: error: unknown keyword 'unraid.net'
    /var/unbound/test/unbound.conf:115: error: stray '"'
    /var/unbound/test/unbound.conf:116: error: unknown keyword 'IP'
    /var/unbound/test/unbound.conf:116: error: stray ':'
    /var/unbound/test/unbound.conf:116: error: stray '"'
    /var/unbound/test/unbound.conf:116: error: unknown keyword '192.xxx.xx.xx'
    /var/unbound/test/unbound.conf:116: error: stray '"'
    read /var/unbound/test/unbound.conf failed: 18 errors in configuration file

 

Thanks for your help

Just delete "https://" from your host! You must write only the long alphanumeric string!

Please see Mlatx's post above!

  • 11 months later...
On 11/9/2018 at 12:33 AM, Mlatx said:

Well, it's always good to resolve your own problems. When I installed pfSense, I changed my private IP scheme to 10.10 from 192.168, and one of the files in Nextcloud was configured with the old IP. So now it's working. In case anyone is having difficulty with SSL connections to hosts/apps within unraid, I put the following info into DNS Resolver at the bottom for adding a host override. I'm connecting via SSL to unraid.

host - long chain of characters before unraid.net in your address bar
parent domain - unraid.net
IP - unraid IP address

 

Hi,

 

I have the IDENTICAL problem to yours. But your solution didn't work for me.

I need help.

I used to have a TP-Link router, and accessing https://nextcloud.mydomain.com was working fine, within and outside of my home (local network). I then installed pfSense, used 10.10.x.x instead of 192.168.x.x, and my setup is:

Shortly after I installed pfSense, I could not access https://nextcloud.mydomain.com any longer, until I found something interesting. When I was using browsers with a VPN, this happened:

It's obvious that IPs are being blocked/blacklisted somewhere. BUT WHERE?

 

I looked in Nextcloud's MySQL table oc_bruteforce_attempts and deleted all entries. No change to the above scenario.

I do not have any add-on packages installed on pfSense.

 

Any ideas where IPs are blacklisted?

6 minutes ago, emod said:

Any ideas where IPs are blacklisted?

If you're using pfBlockerNG on pfSense, make sure you don't block the GeoIP regions you wanna access your server from.

 

All traffic marked blue is blocked, and only access from Germany is allowed in this example.

You have to unselect every region you want to allow access from.

 

[screenshot: pfBlockerNG GeoIP region selection]

2 minutes ago, bastl said:

If you're using pfBlockerNG on pfSense, make sure you don't block the GeoIP regions you wanna access your server from.

 

All traffic marked blue is blocked, and only access from Germany is allowed in this example.

You have to unselect every region you want to allow access from.

 

[screenshot: pfBlockerNG GeoIP region selection]

Hi,

No, I'm not using pfBlockerNG. As I mentioned, I have NO PACKAGES installed on pfSense.

Is there a place where pfSense auto-blocks IPs?

Just now, emod said:

On Snort & Suricata: these are add-on packages, which, again, I have not installed. Are you saying Snort & Suricata are somehow integrated within pfSense by default on install of the pfSense OS?

No, they are not installed by default, but lots of people are using them; that's why I asked.

1 minute ago, emod said:

How do you access the firewall logs on pfSense?

Status >>> System Logs >>> Firewall


Solved PARTIALLY. The problem was pfSense's default firewall blocking TONS of IPs at:

Status/System Logs/Firewall..

pfSense's default rule denies an incredible number of IPs, but without options on how to modify it. From that interface, you can whitelist/blacklist individual entries, but the issue is they go down to port level.

 

Where can one edit "Default deny rules IPv4" on a broader level?

 


@emod Absolutely make sure you know what you are doing and whitelist the right IPs you wanna have access from. Keep in mind, allowing access from a VPN provider's IP allows every user of the same VPN endpoint access!!! Also, these IPs might change.

 

You better watch the following video and set it up the secure way.

 

 

 

 
