blaine07 Posted December 4, 2019

I posted this on Reddit, too, but forgive me for reaching out here as well.

Good evening. Hoping someone can get me pointed in the best direction possible. Going to try to outline my setup as best as possible, but it's possible I'll leave something out.

- pfSense: 192.168.1.1 (DNS Resolver ON / DNS Forwarder OFF) (the DNS handed out by DHCP is the Pi-hole address below)
- Unraid server: 192.168.1.5
- Pi-hole: 192.168.1.55
- Letsencrypt: on the Unraid network "proxynet", 172.18.0.0/16
- Proxied services: all on "proxynet", defined above.
- The proxied services all go through the Cloudflare CDN, then to my WAN IP by way of an A record.

Apps in question: Bitwarden, Nextcloud/Collabora, Guacamole and Emby.

I have my reverse proxy all set up, seemingly fine. I can browse to nextcloud.domain.net and get to NC, etc.

So what I need help with: I can't for the life of me figure out how to do split DNS with my setup configured like this. I've tried setting up NAT a kazillion ways, pointing the above (nextcloud.domain.net, etc.) to 192.168.1.5, and no dice. With NAT it doesn't let me predetermine port numbers? I've tried messing with port forwards from and to different interfaces as well and just can't figure it out. The port numbers coming into Letsencrypt are 180/1443. I have also been setting up a Host Override in the DNS Resolver in pfSense, to no avail as well. All my DNS hits Pi-hole, and it has conditional forwarding to forward local-domain stuff back to pfSense to be resolved, but obviously it doesn't catch the FQDNs of my reverse-proxied stuff. In pfSense > System > Advanced > Firewall & NAT I currently have NAT Reflection mode set to "Pure NAT", but I've also tried "NAT + Proxy" as well, without success. I've also wondered if I have issues here because I have my proxied apps hitting the Cloudflare CDN, and from Cloudflare being A-recorded to my pfSense instance. So perhaps Cloudflare being involved is why pfSense NAT can't pick up on the fact that these services at my domain are local?

So, what do I need? Any and ALL advice if anyone has a similar setup or has gone through figuring this out? Pointers? Tips? When messing with NAT myself, which exact IP and PORT should I be pointing to for services, despite the actual services being on different ports on Unraid?

Please. Help. Before. I. Go. Crazy. Lol. Thanks!
blaine07 Posted December 5, 2019

Any suggestions? Anything?
blaine07 Posted December 5, 2019

Somebody surely must have some suggestion(s)? Sad day.
ijuarez Posted December 7, 2019

I've read your post a couple of times, but it's not clear to me what you want to do. Why do you have the Pi doing the DHCP instead of pfSense?
blaine07 Posted December 7, 2019

> I've read your post a couple of times, but it's not clear to me what you want to do. Why do you have the Pi doing the DHCP instead of pfSense?

Pi-hole is only doing DNS. What I'm trying to accomplish: working NAT for locally hosted subdomains. What I think the problem is: Pi-hole not making pfSense aware of the subdomains hosted locally, OR pfSense not automatically picking up on NAT because Cloudflare is proxying connections before forwarding back to the local server/services.
ijuarez Posted December 7, 2019

> Pi-hole is only doing DNS. What I'm trying to accomplish: working NAT for locally hosted subdomains. What I think the problem is: Pi-hole not making pfSense aware of the subdomains hosted locally, OR pfSense not automatically picking up on NAT because Cloudflare is proxying connections before forwarding back to the local server/services.

Ah! I don't use the Pi-hole, but what you'll need is a DNS resolver. I use pfSense but employ the DNS Resolver and DNS Forwarder; that's how I get to my proxied apps from within my network. Also, you may google hairpinning on pfSense; that may help you out.
blaine07 Posted December 7, 2019

> Ah! I don't use the Pi-hole, but what you'll need is a DNS resolver. I use pfSense but employ the DNS Resolver and DNS Forwarder; that's how I get to my proxied apps from within my network. Also, you may google hairpinning on pfSense; that may help you out.

What does "employ dns" run on? Yeah, I figured out with Pi-hole how to forward domains to the Unraid server (IP), BUT Letsencrypt listens on ports 180 and 1443, and when forwarding with Pi-hole I can't specify a port. Any info you could provide about "employ dns" would be appreciated! I've even tried setting up another reverse proxy on Unraid to forward locally, but it won't let me use it on ports 80/443, so I just seem to be jammed up every which way I turn.

EDIT: I'm an idiot. You USE Resolver AND Forwarder on pfSense. At any rate, please provide any and all relevant details. Maybe I'll have to take Pi-hole out of the loop and just use pfBlocker only instead, I guess. I didn't think it was suggested to run both Forwarder and Resolver, though?

EDIT2: Yeah, with Cloudflare in between I've tried pfSense NAT + Proxy but failed every which way I've tried it.
ijuarez Posted December 7, 2019

> What does "employ dns" run on? Yeah, I figured out with Pi-hole how to forward domains to the Unraid server (IP), BUT Letsencrypt listens on ports 180 and 1443, and when forwarding with Pi-hole I can't specify a port. Any info you could provide about "employ dns" would be appreciated! I've even tried setting up another reverse proxy on Unraid to forward locally, but it won't let me use it on ports 80/443, so I just seem to be jammed up every which way I turn.

Sorry for the "employ" phrase. What I meant is I use the pfSense DNS Resolver and Forwarder. You don't have to use 180/1443 for the container; you can use anything else as long as the external stays 80/443.
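Two points in this exchange are easier to see with a check in hand, so here is an added example; it is not code from the thread or from pfSense, Pi-hole, Unraid or the Letsencrypt container. First, DNS maps a name to an address, never to a port: an override that sends nextcloud.domain.net to 192.168.1.5 makes the browser connect to 192.168.1.5:443, so it reaches whatever owns 443 on that host, not the proxy listening on 1443. Second, pfSense NAT reflection only rewrites traffic addressed to the firewall's own WAN address; with the public record proxied through Cloudflare, a LAN client with no override gets a Cloudflare edge IP and simply hairpins out through the CDN, so there is nothing for reflection to act on. The script resolves a name through the client's configured resolver (Pi-hole, per the DHCP setup described earlier), classifies the answer, probes 443 and the container port, and checks that 443 actually presents a certificate for the name. The hostname, the 1443 port and the 192.168.1.x addresses come from the thread; the Cloudflare range snapshot and the verdict labels are this example's own assumptions, as marked in the code.

```python
"""Split-DNS / port sanity check for a reverse proxy behind pfSense and Pi-hole.

Added example, not code from the thread. Assumed values, taken from the thread:
Pi-hole at 192.168.1.55 is the LAN resolver, the proxy container runs on the
Unraid host 192.168.1.5 and is published on 180/1443 rather than 80/443, and
the public A record is proxied through Cloudflare.
"""
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 edge ranges (cloudflare.com/ips-v4).
# Assumption: the list is current; refresh it before trusting a "cloudflare" verdict.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def classify_answer(ip_str):
    """Say where an A-record answer actually leads a LAN client."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_private:
        return "lan"          # an override is in effect; traffic stays on the LAN
    if any(ip in net for net in CLOUDFLARE_V4):
        return "cloudflare"   # public record leaked through; client hairpins via the CDN
    return "public"           # e.g. the WAN IP; only works if NAT reflection applies


def verdict(answer_ip, open_ports, proxy_port=1443, cert_ok=None):
    """Decision logic kept free of network calls so it can be tested offline.

    open_ports: TCP ports that accepted a connection on answer_ip.
    cert_ok: whether 443 presented a certificate valid for the name
             (None when 443 was not open or not probed).
    """
    where = classify_answer(answer_ip)
    if where == "cloudflare":
        return "hairpin-via-cdn"        # no override; reflection cannot help, answer is not the WAN IP
    if where == "public":
        return "needs-nat-reflection"   # only works if pfSense reflects WAN:443 to the proxy
    if 443 in open_ports and cert_ok:
        return "ok"
    if 443 in open_ports and cert_ok is False:
        return "wrong-service-on-443"   # something else (e.g. the host's own web UI) owns 443
    if proxy_port in open_ports:
        return "proxy-not-on-443"       # DNS carries no port; publish the proxy on 443 or redirect 443
    return "unreachable"


def tcp_open(ip, port, timeout=2.0):
    """True if ip:port accepts a TCP connection within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def cert_matches(ip, name, timeout=2.0):
    """Connect to ip:443 with SNI=name and let the default context verify the
    chain and hostname. False means 443 answered, but not for this name."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


def check(name, proxy_port=1443):
    """Resolve via the system resolver (Pi-hole on a LAN client here), probe
    443 and the container port, and return (answer_ip, verdict)."""
    answer = socket.gethostbyname(name)
    open_ports = {p for p in (443, proxy_port) if tcp_open(answer, p)}
    cert_ok = cert_matches(answer, name) if 443 in open_ports else None
    return answer, verdict(answer, open_ports, proxy_port, cert_ok)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.domain.net"  # assumed name
    print(check(host))
```

Run it from a LAN client with the hostname as the argument. A `proxy-not-on-443` verdict is the situation described in the posts above: the override resolves locally, but the browser's connection lands on 443 while the container is published on 1443. The fixes are either to publish the container on 80/443 (on Unraid that means moving the host's own web UI off those ports or giving the container its own LAN IP) or to point the override at the pfSense LAN address and add a LAN-side port forward from 443 to 192.168.1.5:1443, after moving the pfSense web GUI off 443. The override itself is a Host Override in the pfSense resolver, or in Pi-hole a dnsmasq line of the form `address=/nextcloud.domain.net/192.168.1.5` under /etc/dnsmasq.d/. A `hairpin-via-cdn` verdict means no override is in effect and the LAN client is going out to Cloudflare and back, which also means Cloudflare terminates TLS for traffic that never needed to leave the LAN.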
blaine07 Posted December 7, 2019

> Sorry for the "employ" phrase. What I meant is I use the pfSense DNS Resolver and Forwarder. You don't have to use 180/1443 for the container; you can use anything else as long as the external stays 80/443.

Yeah, not sure I'm prepared to change all the ports and have to set up all the subdomain.conf files again. Can you please explain more (see my idiot edits above, LOL) about how you are using both Resolver and Forwarder? Would you recommend maybe I just take Pi-hole out of the equation? Could you show screenshots of your settings for Resolver and Forwarder and the DNS settings under General Setup? PM me, maybe, if you don't want redacted info in public?
ijuarez Posted December 7, 2019

> Sorry for the "employ" phrase. What I meant is I use the pfSense DNS Resolver and Forwarder. You don't have to use 180/1443 for the container; you can use anything else as long as the external stays 80/443.

https://nguvu.org/pfsense/pfsense-baseline-setup/

Look at the parts where this guy uses the resolver and forwarder.
ijuarez Posted December 7, 2019

> Yeah, not sure I'm prepared to change all the ports and have to set up all the subdomain.conf files again. Can you please explain more (see my idiot edits above, LOL) about how you are using both Resolver and Forwarder? Would you recommend maybe I just take Pi-hole out of the equation? Could you show screenshots of your settings for Resolver and Forwarder and the DNS settings under General Setup? PM me, maybe, if you don't want redacted info in public?

I took my Pi-hole out because it kept dying or freezing up. It was never because I could not configure the reverse proxy stuff.
blaine07 Posted December 7, 2019

> https://nguvu.org/pfsense/pfsense-baseline-setup/
>
> Look at the parts where this guy uses the resolver and forwarder.

Just read through it. Essentially he's doing the same thing as I am currently... well, I mean using the DNS Resolver for one specific network and the Forwarder for another network. I'm currently using Pi-hole for the adult network and pfBlocker for the kids' network. Not sure using the DNS Resolver and Forwarder how he is would help me any, though... Goodness, one wouldn't think this would be this hard.