
Author Topic: Reaching webserver in DMZ on domain name  (Read 140 times)


nelalith
Reaching webserver in DMZ on domain name
« on: November 22, 2017, 03:27:48 pm »
Hi Guys,

I am new to firewalls and networking, so I am learning with this.
This question must have been asked before, but I could not find a solution. I have tried to resolve this issue for hours... and I am giving up. I hope someone can help me.

I have pfSense configured with a WAN, LAN and DMZ. I created a webserver in the DMZ with www.webserver.com (I have bought a domain name for this). From the outside this works fine with HTTP and HTTPS. The problem is that I cannot reach the webserver on www.webserver.com, but only with the IP of the DMZ server....

I tried some things with the DNS forwarder and resolver, but with no success.

I really hope someone can help me, and sorry if I placed this in the wrong topic; I did not know for sure.

Regards,
Koen

johnpoz
Re: Reaching webserver in DMZ on domain name
« Reply #1 on: November 22, 2017, 05:18:31 pm »
Set up a host override to point www.webserver.com to the RFC 1918 address of your webserver in the DMZ. Done.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)

nelalith
Re: Reaching webserver in DMZ on domain name
« Reply #2 on: November 23, 2017, 02:19:29 pm »
That is not working....

When I created that rule, I got a pfSense web page with the error:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.

A friend made some config changes and created a rule so that ALL the traffic was forwarded to www.webserver.com.

So www.google.com was forwarded to www.webserver.com
www.youtube.com was forwarded to www.webserver.com


johnpoz
Re: Reaching webserver in DMZ on domain name
« Reply #3 on: November 24, 2017, 04:53:06 am »
It's a simple host override.

Your server sits on 192.168.1.100: create a host override in either the resolver or the forwarder, whichever you're using, to point your FQDN www.domain.com to 192.168.1.100.

There is no rebind attack in this scenario... There would be for sure if your public DNS is pointing to an RFC 1918 address? Did you try and do that on your public DNS? The host override is done on pfSense, so clients using pfSense get this answer. Clients on the public internet would get whatever your public IP is for your pfSense WAN address and be forwarded in.
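Added example, not part of the thread: a small Python check that classifies the split-DNS cases discussed above from two A-record answers, the one internal clients get from pfSense and the one the public DNS returns. The function name, result tags and all addresses except 192.168.1.100 are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges (the "rfc1918 address" in the replies above).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def diagnose(internal_answer, public_answer, dmz_server, firewall_addrs):
    """Classify a split-DNS setup (hypothetical helper, tags are made up here).

    internal_answer: A record the pfSense resolver/forwarder gives LAN clients
    public_answer:   A record the public DNS gives internet clients
    dmz_server:      private address of the web server in the DMZ
    firewall_addrs:  addresses owned by the firewall itself
    """
    internal = ipaddress.ip_address(internal_answer)
    tags = []
    # A private address in public DNS is the case rebind protection is for.
    if is_rfc1918(public_answer):
        tags.append("public-dns-private")
    if internal == ipaddress.ip_address(dmz_server):
        # Host override in place: internal clients go straight to the server.
        tags.append("override-ok")
    elif internal in {ipaddress.ip_address(a) for a in firewall_addrs}:
        # Name resolves to the firewall, so the browser reaches the firewall.
        tags.append("lands-on-firewall")
    elif not is_rfc1918(internal_answer):
        # Internal clients get a public address, same as internet clients.
        tags.append("no-override")
    else:
        # Private answer, but not the web server: override points elsewhere.
        tags.append("override-wrong-host")
    return tags

# Constructed sample values: 203.0.113.10 stands in for the WAN address,
# 192.168.1.1 and 192.168.10.1 for the DMZ and LAN interface addresses.
DMZ_SERVER = "192.168.1.100"
FIREWALL = ["203.0.113.10", "192.168.1.1", "192.168.10.1"]

if __name__ == "__main__":
    cases = {"override set": ("192.168.1.100", "203.0.113.10"),
             "no override": ("203.0.113.10", "203.0.113.10"),
             "private in public DNS": ("192.168.1.100", "192.168.1.100")}
    for name, (inside, outside) in cases.items():
        print(name, diagnose(inside, outside, DMZ_SERVER, FIREWALL))
```

In practice the two inputs come from querying the pfSense address and a public resolver for the same name from a LAN client.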