That traffic is now allowed and is now showing success in a subsequent query.
Additional:
Firewall > NAT
Port forward set to that NAT private IP of my server using alias only allowing port 80 and 443.
Outbound NAT Mode set to Automatic
System > Advanced > Firewall & NAT
NAT Reflection mode for port forwards = PureNAT
Enable NAT Reflection for 1:1 NAT (not checked)
What am I seeing here with these logs of this private NAT IP address of my server trying to navigate to its own web service? Typical Ubuntu Linux activity that ends up going out to the internet and right back at itself? Bot? I thought maybe the WordPress admin web UI, but I've been able to use it to log in without issue (maybe it fails first, then gets around the failure via domain name and routing outside then back in?).
Not that I could tell. Website server over the interwebz, I can log into the WordPress admin GUI, I can SSH in from LAN.
When set to block, that firewall rule ID (been meaning to make a lookup table of them so I get the plain name) is the firewall 'deny DMZ to private addresses'.
I'm going to SSH in and have it ping itself with and without the allow rule for itself, after my fail2ban clears my IP, as I just banned myself...
Only thing I can think of is that LAMP box is denying traffic from localhost => interface IP, so it’s going out to the router and coming back as interface IP => interface IP.
But idk why it would be communicating with itself that way. Maybe it’s making API calls?
Can't make sense of it, as now that it's allowed it just keeps trucking by 2s, meaning the source port goes up by 2 each contact (e.g. 39924, 39926, 39928, 39930).
Ah yeah, so since there’s no switch, everything goes to the router, even if it would normally just bounce back on a switch. To replicate a switch, you could allow all in/out traffic on the same interface.
That said, I'm pretty sure sending traffic to an interface port is usually handled internally by the OS, but I don't remember precisely.
My guess is API calls, but you’d have to inspect (and decrypt) the packet to know for sure.
Neat, so that explains why it's even making it to the router to be logged vs. handled at L2. I'm going to poke at logs to see if this is some typical service to check oneself's 443; likely some default/standard WordPress feature to notify one if the site is down?
Could it be DNS? If some part of the server is trying to connect to another part using the domain name, and that domain name resolves to your public IP, then that traffic would try to go out the WAN and back in. In my system I have the local DNS server configured so that all the public domain names resolve to their local addresses within the local network.
Oh yeah, I didn't think about that. Would the IP in the firewall logs be pre- or post-NAT? Because if it's translating the public IP, it would appear that the private IP is talking to itself.
Punched that into a query (src_ip and dest_ip both being the private webserver IP): some of the outbound traffic from my private IP webserver is going out to port 53 with the same timestamp as return traffic back to 443. Not perfect parity.
Looks like it reaches out and then there are a few attempts after the query to connect (I disabled the rule allowing that webserver's private IP to talk to its own private IP).
Case might be closed boys! /gals/peeps/peoples. Still interesting though, why is the webserver asking DNS about itself? Maybe a typical LAMP heartbeat? Maybe I can set up the hosts file to stop this?
Now to figure out how to set up the DNS server as Dexter_Kane described.
Since I have some heavy hitters here, somewhat on topic but changing course, how does one grab a list of pfsense firewall rule Tracking ID and then Description? Maybe some grep magic when SSH’ed in?
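The query described above (server IP as both source and destination, checked against DNS traffic at the same timestamp), as an added example that is not part of the original thread: a small Python script that parses constructed, simplified log lines (not real pfSense filterlog output; the 192.168.50.x addresses are placeholders), flags hairpinned server-to-itself connections, notes whether a port 53 lookup preceded each one, and reports the source-port stride.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simplified layout (not real pfSense filterlog output):
# timestamp action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2024-01-01T10:00:00 pass udp 192.168.50.10 41000 192.168.50.1 53
2024-01-01T10:00:00 pass tcp 192.168.50.10 39924 192.168.50.10 443
2024-01-01T10:00:30 pass tcp 192.168.50.10 39926 192.168.50.10 443
2024-01-01T10:01:00 pass udp 192.168.50.10 41001 192.168.50.1 53
2024-01-01T10:01:01 block tcp 192.168.50.10 39928 192.168.50.10 443
2024-01-01T10:05:00 pass tcp 192.168.50.20 51000 192.168.50.10 443
"""


def parse_log(text):
    """Turn the simplified log lines into dicts with typed fields."""
    entries = []
    for line in text.splitlines():
        ts, action, proto, src, sport, dst, dport = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "action": action,
                        "proto": proto, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport)})
    return entries


def hairpin_report(entries, server_ip, window=timedelta(seconds=2)):
    """Find server->itself connections and note whether a DNS query preceded each.

    A connection counts as DNS-correlated when the server sent a port 53 query
    at most `window` before it (the pattern seen when a hostname resolves to the
    public IP and the traffic hairpins through the router).
    """
    dns_times = [e["ts"] for e in entries
                 if e["src"] == server_ip and e["dport"] == 53]
    hits = []
    for e in entries:
        if e["src"] == server_ip and e["dst"] == server_ip:
            preceded = any(timedelta(0) <= e["ts"] - t <= window for t in dns_times)
            hits.append({"ts": e["ts"], "sport": e["sport"], "action": e["action"],
                         "dns_lookup_first": preceded})
    # Stride between consecutive source ports (the thread observed +2 per contact).
    sports = [h["sport"] for h in hits]
    strides = {b - a for a, b in zip(sports, sports[1:])}
    return {"hits": hits,
            "dns_correlated": sum(h["dns_lookup_first"] for h in hits),
            "port_strides": strides}


if __name__ == "__main__":
    print(hairpin_report(parse_log(SAMPLE_LOG), "192.168.50.10"))
```

Run it against your own export by replacing SAMPLE_LOG with lines in the same seven-field layout; a high `dns_correlated` count is the signature of the hostname-resolves-to-public-IP case discussed above.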
Basically you just set domain overrides in the DNS resolver for all the entries you have in your external DNS server, except you use the local IP addresses. The only entries which will be tricky are for MX records or TXT records or anything like that as you’ll have to enter those manually in the custom options box.