I’m running a wildcard domain (e.g. an A record for *.domain.name points to my public IP), hosted on Cloudflare. I’m running a pfSense firewall which port-forwards 443 to the home server’s private IP, and then the server has an instance of Traefik 1.7 running on Docker which sends incoming traffic for the various subdomains to the proper services. If I completely bypass DNS on the pfSense (e.g. forwarding without any host overrides) and assign 22.214.171.124 as the DNS server in System / General / DNS Server Settings on the pfSense, everything works fine: LAN clients query DNS via 126.96.36.199, Cloudflare assigns SSL certs to the wildcard domain, and traffic gets sent to the proper service based on subdomain via Traefik.

Part of the reason I’m using DNS forwarding is that using the pfSense as a DNS resolver was highly idiosyncratic, which I suspect was probably due to some limitation preventing access to the root resolvers (perhaps the ISP?). I haven’t done a deep dive as to why this is the case, as things generally seem to be working fine without it.
The one problem is that this also forces all network traffic which originates within my LAN to go out to the internet and then come back into the network via the WAN port on my pfSense. This is incredibly inefficient for things like Nextcloud and video streaming via Jellyfin, has been causing performance issues, and wastes internet bandwidth unnecessarily. It seems sensible to simply set up a host override for those subdomains (e.g. jellyfin.domain.name).
However, as soon as I set up host overrides, those services fail with an HTTP 302, which I believe is an issue with the SSL cert.
Is there some way I should have my pfSense configured to cache or cooperate with Cloudflare on the SSL CA somehow? Has anyone else had this issue and found a viable workaround?
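Added example, not from the post above or from pfSense/Traefik themselves: a small POSIX shell script that (a) emits the split-horizon host-override lines for a list of subdomains in the syntax pfSense's two DNS services accept (dnsmasq `host-record=` for the DNS Forwarder, Unbound `local-data:` for the DNS Resolver; the GUI Host Overrides table generates equivalent entries), and (b) probes the symptom described: does the LAN resolver return the private address while a public resolver returns the Cloudflare-fronted one, which certificate does Traefik present when the TLS connection is forced to the LAN IP, and what status code and `Location` header come back. The LAN IPs 192.168.1.10 (Traefik host) and 192.168.1.1 (pfSense), the hostnames, and the script file name are assumptions; the header samples in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: the Traefik/docker
# host sits at 192.168.1.10 and pfSense at 192.168.1.1 on the LAN.
LAN_IP="${LAN_IP:-192.168.1.10}"
PFSENSE_IP="${PFSENSE_IP:-192.168.1.1}"
HOSTS="${HOSTS:-jellyfin.domain.name nextcloud.domain.name}"

# Emit host-override lines for one backend: "dnsmasq" (pfSense DNS Forwarder,
# host-record=) or "unbound" (pfSense DNS Resolver, local-data:). Both make the
# LAN answer for the name differ from the public Cloudflare answer (split horizon).
host_override_lines() {
  backend="$1"; ip="$2"; shift 2
  for h in "$@"; do
    case "$backend" in
      dnsmasq) printf 'host-record=%s,%s\n' "$h" "$ip" ;;
      unbound) printf 'local-data: "%s. A %s"\n' "$h" "$ip" ;;
      *) echo "unknown backend: $backend" >&2; return 1 ;;
    esac
  done
}

# Read raw HTTP response headers on stdin; print "CODE LOCATION" for a redirect
# or just "CODE" otherwise, so a 302's target host is visible at a glance.
# Handles HTTP/1.1 and HTTP/2 status lines and strips CRLF line endings.
classify_response() {
  awk 'BEGIN { code = ""; loc = "" }
       NR == 1 && $1 ~ /^HTTP\// { code = $2; sub(/\r$/, "", code) }
       tolower($1) == "location:" { loc = $2; sub(/\r$/, "", loc) }
       END { if (loc != "") print code, loc; else print code }'
}

# Live probe (needs network; not exercised by the offline test):
#  1. compare what the LAN resolver and a public resolver return for the name
#  2. force the TLS connection to the LAN IP with --resolve/-servername and show
#     the certificate Traefik presents plus the status line and Location header
probe() {
  h="$1"
  echo "LAN resolver:    $(dig +short "$h" @"$PFSENSE_IP")"
  echo "Public resolver: $(dig +short "$h" @1.1.1.1)"
  openssl s_client -connect "$LAN_IP:443" -servername "$h" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -ext subjectAltName
  curl -sS -o /dev/null -D - --resolve "$h:443:$LAN_IP" "https://$h/" | classify_response
}

# Usage (file name assumed):
#   sh split_dns_check.sh                        # print override lines for both backends
#   PROBE=1 sh split_dns_check.sh jellyfin.domain.name   # run the live probe
host_override_lines dnsmasq "$LAN_IP" $HOSTS
host_override_lines unbound "$LAN_IP" $HOSTS
if [ -n "$PROBE" ]; then
  probe "${1:-jellyfin.domain.name}"
fi
```

The probe deliberately does not follow redirects: the point is to see, for a request that reaches Traefik directly on the LAN, which name the presented certificate covers and where the 302 points, which is the evidence needed before deciding whether the override or the reverse-proxy side is at fault.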