Netgate Discussion Forum

Stunnel from external IP

  • plavix
    last edited by Jul 25, 2008, 9:47 PM

    Right, I normally lurk and Google; but I'm getting nowhere and would really appreciate some assistance.

    I have my pfSense installation with WAN/LAN/DMZ.

    1. DMZ is where all NAT and rules get sent to if they come in on WAN
    2. DMZ is blocked to LAN
    3. LAN is allowed anywhere

    I have installed Stunnel and set the Listen IP to the WAN address, port to 443 and then redirect to DMZ IP, port to 80.

    1. This does work internally (LAN -> DMZ) if I address as https://mail.domain.com; as this is looking up DNS and sending the route back to WAN (the listen IP)
    2. This does not work internally (LAN -> DMZ) if I address as https://192.168.x.x, which is the DMZ server IP. This is as I would expect, as the internal LAN can't traverse externally to come back in unless NAT rules are set accordingly
    3. This does not work externally (Internet -> WAN -> DMZ) if I address as https://mail.domain.com or as https://194.168.x.x (WAN IP)

    I have tried

    1. NAT 443 to 80 and the corresponding rule on the WAN Interface. (which obviously breaks Stunnel, as the connection it was expecting to proxy just got NATted!)
    2. Removing all NAT entries and setting the rule on WAN (443 -> DMZ IP -> 80)
    3. Setting 1:1 NAT to DMZ IP

    Obviously pfSense is not 'listening' on port 443 on the WAN port; forcing it to do so may solve my problem. Or is this down to rules on WAN?

    Any and all suggestions welcome.

    • plavix
      last edited by Jul 27, 2008, 9:13 AM

      Fixed it; I moved Stunnel to the host Windows machine running 443, 993 and 465 and pfSense is NATting.

      I suspect Stunnel on pfSense is broken.
