Netgate Discussion Forum

Just trying to forward 443 to an internal server

55 Posts, 4 Posters, 9.6k Views
combat_wombat27 @Jarhead:

@jarhead Okay, I did as requested and the site is still unavailable externally.
Jarhead @combat_wombat27:

@combat_wombat27 Interesting. How about trying a different external port forwarded to the server on 443?
Alternatively you can change the port on the server itself, but I would try a different external port just for testing.
Do you have any other NATs? Curious if it's just 443 or all ports not working.
combat_wombat27 @Jarhead:

@jarhead Okay, I just tried 4443 and it has made no difference. I can't leave this permanently as it is for the proper workings of a standard RDP Gateway, but at least for testing I can. It hasn't worked. Also, I don't have any other ports forwarded to compare with.

[image: 87376bae-820e-48bf-a489-519025a69222-image.png]
[image: 5ca362fa-5aea-4693-8585-5d29ffa3859c-image.png]
Jarhead @combat_wombat27:

@combat_wombat27 You might wanna try the previous advice of Windows Firewall. Just turn it off altogether, for testing only.

Try a port scanning site like GRC Shields Up to see if it shows the port open. Can imagine it would, but can't hurt to try.

Were you able to access pfSense on 443?
combat_wombat27 @Jarhead:

@jarhead I still disagree that it has anything to do with this, but that said I have already tried and it made no difference.

[image: 63058805-a340-49f2-8f61-0760b9f7901c-image.png]
[image: 4fb355e4-3f5f-4a50-b225-6862d4674435-image.png]
Jarhead @combat_wombat27:

@combat_wombat27 Just to be sure, when you changed to 4443, you did add that port to the URL, correct?
combat_wombat27 @Jarhead:

@jarhead Yes, https://externalip:4443
Jarhead @combat_wombat27:

@combat_wombat27 Sorry, but had to ask.

Did you reboot pfSense after changing its web port? Shouldn't have to, but the NAT you have should be working also, so... couldn't hurt.

Any chance you have anything else on your LAN you can forward a port to for testing? Just trying to see if NAT is working at all.

Had a weird trouble not too long ago and just recreating the NAT fixed it. I think that was because the user was changing so many things it got a little loopy, but it did fix it. Worth a shot.
combat_wombat27 @Jarhead:

@jarhead I appreciate the reply. I rebooted the firewall at 5 PM yesterday and it has made no difference for me. I have also completely deleted and recreated the rules yesterday as well. Finally, I'm not sure what I would use on what port to help testing.
johnpoz LAYER 8 Global Moderator @combat_wombat27:

@combat_wombat27 So with any port forward you should validate that traffic is actually getting to the pfSense WAN to be able to forward it.

Go to, say, canyouseeme.org, and put in the port you're wanting to forward.

Now sniff on the pfSense WAN for that port. Do you see it get there?

Example, testing with 4443:

[image: sniff.jpg]

If you see the traffic get there, then sniff on your LAN side interface. Do you see pfSense send it on?

So here I set up a forward of 4443 to a box on my LAN network, 192.168.9.100:

[image: rst.jpg]

You can see that pfSense sent it on; now my PC answered with a RST, which is 9.100 saying go away, not listening on that port. But the thing you want to be most interested in is whether pfSense sent that traffic on to the 192.168 address you forwarded to. If it did, then pfSense did what you told it to do. And if it's not working, then it's not a pfSense issue: local firewall, wrong gateway on the device you're forwarding to, etc.

Also you can notice the firewall rule on WAN is now seeing traffic: 0/200 B means that rule has been evaluated. If you're just seeing 0/0 after you have sent traffic, this means that rule has not even been evaluated to let traffic in. Maybe you have a floating rule? etc.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
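The two-step sniff test above (does the SYN reach WAN, does pfSense send it on to the LAN host, and how does the host answer) can be automated over the text output of the packet capture. The following is an added example, not code from the thread or from Netgate: it parses tcpdump-style capture lines, splits each endpoint correctly (the port is the last dotted field, which is the easy thing to misread), and returns the same verdicts johnpoz reasons through. The capture lines, the addresses, external port 4443 and the internal host 192.168.9.100 are constructed for illustration.

```python
"""Classify a pfSense port-forward sniff test from WAN and LAN captures.

Added example, not code from the thread or from Netgate. It encodes the
check johnpoz describes: does the SYN reach WAN, does pfSense send it on
to the LAN host, and how does that host answer. The capture lines below
are constructed in tcpdump's default text format; addresses, external
port 4443 and internal host 192.168.9.100 are assumptions for illustration.
"""
import re

# tcpdump writes endpoints as "a.b.c.d.PORT": the port is the LAST dotted
# field, which is easy to misread as part of the address.
_PKT = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|tcp)"
)


def split_host_port(endpoint):
    """'192.168.9.100.4443' -> ('192.168.9.100', 4443)."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(lines):
    """Return one dict per TCP packet line; non-matching lines are skipped."""
    pkts = []
    for line in lines:
        m = _PKT.match(line.strip())
        if not m:
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        pkts.append({"src": src, "sport": sport, "dst": dst,
                     "dport": dport, "flags": m["flags"] or ""})
    return pkts


def diagnose(wan_lines, lan_lines, ext_port, int_host, int_port):
    """Apply the WAN-then-LAN reasoning and return the findings plus a verdict."""
    wan = parse_capture(wan_lines)
    lan = parse_capture(lan_lines)
    # "S" alone is a bare SYN; "S." is SYN-ACK; "R" / "R." is a reset.
    wan_saw_syn = any(p["dport"] == ext_port and p["flags"] == "S" for p in wan)
    lan_forwarded = any(p["dst"] == int_host and p["dport"] == int_port
                        and p["flags"] == "S" for p in lan)
    host_reply = None
    for p in lan:
        if p["src"] == int_host and p["sport"] == int_port:
            if p["flags"] == "S.":
                host_reply = "SYN-ACK"
            elif p["flags"].startswith("R"):
                host_reply = "RST"
            if host_reply:
                break
    if not wan_saw_syn:
        verdict = ("no SYN reached WAN: whatever sits upstream (ISP NAT, CGNAT, "
                   "another router) is not delivering it; not a pfSense issue yet")
    elif not lan_forwarded:
        verdict = ("WAN saw the SYN but LAN did not: pfSense is not forwarding; "
                   "check the NAT rule, its WAN rule and any floating rules")
    elif host_reply == "RST":
        verdict = ("pfSense forwarded it; the host refused with RST, so nothing "
                   "is listening on that port")
    elif host_reply is None:
        verdict = ("pfSense forwarded it; the host never answered, so suspect its "
                   "local firewall or a wrong default gateway on the host")
    else:
        verdict = "forward works end to end (host answered SYN-ACK)"
    return {"wan_saw_syn": wan_saw_syn, "lan_forwarded": lan_forwarded,
            "host_reply": host_reply, "verdict": verdict}


# Constructed sample captures (tcpdump -n style) mirroring the RST case
# in the post: WAN sees the SYN, LAN sees it forwarded, the host resets.
WAN_CAPTURE = [
    "14:02:11.100 IP 198.51.100.23.51234 > 203.0.113.5.4443: Flags [S], seq 1, win 64240, length 0",
    "14:02:11.102 IP 203.0.113.5.4443 > 198.51.100.23.51234: Flags [R.], seq 0, ack 2, win 0, length 0",
]
LAN_CAPTURE = [
    "14:02:11.101 IP 198.51.100.23.51234 > 192.168.9.100.4443: Flags [S], seq 1, win 64240, length 0",
    "14:02:11.102 IP 192.168.9.100.4443 > 198.51.100.23.51234: Flags [R.], seq 0, ack 2, win 0, length 0",
]

if __name__ == "__main__":
    print(diagnose(WAN_CAPTURE, LAN_CAPTURE, 4443, "192.168.9.100", 4443)["verdict"])
```

Feed it the text of two pfSense packet captures (one taken on WAN, one on LAN) for the same test connection; an empty WAN capture already gives the "nothing reached WAN" verdict without needing the LAN side at all.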
combat_wombat27 @johnpoz:

@johnpoz When enabled on 443 I can externally get to the pfSense web interface, but when I swap it and try the port forward I get nothing. Specifically, I don't even see packets in the packet capture relating to 443.

[image: 6963cfe9-dad0-4436-bcbe-f10865085f5e-image.png]

I noticed this rule didn't have any traffic this whole time, but I'm not sure what to make of it.

[image: 41241d74-ca96-45a5-8504-97793b8065be-image.png]

I know I'm using the right IP address to access it.
johnpoz LAYER 8 Global Moderator @combat_wombat27:

@combat_wombat27 Do the simple sniff test. Do you see your port hit your WAN? If so, then sniff on your LAN: do you see it send it on or not?

Finding where you have your problem should take all of about 30 seconds.

If you want to forward 443, it's a good idea to make sure the pfSense web GUI is not using 443, but some other port. I have the pfSense web GUI HTTPS on 8443, for example.
combat_wombat27 @johnpoz:

@johnpoz Sorry, I must have not been clear. When I ran that on the open port check tool I also did a little packet capture. I didn't see any 443 traffic in it whatsoever.
johnpoz LAYER 8 Global Moderator @combat_wombat27:

@combat_wombat27 said in Just trying to forward 443 to an internal server:

> I didn't see any 443 traffic in it whatsoever.

Then it's not getting to you. How can pfSense forward what it doesn't see?

What do you have in front of pfSense? Is it doing NAT? Is your ISP using CGNAT, i.e. does the WAN IP of pfSense start with 100.64-127.x.x?
combat_wombat27 @johnpoz:

@johnpoz Understood, but how can it show me the web UI on 443 if it can't receive packets on 443?
johnpoz LAYER 8 Global Moderator @combat_wombat27:

@combat_wombat27 It can't, but you can for sure access your pfSense from the LAN via its WAN IP, etc.

If you send traffic to, say, port 4443 and you don't see it on your sniff test on WAN, then there is no possible way you can send that traffic anywhere, because pfSense never saw it.

Validate that your pfSense WAN is an actual public IP, and not an RFC1918 or CGNAT range (100.64-127.x.x).
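The WAN address check johnpoz asks for in the two posts above (is the WAN a real public IP, or RFC1918 behind another router, or the ISP's CGNAT 100.64.0.0/10 range) is easy to get wrong by eye, because 100.64-100.127 is a /10, not a neat dotted boundary. The following is an added example, not code from the thread or from Netgate: it classifies an IPv4 WAN address against those ranges explicitly and says what that means for an inbound forward. The sample addresses are constructed; the link-local case (169.254.x.x, the address a WAN gets when DHCP fails) is an extra I added beyond what the thread mentions.

```python
"""Tell whether a pfSense WAN address can receive inbound port forwards.

Added example, not from the thread or from Netgate. It applies johnpoz's
check: the WAN must hold a real public address. RFC1918 on WAN means an
upstream router owns the public IP; 100.64.0.0/10 (RFC 6598 shared address
space) means the ISP is doing CGNAT and nothing inbound can reach pfSense.
Sample addresses are constructed for illustration.
"""
import ipaddress

# Explicit ranges rather than ipaddress.is_private/is_global: those helpers
# also flag documentation ranges such as 203.0.113.0/24, which would confuse
# the picture here.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_ip(addr):
    """Return 'cgnat', 'rfc1918', 'link-local' or 'public' for an IPv4 WAN."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check covers IPv4 WAN addresses only")
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_link_local:
        return "link-local"   # 169.254/16: WAN never got a DHCP lease
    return "public"


def forward_can_work(addr):
    """(True/False, what to do next) for a port forward on this WAN address."""
    kind = classify_wan_ip(addr)
    advice = {
        "public": "WAN holds a public address; move on to the WAN/LAN sniff test",
        "rfc1918": ("WAN is behind another NAT device; that device must forward "
                    "the port to the pfSense WAN address first"),
        "cgnat": ("ISP is using CGNAT; inbound traffic cannot reach pfSense and "
                  "no NAT rule on pfSense will change that"),
        "link-local": ("WAN has no usable address (169.254.x.x); fix WAN "
                       "addressing before testing any forward"),
    }
    return kind == "public", advice[kind]


if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.5 stands in for a public IP.
    for sample in ("203.0.113.5", "192.168.1.2", "100.70.1.2", "169.254.10.5"):
        ok, why = forward_can_work(sample)
        print(f"{sample:>14}: {'ok' if ok else 'blocked'} - {why}")
```

Run it with the address shown for the WAN interface on the pfSense dashboard; if it reports anything but "public", the sniff test on WAN will show nothing and the NAT rule is not where the problem is.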
combat_wombat27 @johnpoz:

@johnpoz

[image: 00d831c6-6c36-4127-b47f-f4b44751422e-image.png]
[image: fe8ebdf5-3456-4a55-84d4-e163431f42fe-image.png]

Here are my packet capture settings for reference in case I did it wrong.
johnpoz LAYER 8 Global Moderator @combat_wombat27:

@combat_wombat27 No, that looks correct. If you're not seeing anything with that sniff, then it's not possible for pfSense to forward what it doesn't see.

edit: I just tried to access 443 from the IP you're connecting to the forum with, and get no response.

[image: nogui.jpg]
combat_wombat27:

@johnpoz So that is what I'm saying. It was able to see the traffic when the web GUI was set to 443 just fine. It is only now that it is having issues. Gimme a sec and I'll check the WAN.
combat_wombat27 @johnpoz:

@johnpoz Wait, if I'm reading this right I DO see 443 traffic. I was reading it wrong. I was reading the number after TCP as the port, not the extra octet on the IP. Let me scan internally now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.