Netgate Discussion Forum

    Just trying to forward 443 to an internal server

      johnpoz LAYER 8 Global Moderator @combat_wombat27

      @combat_wombat27 it can't but you can for sure access your pfsense from the lan via its wan IP, etc..

      If you send traffic to say port 4443 and you don't see it on your sniff test on wan, then there is no possible way you can send that traffic anywhere - because pfsense never saw it..

      Validate your pfsense wan is an actual public IP, and not rfc1918 or cgnat range - 100.64-127.x.x

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        combat_wombat27 @johnpoz

        @johnpoz 00d831c6-6c36-4127-b47f-f4b44751422e-image.png
        fe8ebdf5-3456-4a55-84d4-e163431f42fe-image.png

        Here are my packet capture settings for reference in case I did it wrong.

          johnpoz LAYER 8 Global Moderator @combat_wombat27

          @combat_wombat27 no that looks correct.. If you're not seeing anything with that sniff, then it's not possible for pfsense to forward what it doesn't see

          edit: I just tried to access 443 from the IP you're connecting to the forum with, and get no response..

          nogui.jpg

            combat_wombat27

            @johnpoz So that is what I'm saying. It was able to see the traffic when the Web Gui was set to 443 just fine. It is only now that it is having issues. Gimme a sec and I'll check the WAN.

              combat_wombat27 @johnpoz

              @johnpoz Wait, if I'm reading this right I DO see 443 traffic. I was reading it wrong. I was reading the number after TCP as port. Not the extra octet on the IP. Let me scan internally now

                combat_wombat27 @johnpoz

                @johnpoz 209c4fe2-496b-4367-9496-eef7270e6885-image.png

                Here is what I'm seeing on the LAN when I run a packet capture and open port checker.

                Keep in mind I can get to the web server on 443 just by going to https://192.168.1.4 and it loads without question. I've also tried this with the firewall off.

                Also just checked, and the WAN is listing the expected external IP Address.

                  combat_wombat27 @combat_wombat27

                  @combat_wombat27 If I'm reading this correctly though this is just showing me traffic of people going to https sites, not something external accessing an internal https site.

                    johnpoz LAYER 8 Global Moderator @combat_wombat27

                    @combat_wombat27 You need to make sure you're sniffing for what you're wanting to sniff for, or increase the number of packets you capture from the default 100.

                    I see no traffic "to" 192.168.1.4 port 443, I only see traffic to some public IP on 443 from that picture.

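The two checks discussed in the posts above (is the WAN address really public, and does a LAN-side capture contain traffic to 192.168.1.4 port 443 or only clients browsing public HTTPS sites), as an added example that is not part of any poster's reply. It assumes the low-detail tcpdump text format `IP src.sport > dst.dport: tcp len`; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Low-detail tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: tcp <len>"
# The port is the fifth dotted field on each address; the number after "tcp"
# is the payload length, not a port.
LINE = re.compile(
    r"IP (?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): tcp (?P<length>\d+)"
)
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, 100.64-127.x.x
)]

def wan_is_public(wan_ip):
    """False when the WAN address is RFC 1918 or CGNAT (upstream NAT in the way)."""
    ip = ipaddress.ip_address(wan_ip)
    return not any(ip in net for net in NOT_ROUTABLE)

def classify(line, server_ip, port=443):
    """Label one capture line relative to the forwarded server."""
    m = LINE.search(line)
    if not m:
        return "unparsed"
    if m["dst"] == server_ip and int(m["dport"]) == port:
        return "to-server"
    if m["src"] == server_ip and int(m["sport"]) == port:
        return "from-server"
    if port in (int(m["sport"]), int(m["dport"])):
        return "unrelated-https"   # e.g. LAN clients browsing public sites
    return "other"

def summarize(lines, server_ip, port=443):
    """Count capture lines per label."""
    return Counter(classify(l, server_ip, port) for l in lines)

# Constructed LAN-side sample (documentation addresses, not from the thread).
SAMPLE = [
    "10:01:02.000001 IP 192.168.1.23.51514 > 203.0.113.80.443: tcp 0",
    "10:01:02.040000 IP 203.0.113.80.443 > 192.168.1.23.51514: tcp 1460",
    "10:01:05.000000 IP 198.51.100.9.40000 > 192.168.1.4.443: tcp 0",
    "10:01:05.000300 IP 192.168.1.4.443 > 198.51.100.9.40000: tcp 0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.168.1.4"))
    print(wan_is_public("100.72.10.1"), wan_is_public("198.51.100.7"))
```

A LAN capture with zero `to-server` lines while the WAN capture shows the tester's IP arriving on 443 points at the port forward or WAN rules rather than at the server.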
                      combat_wombat27 @johnpoz

                      @johnpoz okay, I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443. So if I'm understanding properly it is hitting the firewall and not making it past.

                        viragomann @combat_wombat27

                        @combat_wombat27 said in Just trying to forward 443 to an internal server:

                        I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443

                        You can not see the internal IP on WAN. This could only be seen on LAN behind NAT.

                        Simply filter your capture for " > [WAN IP]:443" in the browser.

                          combat_wombat27 @viragomann

                          @viragomann No, that is regarding the internal packet capture to see if the traffic made it inside the network. If you check my replies above you will see where I DID see the packets hit the firewall externally.

                            johnpoz LAYER 8 Global Moderator @combat_wombat27

                            @combat_wombat27 please post your port forward and wan rules, do you have any rules in floating? If so post them as well.

                            So you know what IP you're testing from, say in the sniff on your wan and the can you see me IP.

                            Now filter on your lan side for this IP and port 443 in your packet capture..

                            If you say it's hitting your wan but not forwarding it, then you have wrong setup in the rules/port forward, or pfsense does not know the mac address of the device you're trying to forward to..

                            Like you saw my test port forward and wan rules.

                              viragomann @combat_wombat27

                              @combat_wombat27 said in Just trying to forward 443 to an internal server:

                              If you check my replies above you will see where I DID see the packets hit the firewall externally.

                              Yes, but I cannot see any confirmation that you even get the packets on WAN.
                              I was assuming that before based on your first posts, but now I'm not sure anymore.

                                combat_wombat27 @viragomann

                                @viragomann It's pretty simple. There is a pic showing the external packets hitting my external IP on 443. That said, I marked out the external IP address.

                                  viragomann @combat_wombat27

                                  @combat_wombat27
                                  In this capture 35.x.x.x might be your WAN and it shows also response from it from port 443.
                                  Regarding this it should work well at all. Or did you disable the port forwarding again and is it pfSense responding here?

                                    combat_wombat27 @viragomann

                                    @viragomann No that is not our WAN, nor is it any IP subscribed to our network or firewall internal or external. That is an internal 192 computer talking out to the web. I am not seeing the expected traffic to 192.168.1.4 on 443 as shown in the example images from Johnpoz

                                      viragomann @combat_wombat27

                                      This post is deleted!
                                        combat_wombat27 @viragomann

                                        @viragomann He has talked about both a packet capture on the LAN and WAN side. I've offered proof that the packets ARE reaching the firewall on the WAN side, and that those packets AREN'T making it to the server on the LAN side.

                                          johnpoz LAYER 8 Global Moderator @combat_wombat27

                                          @combat_wombat27 said in Just trying to forward 443 to an internal server:

                                          I've offered proof

                                          Where did you offer this - I see no packet capture showing traffic hitting your wan on 443..

                                            combat_wombat27 @johnpoz

                                            @johnpoz Okay, I really feel like I'm going crazy here. I would have sworn I saw the packet trace show the firewall received the packets and pasted a screenshot in chat. That must have been inaccurate as I don't see anything. That said, if packets weren't making it to the WAN side interface then how am I able to open up the Web GUI on 443 when enabled?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.