Just trying to forward 443 to an internal server
-
@combat_wombat27 it can't but you can for sure access your pfsense from the lan via its wan IP, etc..
If you send traffic to say port 4443 and you don't see it on your sniff test on wan, then there is no possible way you can send that traffic anywhere - because pfsense never saw it..
Validate your pfsense wan is actual public IP, and not rfc1918 or cgnat range - 100.64-127.x.x
-
Here are my packet capture settings for reference in case I did it wrong.
-
@combat_wombat27 no that looks correct.. If your not seeing anything with that sniff, then its not possible for pfsense to forward what it doesn't see
edit: I just tried to access 443 from the IP your connecting to forum with, and get no response..
-
@johnpoz So that is what I'm saying. It was able to see the traffic when the Web Gui was set to 443 just fine. It is only now that it is having issues. Gimme a sec and I'll check the WAN.
-
@johnpoz Wait, if I'm reading this right I DO see 443 traffic. I was reading it wrong. I was reading the number after TCP as port. Not the extra octet on the IP. Let me scan internally now
-
Here is what I'm seeing on the LAN when I run a packet capture and open port checker.
Keep in mind I can get to the web server on 443 just by going to https://192.168.1.4 and it loads without question. I've also tried this with the firewall off.
Also just checked, and the WAN is listing the expected external IP Address.
-
@combat_wombat27 If I'm reading this correctly though this is just showing me traffic of people going to https sites, not something external accessing an internal https site.
-
@combat_wombat27 You need to make sure your sniffing for what your wanting to sniff for, or increase number of packets you capture from the default 100.
I see no traffic "to" 192.168.1.4 port 443, I only see traffic too some public IP on 443 from that picture.
-
@johnpoz okay, I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443. So if I'm understanding properly it is hitting the firewall and not making it past.
-
@combat_wombat27 said in Just trying to forward 443 to an internal server:
I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443
You can not see the internal IP on WAN. This could only be seen on LAN behind NAT.
Simply filter your capture for " > [WAN IP]:443" in the browser.
-
@viragomann No, that is regarding the internal packet capture to see if the traffic made it inside the network. If you check my replies above you will see where I DID see the packets hit the firewall externally.
-
@combat_wombat27 please post your port forward and wan rules, do you have any rules in floating? If so post them as well.
So you know what IP your testing from, say in the sniff on your wan and the can you see me IP.
Now filter on your lan side for this IP and port 443 in your packet capture..
If you say its hitting your wan but not forwarding it, then you have wrong setup in the rules/port forward, or pfsense does not know the mac address of the device your trying to forward too..
Like you saw my test port forward and wan rules.
-
@combat_wombat27 said in Just trying to forward 443 to an internal server:
If you check my replies above you will see where I DID see the packets hit the firewall externally.
Yes, but I cannot see any confirmation that you even get the packets on WAN.
I was assuming that before based on your first posts, but now I'm not sure anymore. -
@viragomann It's pretty simple. There is a pic showing the external packets hitting my external IP on 443. That said, I marked out the external IP address.
-
@combat_wombat27
In this capture 35.x.x.x might be your WAN and it shows also response from it from port 443.
Regarding this it should work well at all. Or did you disable the port forwarding again and is it pfSense responding here? -
@viragomann No that is not our WAN, nor is it any IP subscribed to our network or firewall internal or external. That is an internal 192 computer talking out to the web. I am not seeing the expected traffic to 192.168.1.4 on 443 as shown in the example images from Johnpoz
-
This post is deleted! -
@viragomann He has talked about both a packet capture on the LAN and WAN side. I've offered proof that the packets ARE reaching the firewall on the WAN side, and that those packets AREN'T making it to the server on the LAN side.
-
@combat_wombat27 said in Just trying to forward 443 to an internal server:
I've offered proof
Where did you offer this - I see no packet capture showing traffic hitting your wan on 443..
-
@johnpoz Okay, I really feel like I'm going crazy here. I would have sworn I saw the packet trace show the firewall received the packets and pasted a screenshot in chat. That must have been inaccurate as I don't see anything. That said, if packets weren't making it to the WAN side interface then how am I able to open up the Web GUI on 443 when enabled.
