Netgate Discussion Forum
    Just trying to forward 443 to an internal server

    Category: NAT
    55 Posts 4 Posters 9.6k Views
    johnpoz LAYER 8 Global Moderator @combat_wombat27

      @combat_wombat27 said in Just trying to forward 443 to an internal server:

      I've offered proof

      Where did you offer this? I see no packet capture showing traffic hitting your WAN on 443.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      combat_wombat27 @johnpoz

        @johnpoz Okay, I really feel like I'm going crazy here. I would have sworn I saw the packet trace show the firewall received the packets and pasted a screenshot in chat. That must have been inaccurate, as I don't see anything. That said, if packets weren't making it to the WAN-side interface, then how am I able to open up the web GUI on 443 when enabled?

        combat_wombat27 @combat_wombat27

          @combat_wombat27 Even more interesting. Even though I had tested and remade my NAT rule already, I noticed the 4443 NAT I had made as a test worked. So I just adjusted it back to 443 and it started working.

          I still don't understand how I wouldn't be seeing the packets externally if they were making it at least to the firewall. Maybe someone can explain that feat to me.

          Anyways, it is working currently.

          johnpoz LAYER 8 Global Moderator @combat_wombat27

            @combat_wombat27 said in Just trying to forward 443 to an internal server:

            I still don't understand how I wouldn't be seeing the packets externally if they were making it at least to the firewall

            You were not sniffing correctly. You had a filter wrong? You had the wrong interface? etc?

            So do you access the forum via the same IP? Because I don't get any response hitting that IP on 443.

            But you say it's working? If it was working you would see a successful test on canyouseeme.org.

            [screenshot: works.jpg]


            combat_wombat27 @johnpoz

              @johnpoz I don't think the filter was wrong, as the only difference in the filter I used for testing 4443 was to change the port from 443 to 4443. From there it showed traffic on 4443 just fine. I then switched it back to 443 and did not see the packets reach the firewall.

              Yes, it is working and yes I got a Success. No, we are an MSP so we are not at the site where this was being deployed.

              johnpoz LAYER 8 Global Moderator @combat_wombat27

                @combat_wombat27 said in Just trying to forward 443 to an internal server:

                I then switched it back to 443 and did not see the packets reach the firewall.
                it is working and yes I got a Success

                Well, there is a piece of the puzzle missing, because what you're saying isn't possible: how would you access 443 if you are not seeing the traffic?

                You're saying it's working, so there would be a state showing that, etc. If you're creating a state, how would you not be seeing the traffic via a sniff, unless your sniff was not actually sniffing on the correct interface, or the wrong port, or some other error, etc.?

                When you sniff on wan, do you see other traffic?


                combat_wombat27 @johnpoz

                  @johnpoz Yeah. I'm agreeing with you. I don't know how this situation can be factual. I would assume I messed up the capture, but it worked just fine with 4443, just with the port changed.
                  I do see other traffic on the WAN yes.

                  johnpoz LAYER 8 Global Moderator @combat_wombat27

                    @combat_wombat27 said in Just trying to forward 443 to an internal server:

                    I do see other traffic on the WAN yes.

                    Then how could you not see the 443 traffic if it's working, because clearly the sniff is working. But it's just not capturing 443? That makes no sense at all.


                    combat_wombat27 @johnpoz

                      @johnpoz I'm as confused as you are or more. All I know is what I've seen so far.
                      [screenshot]

                      [screenshot]
                      Can you tell me what is wrong with that config?
                      I double-checked the IP address and everything.
                      I see other packets go by when I scan, but even though the scan is a success, I don't see the packets I would expect. Perhaps you can see something I cannot?

                      johnpoz LAYER 8 Global Moderator @combat_wombat27

                        @combat_wombat27 Couple of things: maybe it's UDP. HTTPS can go via UDP if using QUIC.

                        You sure its not coming in via IPv6? Do you have other internet connections other than wan?

                        Did you actually start it? Should be showing you last start time, etc..

                        [screenshot: capture.jpg]

                        Odd that you're only seeing the last capture? What version of pfSense are you on?

                        You sure that is the right source IP? If you're saying it's working, look in your state table for what the public IP is that is hitting it when you say it's working.


                        combat_wombat27 @johnpoz

                          @johnpoz I turned on "any" for both IPv4 and IPv6, and UDP etc. as well as TCP. I saw 0 IPv6 traffic. That one WAN is the only internet connection for the building. I did start it; mine only shows me the last capture, not stop and start. Yes, I did start it, then and again now with the new settings. I'm on 2.4.4_2. I've confirmed my IP via IPCHICKEN and asked Google "what is my IP", and both of those match the one I'm using and see in pfSense for the WAN side.

                          johnpoz LAYER 8 Global Moderator @combat_wombat27

                            @combat_wombat27 said in Just trying to forward 443 to an internal server:

                            both of those match the one I'm using and see in pfsense for the WAN side.

                            Huh. Look in your state table for the source IP that is talking to your 192.168.1.4, and filter on that.

                            You really should update; 2.4 has been EOL for a while.


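An added example of the two checks johnpoz asks for in this thread (not code from the thread, from pfSense or from Netgate): read the state table to find which public IP is actually reaching 192.168.1.4:443 through the forward, tell those states apart from connections that terminate on the firewall itself (the WAN-side web GUI on 443), and note whether the traffic arrives as TCP or as UDP (QUIC), which a TCP-only sniff would miss. It assumes `pfctl -ss` prints an inbound forwarded state as `translated-dst (original-dst) <- src`, the FreeBSD pf layout; the sample lines, the 203.0.113.5 WAN address and the 198.51.100.x / 192.0.2.x remote addresses are constructed, and the function names are this example's own.

```python
"""Pick the port-forward states out of `pfctl -ss` text (added example, not pfSense code).

Assumed line layout (FreeBSD pf): for a rdr'd inbound connection the translated
destination comes first, the original (WAN) destination in parentheses, then
"<-" and the remote source; the matching LAN-side state is "src -> dst"; a
connection to a service on the firewall itself has no parenthesised part.
"""
import re
from collections import defaultdict

# Constructed sample in pfctl -ss layout. 192.168.1.4 is the internal host from
# the thread; 203.0.113.5 stands in for the WAN address; the rest are
# documentation-range addresses, not real peers.
SAMPLE = """\
all tcp 192.168.1.4:443 (203.0.113.5:443) <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:51234 -> 192.168.1.4:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.4:443 (203.0.113.5:443) <- 198.51.100.23:41000       MULTIPLE:MULTIPLE
all udp 198.51.100.23:41000 -> 192.168.1.4:443       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:443 <- 198.51.100.7:51301       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.50:52000 -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED
"""

# Inbound state that went through a rdr: "translated (original) <- source".
INBOUND_FORWARDED = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<dst>[\d.]+:\d+)\s+\((?P<orig>[\d.]+:\d+)\)\s+<-\s+"
    r"(?P<src>[\d.]+:\d+)\s+(?P<state>\S+)"
)

# Inbound state that terminates on the firewall itself: no "(original)" part.
INBOUND_LOCAL = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<dst>[\d.]+:\d+)\s+<-\s+(?P<src>[\d.]+:\d+)\s+(?P<state>\S+)"
)


def _host(endpoint):
    """'198.51.100.7:51234' -> '198.51.100.7'."""
    return endpoint.rsplit(":", 1)[0]


def forward_hits(text, internal_host, port):
    """Map protocol -> sorted public source IPs whose inbound state was
    translated to internal_host:port, i.e. traffic the port forward delivered.
    LAN-side '->' states and firewall-local states are ignored."""
    want = f"{internal_host}:{port}"
    hits = defaultdict(set)
    for line in text.splitlines():
        m = INBOUND_FORWARDED.match(line)
        if m and m.group("dst") == want:
            hits[m.group("proto")].add(_host(m.group("src")))
    return {proto: sorted(srcs) for proto, srcs in hits.items()}


def local_hits(text, port):
    """Sorted public source IPs with an inbound state to the firewall's own
    listener on `port` (e.g. the web GUI on the WAN address). These prove
    packets reach the WAN interface but say nothing about the forward."""
    srcs = set()
    for line in text.splitlines():
        m = INBOUND_LOCAL.match(line)
        if m and m.group("dst").endswith(f":{port}"):
            srcs.add(_host(m.group("src")))
    return sorted(srcs)


def capture_filter(port):
    """BPF expression for a WAN-side sniff of the forwarded port. Both
    transports are included because HTTPS may arrive as QUIC over UDP."""
    return f"(tcp or udp) and dst port {port}"


if __name__ == "__main__":
    print("forwarded to 192.168.1.4:443:", forward_hits(SAMPLE, "192.168.1.4", 443))
    print("terminating on the firewall :443:", local_hits(SAMPLE, 443))
    print("sniff with:", capture_filter(443))
```

On a live box the text would come from `pfctl -ss` on the firewall; a source IP that shows up under `local_hits` but not under `forward_hits` is the web GUI answering on 443, not the forward, and a `udp` entry under `forward_hits` is exactly the case a capture filtered on `tcp port 443` would never show.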
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.