Netgate Discussion Forum

    Port Forward 80 Webserver

      viragomann @stepnage

      @stepnage
      Cannot see the images without login.

        stepnage

        Do you have an email? I'd really appreciate your help.

          viragomann @stepnage

          @stepnage
          There should be a possibility to share files without the need of authentication. Supported by any cloud I know.

          What do you get now exactly if you access your WAN IP from the internet?

            stepnage

            If I access my WAN via IP under port 80 I get nothing. If I access via changed port for PFSense web UI I get the UI.
            Here's my NAT port forwarding rule:
            Interface = WAN
            Address Family = IPV4
            Protocol = TCP
            Source = ANY
            Source Port Range = HTTP
            Destination = LAN Address
            Destination Port Range = HTTP
            Redirect Target Port = HTTP
            Description = Website
            NAT Reflect = Enable Pure NAT
            Filter Rule = Pass

            Everything worked perfectly under version 2.7.0.... All I can see that has changed is you now have another option under destination, it was simply single host.

              viragomann @stepnage

              @stepnage
              You must not limit the source port. It's redundant, so you have to state "any" for it.

                stepnage

                Okay done but still WAN or domain still results in nothing.

                  viragomann @stepnage

                  @stepnage
                  Source = ANY
                  Source Port Range = ANY
                  Destination = WAN Address
                  Destination Port Range = HTTP
                  Redirect Target = <your web server>
                  Redirect Target Port = HTTP

                    stepnage

                    Interface = WAN
                    Address Family = IPV4
                    Protocol = TCP
                    Source = ANY
                    Source Port Range = HTTP
                    Destination = LAN Address
                    Destination Port Range = HTTP
                    Redirect Target IP = 192.168.0.3
                    Redirect Target Port = HTTP
                    Description = Website
                    NAT Reflect = Enable Pure NAT
                    Filter Rule = Pass

                    Forgot to add a section in last post, the IP address of server on LAN side.

                      stepnage

                      Source = ANY
                      Source Port Range = ANY
                      Destination = WAN Address
                      Destination Port Range = HTTP
                      Redirect Target = 192.168.0.3
                      Redirect Target Port = HTTP

                      Still nothing :(

                        viragomann @stepnage

                        @stepnage
                        So possibly your web server is blocking access from outside its subnet.

                        Disable its firewall.

                          stepnage

                          I have tried this already, the only thing that has changed is the firewall, this is why I am pulling my hair out as everything worked fine before the update.

                            viragomann @stepnage

                            @stepnage
                            As mentioned, nothing regarding port forwarding has been changed in the recent version.
                            Your issue might be somewhere else.

                            For troubleshooting, sniff the https traffic on pfSense on WAN and LAN and look if your requests are arriving on WAN and forwarded properly, and if you get responses from the webserver.

                              stepnage

                              I could not get this to work at all. I changed the port forward on my broadband router to point at its web UI and I can connect using my domain remotely. I then connected my server directly to my broadband router and changed port forwarding and again, can connect. This eliminates the pfsense firewall but all works. However, as soon as I connect the firewall back between them and readjust the port forwarding, everything fails.

                              I re-cloned my old pfsense image of 2.7.0 and all works flawlessly. I'm still convinced that something has changed as nothing to my setup has. The fact that I can still connect using my domain tells me that it's the firewall.

                              I've also tried switching the WAN and LAN but still the same issue. I really don't want to be stuck in this version.

                                Bob.Dig LAYER 8 @stepnage

                                @stepnage Make screenshots of every screen of interest.

                                  viragomann @stepnage

                                  @stepnage
                                  As you don't deliver the requested troubleshooting information, I'm sadly not able to help here.
                                  Just wailing "it does not work" contributes nothing to get closer to the issue.

                                    stepnage

                                    I'm unsure by what you mean not delivered the requested... You have asked me to sniff the traffic on the WAN port. I have looked at this and apart from requesting the Web UI nothing is being passed by pfsense. I have taken screenshots but am unable to get them to show as I don't have anywhere to host the files.

                                    The fact that if I eliminate the pfsense box and run directly from my router all is well and that if I restore the 2.7.0 pfsense on the same box all is well. I have also detailed my steps in previous posts.

                                    I really need this to work but after the update it has all stopped. Apart from the pfsense update, nothing else has changed in my setup.

                                    I can go out of the pfsense box to the internet, but I just cannot get back in the other way. I can access IP addresses on the WAN side by accessing my router.

                                      viragomann @stepnage

                                      @stepnage said in Port Forward 80 Webserver:

                                      You have asked me to sniff the traffic on the WAN port.

                                      On WAN and the internal interface.
                                      Can you share the results, please?
                                      This is just a text, which you can copy and paste here.

                                        stepnage

                                        Using the packet capture under diagnostics I get:

                                        11:12:02.834665 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 420: (tos 0x0, ttl 127, id 3261, offset 0, flags [none], proto UDP (17), length 406)
                                        10.10.10.2.31437 > 142.250.200.42.443: [udp sum ok] UDP, length 378
                                        11:12:02.842726 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 69: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 55)
                                        142.250.200.42.443 > 10.10.10.2.31437: [udp sum ok] UDP, length 27
                                        11:12:02.869379 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 3262, offset 0, flags [none], proto UDP (17), length 60)
                                        10.10.10.2.31437 > 142.250.200.42.443: [udp sum ok] UDP, length 32
                                        11:12:02.875974 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 356: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 342)
                                        142.250.200.42.443 > 10.10.10.2.31437: [udp sum ok] UDP, length 314
                                        11:12:02.876216 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 207: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 193)
                                        142.250.200.42.443 > 10.10.10.2.31437: [udp sum ok] UDP, length 165
                                        11:12:02.876402 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 77: (tos 0x0, ttl 127, id 3263, offset 0, flags [none], proto UDP (17), length 63)
                                        10.10.10.2.31437 > 142.250.200.42.443: [udp sum ok] UDP, length 35
                                        11:12:02.902990 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 3264, offset 0, flags [none], proto UDP (17), length 60)
                                        10.10.10.2.31437 > 142.250.200.42.443: [udp sum ok] UDP, length 32
                                        11:12:02.909724 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 52)
                                        142.250.200.42.443 > 10.10.10.2.31437: [udp sum ok] UDP, length 24
                                        11:12:02.978483 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 0, offset 0, flags [none], proto ICMP (1), length 84)
                                        10.10.10.2 > 8.8.8.8: ICMP echo request, id 37145, seq 1, length 64
                                        11:12:02.986638 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 119, id 0, offset 0, flags [none], proto ICMP (1), length 84)
                                        8.8.8.8 > 10.10.10.2: ICMP echo reply, id 37145, seq 1, length 64
                                        11:12:02.987801 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 53681, offset 0, flags [none], proto ICMP (1), length 29)
                                        10.10.10.2 > 10.10.10.1: ICMP echo request, id 699, seq 46460, length 9
                                        11:12:02.988005 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 35168, offset 0, flags [none], proto ICMP (1), length 29)
                                        10.10.10.1 > 10.10.10.2: ICMP echo reply, id 699, seq 46460, length 9
                                        11:12:03.232313 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 87: (tos 0x0, ttl 64, id 24942, offset 0, flags [none], proto UDP (17), length 73)
                                        10.10.10.2.47336 > 216.239.38.10.53: [udp sum ok] 10970% [1au] HTTPS? beacons.gvt2.com. ar: . OPT UDPsize=512 DO (45)
                                        11:12:03.234544 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 1003: (tos 0x0, ttl 127, id 31157, offset 0, flags [none], proto UDP (17), length 989)
                                        10.10.10.2.27365 > 172.217.169.3.443: [udp sum ok] UDP, length 961
                                        11:12:03.240861 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 31158, offset 0, flags [none], proto TCP (6), length 52)
                                        10.10.10.2.26975 > 172.217.169.3.443: Flags [S], cksum 0x57e6 (correct), seq 2705106425, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                                        11:12:03.244726 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 69: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 55)
                                        172.217.169.3.443 > 10.10.10.2.27365: [udp sum ok] UDP, length 27
                                        11:12:03.247361 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 144: (tos 0x0, ttl 108, id 16534, offset 0, flags [none], proto UDP (17), length 130)
                                        216.239.38.10.53 > 10.10.10.2.47336: [udp sum ok] 10970*- q: HTTPS? beacons.gvt2.com. 0/1/1 ns: gvt2.com. SOA ns1.google.com. dns-admin.google.com. 604591705 900 900 1800 60 ar: . OPT UDPsize=512 DO (102)
                                        11:12:03.249221 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 124, id 0, offset 0, flags [DF], proto TCP (6), length 52)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [S.], cksum 0x1aaf (correct), seq 3563807707, ack 2705106426, win 65535, options [mss 1412,nop,nop,sackOK,nop,wscale 8], length 0
                                        11:12:03.249465 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 31159, offset 0, flags [none], proto TCP (6), length 40)
                                        10.10.10.2.26975 > 172.217.169.3.443: Flags [.], cksum 0x5751 (correct), seq 1, ack 1, win 1025, length 0
                                        11:12:03.249836 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 571: (tos 0x0, ttl 127, id 31160, offset 0, flags [none], proto TCP (6), length 557)
                                        10.10.10.2.26975 > 172.217.169.3.443: Flags [P.], cksum 0x025b (correct), seq 1:518, ack 1, win 1025, length 517
                                        11:12:03.249975 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 91)
                                        172.217.169.3.443 > 10.10.10.2.27365: [udp sum ok] UDP, length 63
                                        11:12:03.250504 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 77: (tos 0x0, ttl 127, id 31161, offset 0, flags [none], proto UDP (17), length 63)
                                        10.10.10.2.27365 > 172.217.169.3.443: [udp sum ok] UDP, length 35
                                        11:12:03.250716 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 63: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 49)
                                        172.217.169.3.443 > 10.10.10.2.27365: [udp sum ok] UDP, length 21
                                        11:12:03.251057 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 127, id 31162, offset 0, flags [none], proto UDP (17), length 58)
                                        10.10.10.2.27365 > 172.217.169.3.443: [udp sum ok] UDP, length 30
                                        11:12:03.251132 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 127, id 31163, offset 0, flags [none], proto UDP (17), length 64)
                                        10.10.10.2.27365 > 172.217.169.3.443: [udp sum ok] UDP, length 36
                                        11:12:03.254104 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 31164, offset 0, flags [none], proto TCP (6), length 52)
                                        10.10.10.2.3203 > 172.217.169.3.443: Flags [S], cksum 0xd154 (correct), seq 201006761, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                                        11:12:03.254584 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 31165, offset 0, flags [none], proto TCP (6), length 52)
                                        10.10.10.2.48393 > 172.217.169.3.443: Flags [S], cksum 0x78a0 (correct), seq 4001096789, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                                        11:12:03.258086 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 124, id 29553, offset 0, flags [none], proto TCP (6), length 40)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [.], cksum 0x5848 (correct), seq 1, ack 518, win 261, length 0
                                        11:12:03.258729 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 65: (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 51)
                                        172.217.169.3.443 > 10.10.10.2.27365: [udp sum ok] UDP, length 23
                                        11:12:03.261782 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 31166, offset 0, flags [none], proto TCP (6), length 52)
                                        10.10.10.2.55561 > 172.217.169.3.443: Flags [S], cksum 0x68e7 (correct), seq 888312216, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                                        11:12:03.261971 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 124, id 0, offset 0, flags [DF], proto TCP (6), length 52)
                                        172.217.169.3.443 > 10.10.10.2.48393: Flags [S.], cksum 0xb1e4 (correct), seq 2280405471, ack 4001096790, win 65535, options [mss 1412,nop,nop,sackOK,nop,wscale 8], length 0
                                        11:12:03.262153 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 31167, offset 0, flags [none], proto TCP (6), length 40)
                                        10.10.10.2.48393 > 172.217.169.3.443: Flags [.], cksum 0xee86 (correct), seq 1, ack 1, win 1025, length 0
                                        11:12:03.262522 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 571: (tos 0x0, ttl 127, id 31168, offset 0, flags [none], proto TCP (6), length 557)
                                        10.10.10.2.48393 > 172.217.169.3.443: Flags [P.], cksum 0x0175 (correct), seq 1:518, ack 1, win 1025, length 517
                                        11:12:03.263008 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 124, id 0, offset 0, flags [DF], proto TCP (6), length 52)
                                        172.217.169.3.443 > 10.10.10.2.3203: Flags [S.], cksum 0x1541 (correct), seq 859603943, ack 201006762, win 65535, options [mss 1412,nop,nop,sackOK,nop,wscale 8], length 0
                                        11:12:03.263181 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 31169, offset 0, flags [none], proto TCP (6), length 40)
                                        10.10.10.2.3203 > 172.217.169.3.443: Flags [.], cksum 0x51e3 (correct), seq 1, ack 1, win 1025, length 0
                                        11:12:03.263566 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 571: (tos 0x0, ttl 127, id 31170, offset 0, flags [none], proto TCP (6), length 557)
                                        10.10.10.2.3203 > 172.217.169.3.443: Flags [P.], cksum 0x87fe (correct), seq 1:518, ack 1, win 1025, length 517
                                        11:12:03.265751 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 1466: (tos 0x0, ttl 124, id 29554, offset 0, flags [none], proto TCP (6), length 1452)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [.], cksum 0xefed (correct), seq 1:1413, ack 518, win 261, length 1412
                                        11:12:03.265999 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 1466: (tos 0x0, ttl 124, id 29555, offset 0, flags [none], proto TCP (6), length 1452)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [.], cksum 0x7c87 (correct), seq 1413:2825, ack 518, win 261, length 1412
                                        11:12:03.266004 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 1466: (tos 0x0, ttl 124, id 29556, offset 0, flags [none], proto TCP (6), length 1452)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [P.], cksum 0x3ae5 (correct), seq 2825:4237, ack 518, win 261, length 1412
                                        11:12:03.266007 80:75:1f:79:38:61 > 00:80:64:f4:f0:30, ethertype IPv4 (0x0800), length 311: (tos 0x0, ttl 124, id 29557, offset 0, flags [none], proto TCP (6), length 297)
                                        172.217.169.3.443 > 10.10.10.2.26975: Flags [P.], cksum 0x0d11 (correct), seq 4237:4494, ack 518, win 261, length 257
                                        11:12:03.266279 00:80:64:f4:f0:30 > 80:75:1f:79:38:61, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 31171, offset 0, flags [none], proto TCP (6), length 40)

                                          viragomann @stepnage

                                          @stepnage
                                          It would be helpful to mention if it's taken on WAN or LAN and what's the source and destination IP.

                                          Anyway, there is not even any packet to see going to port 80. So did you access it from outside, while taking this capture?

                                          Also it seems that your pfSense is behind a NAT router. So did you forward the traffic on this router? Maybe the pfSense IP has changed?
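
The WAN-and-LAN capture check asked for above, written out as an added example (not code from the thread or from pfSense): it reads tcpdump text output taken on both pfSense interfaces and reports the first hop at which the TCP handshake for the forwarded port stops. The client address 203.0.113.7 and all sample capture lines are constructed; 10.10.10.2 and 192.168.0.3 are the pfSense WAN and web server addresses from the thread, and the forward is assumed to keep the port unchanged (80 to 80).

```python
import re

# Address line of tcpdump text output for a TCP packet, e.g.
#   203.0.113.7.51512 > 10.10.10.2.80: Flags [S], seq ...
TCP_LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def tcp_packets(capture_text):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) for each TCP line.
    UDP, ICMP and the link-layer header lines of verbose output do not match."""
    packets = []
    for line in capture_text.splitlines():
        m = TCP_LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            packets.append((src, int(sport), dst, int(dport), flags))
    return packets

def saw_syn_to(packets, ip, port):
    # "S" alone is a connection attempt (SYN without ACK).
    return any(d == ip and dp == port and f == "S" for _, _, d, dp, f in packets)

def saw_synack_from(packets, ip, port):
    # "S." is SYN+ACK, i.e. the listener answered.
    return any(s == ip and sp == port and f == "S." for s, sp, _, _, f in packets)

def diagnose(wan_text, lan_text, wan_ip, server_ip, port=80):
    """Name the first stage where the inbound handshake is missing."""
    wan, lan = tcp_packets(wan_text), tcp_packets(lan_text)
    if not saw_syn_to(wan, wan_ip, port):
        # Nothing reached pfSense: upstream router forward, or the test
        # was not made from outside while the capture was running.
        return "no-request-on-wan"
    if not saw_syn_to(lan, server_ip, port):
        # Arrived on WAN but never left on LAN: NAT or filter rule on pfSense.
        return "not-forwarded"
    if not saw_synack_from(lan, server_ip, port):
        # Delivered to the server, no answer: host firewall, service, gateway.
        return "no-server-reply"
    if not saw_synack_from(wan, wan_ip, port):
        # Server answered but the reply did not leave WAN translated back.
        return "reply-not-returned"
    return "ok"

# Constructed sample captures (not taken from the thread).
WAN_OUTBOUND_ONLY = (
    "10.10.10.2.26975 > 172.217.169.3.443: Flags [S], seq 1, win 64240, length 0\n"
    "172.217.169.3.443 > 10.10.10.2.26975: Flags [S.], seq 9, ack 2, win 65535, length 0\n"
    "10.10.10.2 > 8.8.8.8: ICMP echo request, id 37145, seq 1, length 64\n"
)
WAN_SYN_ONLY = (
    "203.0.113.7.51512 > 10.10.10.2.80: Flags [S], seq 100, win 64240, length 0\n"
    "203.0.113.7.51512 > 10.10.10.2.80: Flags [S], seq 100, win 64240, length 0\n"
)
LAN_SYN_ONLY = (
    "203.0.113.7.51512 > 192.168.0.3.80: Flags [S], seq 100, win 64240, length 0\n"
)
LAN_HANDSHAKE = LAN_SYN_ONLY + (
    "192.168.0.3.80 > 203.0.113.7.51512: Flags [S.], seq 900, ack 101, win 65535, length 0\n"
)
WAN_HANDSHAKE = WAN_SYN_ONLY + (
    "10.10.10.2.80 > 203.0.113.7.51512: Flags [S.], seq 900, ack 101, win 65535, length 0\n"
)

if __name__ == "__main__":
    cases = [
        ("outbound traffic only", WAN_OUTBOUND_ONLY, ""),
        ("SYN on WAN, nothing on LAN", WAN_SYN_ONLY, ""),
        ("SYN forwarded, server silent", WAN_SYN_ONLY, LAN_SYN_ONLY),
        ("full handshake", WAN_HANDSHAKE, LAN_HANDSHAKE),
    ]
    for name, wan, lan in cases:
        print(f"{name}: {diagnose(wan, lan, '10.10.10.2', '192.168.0.3')}")
```
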

                                            stepnage

                                            I took this on my pc on the lan side. Port forwarding set on router not changed. Pfsense IP not changed.

                                            Router 10.10.10.1
                                            PF WAN 10.10.10.2
                                            PF LAN 192.168.0.1
                                            Switch 192.168.0.2
                                            Server 1 192.168.0.3
                                            Server 2 192.168.0.4
                                            Server 3 192.168.0.5

                                            I can access any IP on WAN or LAN

                                            As I mentioned earlier, if I go back to 2.7.0 everything works great

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.