Netgate Discussion Forum

    Surfing to website in the subnet of another interface shows pfsense login page

    • Voxtra

      Hi,

      we have a pfsense with 3 physical interfaces for internal networks:
      LAN1: 200.1.0.0/24
      LAN2: 10.20.15.0/24
      LAN3: 10.0.0.0/16
      Our firewall rules allow all traffic between these 3 subnets.

      In LAN1, we have a webserver hosted on IP address 200.1.0.15.
      On all PCs in LAN2, we can ping 200.1.0.15 and we can also access the website hosted on it.
      On the PCs in LAN3, we can also ping 200.1.0.15, but we cannot access the website. Instead, we get the login page of the pfSense. All other traffic from LAN3 to LAN1 works perfectly, even to other websites hosted in the 200.1.0.0 network.

      Any ideas why this happens? DNS looks fine, there are no particular NAT rules, other websites in LAN1 work perfectly, just that one doesn't...

      Thanks!

      • michmoor LAYER 8 Rebel Alliance @Voxtra

        @Voxtra

        I would still want to see your NAT rules.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • Voxtra @michmoor

          @michmoor
          Hi,
          thanks for replying!
          What would you like to see? I only have NAT rules for forwarding from WAN to the different LANs. There are no rules between the three LAN interfaces.

          • michmoor LAYER 8 Rebel Alliance @Voxtra

            @Voxtra
            Somehow your traffic is getting redirected to the management ports of your firewall. Either you've got a NAT rule there or some other misconfiguration. Right now it appears as NAT.

            What specifically are you doing on LAN3?
            Are you going to HTTP://200.1.0.15 and you wind up at the pfSense page on port 80 at the IP 200.1.0.15?


            • Voxtra @michmoor

              @michmoor
              When we browse to https://200.1.0.15 we end up seeing the HTTPS login page of the pfSense.
              However, https://200.1.0.10 or any other HTTPS page in that LAN1 is reachable.
              The only rule we have configured on the LAN3 interface is to allow all traffic to all networks.

              • michmoor LAYER 8 Rebel Alliance @Voxtra

                @Voxtra
                Show your NAT rules.
                Show your state table when attempting to access it, by going to Diagnostics > States > States.


                • Gertjan @Voxtra
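An added example, not from this thread or from pfSense itself, of what the state-table check above is looking for: a small parser over `pfctl -ss`-style state lines that flags flows whose requested destination pf rewrote to another address (the thread's symptom would show up as a state for 10.0.0.2 that asked for 200.1.0.15:443 but was translated to the firewall's own 200.1.0.250). The sample lines are constructed, and the exact column layout of pf's state output is an assumption; IPv6 addresses are not handled.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout pf prints for "pfctl -ss" (assumed format):
#   <iface> <proto> <dst> (<original dst, only when NAT rewrote it>) <- <src>   <state>
#   <iface> <proto> <src> -> <dst>                                              <state>
# Line 1 models the symptom: a LAN3 client asked for 200.1.0.15:443 but the
# state was rewritten to the firewall's own LAN1 address 200.1.0.250.
SAMPLE_STATES = """\
all tcp 200.1.0.250:443 (200.1.0.15:443) <- 10.0.0.2:51234       ESTABLISHED:ESTABLISHED
all tcp 200.1.0.15:443 <- 10.20.15.7:40122       ESTABLISHED:ESTABLISHED
all tcp 10.20.15.7:40122 -> 200.1.0.15:443       ESTABLISHED:ESTABLISHED
all icmp 10.0.0.2:1234 -> 200.1.0.15:1234       0:0
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir><-|->)\s+(?P<b>\S+)\s+(?P<st>\S+)$"
)

@dataclass
class Redirect:
    proto: str
    src: str
    requested_dst: str   # what the client actually connected to
    translated_dst: str  # where pf sent the connection instead
    state: str

def host_of(hostport: str) -> str:
    """Strip the :port suffix from an IPv4 host:port token."""
    return hostport.rsplit(":", 1)[0]

def find_redirects(states: str, target_host: str) -> List[Redirect]:
    """Return inbound states whose original destination was target_host but
    whose destination was rewritten (rdr / port forward / NAT reflection) to
    another host. An empty list means pf never touched the destination."""
    found = []
    for line in states.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["dir"] != "<-" or not m["orig"]:
            continue  # outbound key, or no translation recorded on the state
        if host_of(m["orig"]) == target_host and host_of(m["a"]) != target_host:
            found.append(Redirect(m["proto"], m["b"], m["orig"], m["a"], m["st"]))
    return found

if __name__ == "__main__":
    for r in find_redirects(SAMPLE_STATES, "200.1.0.15"):
        print(f"{r.proto} {r.src} asked for {r.requested_dst} "
              f"but was sent to {r.translated_dst} ({r.state})")
```

A hit from this check points at a rdr rule (port forward or NAT reflection) matching the traffic; no hit means the redirect is happening somewhere other than pf's NAT.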

                  @Voxtra said in Surfing to website in the subnet of another interface shows pfsense login page:

                  we have a pfsense with 3 physical interfaces for internal networks:
                  LAN1: 200.1.0.0/24
                  LAN2: 10.20.15.0/24
                  LAN3: 10.0.0.0/16

                  OK for LAN2 and LAN3, but with LAN1, something seems very wrong here.
                  You are, or you own:

                  root@ns311465:~# whois 200.1.0.15
                  ....
                  % Copyright LACNIC lacnic.net
                  %  The data below is provided for information purposes
                  %  and to assist persons in obtaining information about or
                  %  related to AS and IP numbers registrations
                  %  By submitting a whois query, you agree to use this data
                  %  only for lawful purposes.
                  %  2024-03-25 13:14:56 (-03 -03:00)
                  
                  inetnum:     200.1.0.0/22
                  status:      allocated
                  owner:       Corporacion Andina de Fomento.
                  ownerid:     VE-CAFO-LACNIC
                  address:     Av. Luis Roche, Torre Central\nPiso 7, Altamir\nCaracas
                  country:     VE
                  owner-c:     JL10-ARIN
                  created:     19930513
                  changed:     19930513
                  source:      ARIN-HISTORIC
                  

                  That's already a big player, as you own 1024+ IPv4 addresses on the net.
                  Using one /24 of that on your pfSense as a LAN (internal) network? Are you sure?

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs?

                  • johnpoz LAYER 8 Global Moderator @Voxtra

                    @Voxtra said in Surfing to website in the subnet of another interface shows pfsense login page:

                    When we browse to https://200.1.0.15 we end up seeing the HTTPS login page of the pfSense.

                    Yeah, that wouldn't happen unless the pfSense IP was .15.. Are you accessing via the IP or via some FQDN? When devices on the same network talk to each other, say .x talking to .y, pfSense would not even be aware of the traffic, unless you're running on a bridge in pfSense, or one of pfSense's IPs is .x or .y in that conversation.

                    And, as @Gertjan says, using public IP space on your internal network is not a very good idea.. Are you part of the Corporacion Andina de Fomento? I find it highly unlikely, even if you were, that they would assign a /24 out of their /22 to your connection.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • michmoor LAYER 8 Rebel Alliance @johnpoz

                      @johnpoz
                      Could've been a network space he randomly selected as part of a test. I'm guilty of using 1.1.1.0/30 on WAN links when labbing.
                      Still, it's a directly connected interface, so it's routed to pfSense itself. Shouldn't be an issue.


                      • johnpoz LAYER 8 Global Moderator @michmoor

                        @michmoor While technically you can use it, sure, if you don't ever want to go to that space on the public internet.. But it's really bad practice to get into.. Because at some point you're going to use some public space locally that you actually want to get to.

                        And it always brings up such questions when you're posting asking for help ;)

                        There is plenty of RFC 1918 space to use, so that you don't have to step on something you're currently using..


                        • Voxtra @johnpoz

                          @johnpoz
                          The pfSense is on IP addresses
                          200.1.0.250 in LAN1
                          10.20.15.254 in LAN2
                          10.0.0.254 in LAN3
                          There is no reference to 200.1.0.15 in the pfSense, except for NAT rules on the WAN that forward to this IP address.

                          Regarding the comments about using the 200.1.0.0/24 range -> that is why we've created LAN3 on 10.0.0.0/16.
                          Our customer had this 200 range when we took over their setup. We are now moving everything step by step to the 10.0.0.0 range, so we can get rid of the 200 range. But during this process, everything should keep working.

                          Main problem is still that I can't route from one subnet/interface to one IP address on the other interface.
                          The other subnet, LAN2, routes perfectly.
                          And from the LAN3 subnet, I can also get to other websites in the LAN1 subnet. It's just that one website that won't work. It's not DNS, as it pings 200.1.0.15 OK. But when browsing to this IP, how is it possible that I get the pfSense's login page?

                          • johnpoz LAYER 8 Global Moderator @Voxtra

                            @Voxtra It shouldn't be possible, it really shouldn't.. Just because you can ping doesn't really mean anything.

                            So you're on a device in the 200.x network - ping this 200.1.0.15 address, now look in your ARP table.. What does it show for that IP.. Is it a pfSense MAC? If not, pfSense is not involved in the conversation in any way.

                            Maybe the client thinks this .15 address is not actually on its local network.. What is the mask on the client you're trying to access the 200.1.0.15 address from?

                            And good to hear about the migration away from the 200.x network - very valid reason to currently have it set up.. Thanks for keeping my curiosity cat happy ;)


                            • Voxtra @johnpoz

                              @johnpoz
                              The MAC of 200.1.0.15 starts with 00:50:56, which is VMware. This is correct, it is a virtual machine.
                              The client from which I'm trying to browse to 200.1.0.15 has IP address 10.0.0.2, subnet mask 255.255.0.0, gateway 10.0.0.254.
                              I just don't get why I can ping it, but browsing to it gets redirected...

                              • johnpoz LAYER 8 Global Moderator @Voxtra

                                @Voxtra Oh, so you're accessing this IP from a different network.. I thought you were on some box in 200.x and trying to access 200.1.0.15 and getting the pfSense login..

                                And you have no port forwards set up? No policy routing via gateway set in your rules on this 10.0 pfSense interface? What are your outbound NATs?

                                You're saying you can access it fine from your other 10.20 network, just not from this 10.0 network.. And it works fine as well from a device on the 200.x network.


                                • Voxtra @johnpoz

                                    @johnpoz
                                    Oh, so you're accessing this IP from a different network.. I thought you were on some box in 200.x and trying to access 200.1.0.15 and getting the pfSense login..

                                    Correct, that is the issue.
                                    And you have no port forwards set up?
                                    Only from WAN to LAN1, not from LAN2 to LAN3 and also not from LAN2 to LAN3.
                                    No policy routing via gateway set in your rules on this 10.0 pfSense interface?
                                    No.
                                    What are your outbound NATs?
                                    None, only the automatically created rules.
                                    You're saying you can access it fine from your other 10.20 network, just not from this 10.0 network.. And it works fine as well from a device on the 200.x network.
                                    That is correct.

                                    • Voxtra @Voxtra

                                      Just wanted to let you all know that we've made a workaround, since it was urgent and could not easily be solved. Thanks for your help!

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.