Netgate Discussion Forum

    Internal Web Server

    NAT
      thinair

      I did a clean install with the 0.94 liveCD, upgraded to 0.94.2, then started configuring from scratch instead of using my old config.

      I have a web server on my LAN, and I made a NAT rule that looks like this:

      <rule>
        <external-address>any</external-address>
        <protocol>TCP</protocol>
        <external-port>80</external-port>
        <target>server</target>
        <local-port>80</local-port>
        <interface>wan</interface>
        <descr>Web Server</descr>
      </rule>

      As soon as I apply that, I can't view any external websites and I get locked out of the webGUI. Actually it seems like the only thing I can do is ping the LAN interface on pfSense, and view the webpages on my server.

      I went into the shell via the console and browsed around until I found the config file, removed the above rule and the accompanying firewall rule, rebooted and I was back in business.

      I guess this has something to do with NAT reflection? I didn't disable it beforehand.

      Nelson Papel

        thinair

        Never mind, I disabled NAT reflection and put my aforementioned rule back in and everything is good. I just remembered that I had this problem before.

        Nelson Papel

          sullrich

          @thinair:

          Never mind, I disabled NAT reflection and put my aforementioned rule back in and everything is good. I just remembered that I had this problem before.

          Please share with us what rule is causing this.  Reflection should not be causing these issues.

            thinair

            @sullrich:

            Please share with us what rule is causing this.  Reflection should not be causing these issues.

            The rule is in the first post

            Nelson Papel

              sullrich

              @thinair:

              @sullrich:

              Please share with us what rule is causing this.  Reflection should not be causing these issues.

              The rule is in the first post

              This is not happening to me. I have many web servers (5+) redirected at my work and we do not see this behavior. You're on 0.94+?

                thinair

                Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

                I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again). So again I went sifting through the config.xml file, and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.

                Nelson Papel

                  sullrich

                  @thinair:

                  Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

                  I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again). So again I went sifting through the config.xml file, and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.

                  Okay, please enable NAT reflection. Wait until port 80 is no longer working, then send me the contents of /tmp/rules.debug to sullrich@gmail.com. I will take a look at why this is happening.

                  And for the record, you are DHCP, PPPoE, PPTP on WAN?

                    thinair

                    PPPoE, and email sent

                    Nelson Papel

                      sullrich

                      @thinair:

                      PPPoE, and email sent

                      Thanks, I'll check it out this afternoon.

                        bruor

                        NAT reflection should only take effect for packets that are destined to the WAN interface, right?

                        Additionally, if NAT reflection was forwarding those packets to my web server, I would have gotten the page that is hosted on it…

                        Let me know if there is anything I can do as well to help with this.
