NAT port 80 kills web GUI == BIG PROBLEM

bruor · Dec 7, 2005, 10:14 PM

ok found a bit of a bug in pfsense. i run a webserver behind one of these boxes. and i have been able to reproduce the following VERY accurately.

if you are running pfsense on the default port 80, and you setup a NAT rule for the WAN interface on port 80, the pfsense box will no longer accept port 80 connections from the LAN interface.
i have reproduced this on 2 separate different boxes, but using the same network cards.

the easiest workaround for this is to move the webgui to another port, but this was bad becasue it seemed like my monowall config was killing the pfsense box. and monowall handles this scenario just fine.
if it is a limitation of pf in bsd to not differentiate between the interfaces when a connection is made etc, then i can understand. otherwise it seems like there could be an issue with the way the system works/adds the rules etc…

bruor · Dec 7, 2005, 10:18 PM

just realized that there is a similar post here… http://forum.pfsense.org/index.php?topic=146.0

sullrich · Dec 7, 2005, 10:44 PM

@bruor:

just realized that there is a similar post here… http://forum.pfsense.org/index.php?topic=146.0

Turn off NAT reflection in advanced…

bruor · Dec 8, 2005, 12:52 AM

no problem, i am assuming nat redirection just allows you to punch in your domain name from inside the subnet, and access it as if you were coming in from outside the network ?

hoba · Dec 8, 2005, 1:04 AM

it allows you to access nated services by your wan ip from your internal network(s).
let's say you have forwarded your wan ip port 80 to port 85 at a machine on lan a client coming from the inside will be able to access that port 85 at that machine by using the wan ip and port 80. Without reflection that doesn't work.

bruor · Dec 8, 2005, 1:18 AM

thanks, for the fast reply hoba, exactly what i thought it did, and gladly not important at all for me since it doesn't seem to work without disrupting that port on the lan interface ;)