Netgate Discussion Forum
    HTTPS on non-standard port being blocked

    Firewalling
rfetech

      I am running pfSense 1.0.1 on Nokia IP330 for 11 months.  Our LAN is using NAT.  DMZ is filtered bridge.

      One of our departments needs to access their external website to check on website statistics.  The server they are trying to access is using a non-standard HTTPS port.  I am using the default LAN -> any rule but the page is being blocked by the firewall with the following rule:

      @262 block drop in log quick all label "Default block all just to be sure."

      The site they are trying to access is formatted as follows:

      https://server.website.com:2083

      I opened up the WAN interface to accept all connections from this IP but still cannot get it working.  I have a backup WAN connection that is running m0n0wall on WRAP and I don't have any problems accessing this particular site on that connection.  Any suggestions would be appreciated.

      Regards,
      Mitch

cmb

        Is it a site we can try?

rfetech

          Yes, there are two ways that it may be accessed.

          Go to http://www.monroeaquaticsandfitnesscenter.com/cpanel

          Or directly to https://server.websiteprofessionals.net:2083

          It is a password protected site and you should get a login page when working correctly.  In Firefox 2.0.0.6 I get this message: "The connection to server.websiteprofessionals.net:2083 was interrupted while the page was loading."  For IE7 it's just a generic "Internet Explorer cannot display the webpage"

          Thanks,
          Mitch

sai

            @rfetech:

            I opened up the WAN interface to accept all connections from this IP but still cannot get it working.

            You need to open up the IP and the port on the LAN interface, because that is where the users are.
            Rule:
            Interface : LAN
            Source : LAN network
            Source Port: *
            Destination: 72.36.202.74  (this is the ip I get when I lookup server.websiteprofessionals.net)
            Destination Port: 2083

            Make this rule the first rule.

            If this doesn't work then give us a screenshot of your LAN firewall rule set.

rfetech

              Thank you for your reply but I'm a little confused.

              In my original posting, I stated that the only rule I have on the LAN interface is the default rule which is LAN -> any.  I am not blocking "anything" going out the LAN interface.  It is my understanding that the firewall will allow any established connection from the LAN to WAN to come back through from WAN to LAN.  The computer on the LAN is contacting the server on the WAN at https://xxxxxxx:2083 but the firewall is blocking the return connection with the "block all" rule on the WAN.  At least that is the way I understand it but I could be wrong.  Please clarify for me if I am mistaken.

              Thanks,
              Mitch

sai

                If you have a rule allowing a packet out, then the reply packet will also be allowed in. You do not need a rule on the WAN for this. This is known as Stateful Packet Filtering.

                Are you sure that the entry in the log file relates to this website?

rfetech

                  Thank you for verifying that.  That's why I can't understand why the return connection is being blocked on the WAN interface.  I only have a few rules on the WAN that allow HTTP and HTTPS into our DMZ and a few 1-1 NATs into our LAN, etc.  There's never been any other issues with other web sites.

                  The following is from the logfile after trying to access the web page at: https://server.websiteprofessionals.net:2083

                  IF: WAN
                  Source: 72.36.202.74:2083
                  Destination: 64.128.42.159:62170
                  Protocol: TCP

                  The rule that triggered this action is:
                  @262 block drop in log quick all label "Default block all just to be sure."

                  I have tried opening "everything" from that IP into the WAN & LAN without success.

                  Thanks again,
                  Mitch

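The exchange above (sai's description of stateful filtering, and the log entry showing a reply from 72.36.202.74:2083 hitting the WAN default block) can be modelled with a small state-table simulation. This is an added example, not pfSense or pf code. It assumes a LAN "pass any" rule that keeps state, the WAN default "block all" from the log, and a static outbound NAT map; the LAN client's private address is invented, since the thread never shows it. It shows that a reply packet passes only while a matching state exists: with no state (never created, expired, or cleared), the identical packet produces exactly the logged block even though the LAN -> any rule is unchanged.

```python
"""Toy model of pf stateful filtering, added to illustrate the thread.

Rules mirror the setup described above: a LAN "pass any" rule that creates
state, and the WAN default "block all" for anything that matches no state.
Outbound NAT is reduced to a static address map. None of this is pfSense code.
"""
from dataclasses import dataclass

# Constructed sample input: the firewall-log entry quoted in the thread,
# in the same "Field: value" layout.
LOG_ENTRY = """IF: WAN
Source: 72.36.202.74:2083
Destination: 64.128.42.159:62170
Protocol: TCP"""

# Assumed values: the thread never shows the LAN client's private address,
# so one is invented here and mapped to the WAN address seen in the log.
LAN_CLIENT = "192.168.1.50"
NAT_MAP = {LAN_CLIENT: "64.128.42.159"}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "LAN" or "WAN"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log_entry(text: str) -> Packet:
    """Turn the log layout shown in the thread into a Packet."""
    fields = dict(line.split(": ", 1) for line in text.strip().splitlines())
    src, sport = fields["Source"].rsplit(":", 1)
    dst, dport = fields["Destination"].rsplit(":", 1)
    return Packet(fields["IF"], fields["Protocol"], src, int(sport), dst, int(dport))


class StatefulFilter:
    """LAN -> any keeps state; WAN has only the default block."""

    def __init__(self, nat_map: dict):
        self.nat_map = nat_map
        # Each state is the outbound 5-tuple as seen on the WAN side
        # (post-NAT): (proto, src, sport, dst, dport).
        self.states = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.iface == "WAN":
            # A reply matches a state when its addresses/ports are the
            # outbound tuple reversed; nothing else gets in on WAN.
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.states:
                return "pass: matched existing state"
            return 'block: @262 "Default block all just to be sure."'
        # LAN -> any: pass and create state with the translated source.
        translated = self.nat_map.get(pkt.src, pkt.src)
        self.states.add((pkt.proto, translated, pkt.sport, pkt.dst, pkt.dport))
        return "pass: LAN -> any, state created"

    def expire_states(self) -> None:
        """Stand-in for a state timeout, a reset or a reboot clearing the table."""
        self.states.clear()


def demo() -> dict:
    reply = parse_log_entry(LOG_ENTRY)
    outbound = Packet("LAN", "TCP", LAN_CLIENT, 62170, "72.36.202.74", 2083)
    fw = StatefulFilter(NAT_MAP)
    results = {}
    # 1. The reply arrives with no state: exactly the logged block.
    results["reply_without_state"] = fw.filter(reply)
    # 2. Normal case: outbound packet first, then the reply matches state.
    results["outbound"] = fw.filter(outbound)
    results["reply_with_state"] = fw.filter(reply)
    # 3. State gone: the same reply hits the WAN default block again even
    #    though the LAN -> any rule is unchanged.
    fw.expire_states()
    results["reply_after_expiry"] = fw.filter(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The practical reading of a log line like the one above is therefore not "the WAN rules are wrong" but "no state matched this packet"; on a real pfSense box the state table (Diagnostics > States in the web GUI, or `pfctl -ss` on the console) is the place to check whether the outbound connection's state exists when the reply arrives.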
sai

                    Well that's me stumped... how about getting rid of the rules on the WAN interface. Maybe you have something messed up there? You don't have any NAT setup either?

rfetech

                      Yesterday, I rebooted the unit for the first time in 10 months but that didn't solve the problem.  Today, I removed all NAT and rules except for the few rules for my servers in the DMZ and 6 1:1 NATs for some servers in the LAN.  All of these are HTTP, HTTPS, FTP, SMTP, IMAP or SSH.  The problem still persists.

                      I'm assuming that you were able to access the website that I'm having problems with?  What version of pfSense are you using?  As I've stated before, I have had no issues with my pfSense box since putting it into production last November.  We have about 300 computers on our network that access thousands of different sites and this is the first issue that I'm aware of.

                      I am planning to upgrade to 1.2 when it is released but was hoping to solve this issue now if possible.  If you are stumped, you can imagine how I feel.  ???

                      Thank you for all your help and please let me know if you should think of anything else.

                      Sincere regards,
                      Mitch

sai

                        Yes I can access the website fine.    ???

Guest

                          Hi,

                          is there a solution for this ?

                          I'm experiencing the same problem. Can't access an https site on a non-standard port (https://ias-web.conseur.org:4443).

                          Btw, I use squid proxy.

jahonix

                            Squid cannot work for httpS connections.
                            You have to explicitly create an additional allow rule for this traffic.

                            I cannot access your site either, in contrast to the one that rfetech gave us.
                            The problem seems to be on the other side of the connection.

Guest

                              Found a solution:

                              Edit the file /usr/local/pkg/squid.inc
                              Search for "acl sslports port 443 …" line
                              Add the https port you need to access on this line
                              Save
                              Restart

                              NB: I also added it to the line "acl safeports port 21 ..." but I'm not sure if it's necessary.

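The fix just described edits two Squid port ACLs by hand; the following added example (not the pfSense squid package's code) evaluates a CONNECT request to port 2083 against such a configuration, before and after the edit, so that the question in the NB (whether `safeports` also needs the port) can be answered for any given `squid.inc`. It keeps the ACL names from the post (`sslports`, `safeports`) but the port lists and the `http_access deny !safeports` / `http_access deny CONNECT !sslports` lines are assumed to follow stock Squid defaults, not the pfSense-generated file. Squid evaluates `http_access` lines in order, all ACLs on one line must match, and `!` negates; the evaluator implements exactly that subset.

```python
"""Evaluate Squid port ACLs for a CONNECT to a non-standard HTTPS port.

Added example, not the pfSense squid package's code. ACL names follow the
thread (sslports, safeports); the http_access lines and the port lists are
assumed to follow stock Squid defaults, not the pfSense-generated file.
"""

# Constructed config in stock-Squid style: note the 1025-65535 range in safeports.
BASE_CONFIG = """\
acl safeports port 21 80 443 70 210 1025-65535 280 488 591 777
acl sslports port 443 563
acl CONNECT method CONNECT
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow all
"""

# Constructed variant with a tight safeports list and no high-port range.
RESTRICTED_CONFIG = BASE_CONFIG.replace(
    "acl safeports port 21 80 443 70 210 1025-65535 280 488 591 777",
    "acl safeports port 21 80 443")

TARGET_PORT = 2083   # the port from the first post's URL


def parse_config(text: str):
    """Read 'acl ... port/method' lines and http_access rules (subset of Squid syntax)."""
    acls = {}    # name -> ("port", {(lo, hi), ...}) or ("method", {"CONNECT", ...})
    rules = []   # (action, [(negated, acl_name), ...]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            if kind == "port":
                ranges = acls.setdefault(name, ("port", set()))[1]
                for v in values:
                    lo, _, hi = v.partition("-")
                    ranges.add((int(lo), int(hi or lo)))
            elif kind == "method":
                acls.setdefault(name, ("method", set()))[1].update(m.upper() for m in values)
            else:
                raise ValueError(f"unsupported acl type: {kind}")
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules


def acl_matches(acl, method: str, port: int) -> bool:
    kind, values = acl
    if kind == "port":
        return any(lo <= port <= hi for lo, hi in values)
    return method.upper() in values


def decide(config_text: str, method: str, port: int):
    """First http_access line whose ACLs all match wins; no match means deny."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        # a term matches when (acl result XOR negation) is true
        if all((name == "all" or acl_matches(acls[name], method, port)) != negated
               for negated, name in terms):
            rule = " ".join(("!" if n else "") + a for n, a in terms)
            return action, f"http_access {action} {rule}"
    return "deny", "implicit deny (no http_access line matched)"


def add_port(config_text: str, acl_name: str, port: int) -> str:
    """Append a port to the 'acl <name> port ...' line, as the fix above does by hand."""
    return "\n".join(
        f"{line} {port}" if line.startswith(f"acl {acl_name} port ") else line
        for line in config_text.splitlines())


def demo() -> dict:
    ssl_only = add_port(BASE_CONFIG, "sslports", TARGET_PORT)
    r_ssl_only = add_port(RESTRICTED_CONFIG, "sslports", TARGET_PORT)
    r_both = add_port(r_ssl_only, "safeports", TARGET_PORT)
    return {
        "before": decide(BASE_CONFIG, "CONNECT", TARGET_PORT),
        "sslports_added": decide(ssl_only, "CONNECT", TARGET_PORT),
        "restricted_sslports_only": decide(r_ssl_only, "CONNECT", TARGET_PORT),
        "restricted_both": decide(r_both, "CONNECT", TARGET_PORT),
        "standard_https": decide(BASE_CONFIG, "CONNECT", 443),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:26s} {action:5s} <- {rule}")
```

Run against the stock-style list, the only line denying the CONNECT is `http_access deny CONNECT !sslports`, so adding the port to `sslports` is enough and the `safeports` edit is redundant because 2083 already falls inside 1025-65535. With the restricted list, `http_access deny !safeports` fires first and the port must be added to both ACLs, which is the situation the NB guards against; pasting the real `acl safeports` line from `squid.inc` into `BASE_CONFIG` tells you which case applies. Keeping the allowed CONNECT ports to an explicit list rather than a wide range is the safer setting, since CONNECT to arbitrary ports turns the proxy into a general TCP relay.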
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.