Netgate Discussion Forum

Big issues running IIS behind PFSense.

General pfSense Questions
30 Posts 8 Posters 18.6k Views
pseudonym (Jan 10, 2010, 12:28 AM):

Well.. hopefully someone here can help me.  So far I have had absolutely no luck running websites behind PFSense.  I have an IIS 6 server running on Windows 2008 Server with several webpages on it.  I have a forward set up for HTTP and I have rules set to pass traffic.  When set up on a stupid POS router, it works fine; however, when I try it with PFSense, I get a "Page Can't be Displayed" error message.  When I disable the Packet Filter it DUMPS ME IN AT THE INTERNAL INTERFACE OF THE ROUTER!!!!  To say this is a BAD thing is an understatement of a massive nature.  There is no way I should be able to log into the internal interface of my router externally!

No idea what is happening here.  Like I said, forward the port, make sure the rule is correct and it works fine with ye ol' Linksys router.  Exact same setup on PFSense and it goes to the internal interface when trying to access externally.

Any ideas?

Thanks

~m
GruensFroeschli (Jan 10, 2010, 12:29 AM):

Please show a screenshot of all the rules you created.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
pseudonym (Jan 10, 2010, 12:38 AM, edited 1:08 AM):

You mean the two =P.  One for MS-RDP and one for HTTP.. that is it.

This is a very clean install.  Don't want to complicate things.

UPDATE: Tried with NAT Reflection turned off and turned on with no results.  I am currently at an external location where I can access the server using RDP and access the internal interface of the router through that server.  RDP port forward works without any issues at all.. This is gonna make me bald and grey =P.  When rules are enabled I am getting a 404 error; with them disabled, I get directed to the internal interface of the router.  Not sure how PFSense handles host header names, thinking there might be a problem there.  Websites are registered in DNS just fine and.. as I said, everything works perfectly when behind a Linksys home router..

[attachments: pfsense_Rules.png, pfsense_nat.png]
wallabybob (Jan 10, 2010, 6:16 AM):

A difference between RDP and HTTP (or HTTPS) is that pfSense will generally take no interest in RDP (unless you have a specific firewall rule for it) whereas pfSense has its own web GUI which can take an interest in HTTP or HTTPS.

How about configuring in System -> General Setup a non-standard port for the pfSense web GUI and see what difference that makes? (For example, put the pfSense web GUI on port 89, and see if your web access from the internet to port 80 behaves any differently.)

It might be relevant to know what is between the Linksys router and the internet (e.g. a cable modem or xDSL modem), what port forwarding magic is invoked there, whether the pfSense box reuses the Linksys's IP addresses or has a different set, etc.

Even though your rules might be simple, it's a pity you didn't post them.  Small details can make a significant difference, and looking them up and posting them might have resulted in you or a reader seeing a "small" error (like interchanging two digits in an IP address) that had previously escaped your notice.
Supermule (Jan 10, 2010, 10:04 AM):

Start by disabling the 2 rules in front of HTTP on WAN….

Move a block-all rule down below the RDP rule.

See if it's better.
danswartz (Jan 10, 2010, 12:58 PM, edited 1:04 PM):

This all makes no sense.  I am running a web server on port 80 and port 443 behind a 1.2.3 pfSense with http and https forwarded and it works just fine!  Can you do 'pfctl -s nat | grep http' and 'pfctl -s rules | grep http' in a shell and post the output?
wallabybob (Jan 10, 2010, 1:46 PM):

pseudonym, sorry I didn't notice your rule postings.

danswartz: what port are you using for the pfSense web GUI?  The pfSense book says (bottom of page 59) "Moving the WebGUI to an alternate port is also a good tactic for increased security, and it will free up the standard web ports for use with port forwards or other … " which doesn't exactly say it's not possible to do port forwarding on the standard web ports if they are in use by the web GUI, but does at least hint it might be a troublesome configuration.
pseudonym (Jan 10, 2010, 5:31 PM, edited 5:33 PM):

Thanks for all the replies.  I switched the Web GUI over to a non-standard port, but that doesn't seem to help, other than I get a 404 error when the rules are disabled rather than it dumping me on the internal interface.  Helps a bit with security, but doesn't fix the problem.  Here are the text-based rules as generated by pfctl:

    pfctl -s nat | grep http

    rdr on sk1 inet proto tcp from any to 96.52.133.83 port = http -> 10.10.2.90
    rdr on sk1 inet proto udp from any to 96.52.133.83 port = http -> 10.10.2.90
    rdr on sk0 inet proto tcp from any to 96.52.133.83 port = http -> 127.0.0.1 port 19000
    rdr on sk0 inet proto udp from any to 96.52.133.83 port = http -> 127.0.0.1 port 19001

    pfctl -s rules | grep http

    pass in quick on sk1 reply-to (sk1 96.52.132.1) inet proto tcp from any to 10.10.2.90 port = http flags S/SA keep state label "USER_RULE: NAT HTTP Port Forward to Web Server"
    pass in quick on sk1 reply-to (sk1 96.52.132.1) inet proto udp from any to 10.10.2.90 port = http keep state label "USER_RULE: NAT HTTP Port Forward to Web Server"

I am really wondering what, exactly, the two rdr on sk0 (IN_IF) to the loopback address are doing.. I am also a tad confused that the external IP in the "rules" is somehow different from the external IP listed in NAT…

Anyhow, hope someone has some ideas what is happening...

Is there a way to just edit the pf.conf and ditch the webconfig?
GruensFroeschli (Jan 10, 2010, 9:26 PM):

What should the external address be?
It's the same as in the screenshot you just showed.
Could it be that you're using VIPs and used the wrong IP for the mapping?
danswartz (Jan 10, 2010, 9:42 PM):

wallaby: I am using the standard HTTPS port.  Given the webgui is not listening on the WAN anyway, I never understood this concern; it certainly does not affect my config.
danswartz (Jan 10, 2010, 9:48 PM):

I don't know what the two loopback redirects are for, but they are on the LAN, not the WAN.  As far as the IP in the rules being different, this is because the rdr (which rewrites the WAN IP to the forwarded LAN IP) is done before the access check.  Sounds like your config is all buggered up.  I would try reinstalling from scratch (and not restoring the config; type it in from scratch, since it looks small).  No, bypassing the GUI is not usual; if you don't want that, you should build your own OpenBSD firewall from scratch, it has nothing but the CLI…
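The pfctl listing pseudonym posted and danswartz's point about rdr running before the filter rules can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses `pfctl -s nat` / `pfctl -s rules` output in the format shown above (pfSense 1.2.x) and reports whether each WAN forward has a pass rule for its translated destination (pf applies rdr before the filter rules, which is why the pass rule names 10.10.2.90 and not the WAN address), separates out the rdr entries to 127.0.0.1 (these are what pfSense 1.2's NAT Reflection option generates: a local proxy on ports 19000 and up, not a forward to the server), and flags UDP forwards of HTTP as noise. It assumes sk1 is the WAN interface and sk0 the LAN interface; the embedded rule text is a constructed copy of what was posted.

```python
"""Consistency check for pfSense port forwards, from pfctl text output.

Added example for the forum thread; not code from the forum or from pfSense.
Assumptions: sk1 is WAN, sk0 is LAN, and the sample text is a constructed copy
of the rules the poster showed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the thread's pfctl output.
NAT_OUTPUT = """\
rdr on sk1 inet proto tcp from any to 96.52.133.83 port = http -> 10.10.2.90
rdr on sk1 inet proto udp from any to 96.52.133.83 port = http -> 10.10.2.90
rdr on sk0 inet proto tcp from any to 96.52.133.83 port = http -> 127.0.0.1 port 19000
rdr on sk0 inet proto udp from any to 96.52.133.83 port = http -> 127.0.0.1 port 19001
"""
RULES_OUTPUT = """\
pass in quick on sk1 reply-to (sk1 96.52.132.1) inet proto tcp from any to 10.10.2.90 port = http flags S/SA keep state label "USER_RULE: NAT HTTP Port Forward to Web Server"
pass in quick on sk1 reply-to (sk1 96.52.132.1) inet proto udp from any to 10.10.2.90 port = http keep state label "USER_RULE: NAT HTTP Port Forward to Web Server"
"""

# pfctl prints names from /etc/services for well-known ports; map them back.
SERVICE_NAMES = {"http": "80", "https": "443", "ms-wbt-server": "3389"}

RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto (?P<proto>tcp|udp) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port = (?P<dport>\S+) -> (?P<target>\S+)(?: port (?P<tport>\S+))?$"
)
PASS_RE = re.compile(
    r"^pass in quick on (?P<iface>\S+)(?: reply-to \([^)]*\))? inet proto (?P<proto>tcp|udp) "
    r"from (?P<src>\S+) to (?P<dst>\S+) port = (?P<dport>\S+)"
)


@dataclass(frozen=True)
class Rdr:
    iface: str
    proto: str
    dst: str      # pre-translation destination (the WAN address)
    dport: str
    target: str   # post-translation destination
    tport: str    # post-translation port; equals dport when pfctl prints none


@dataclass(frozen=True)
class Pass:
    iface: str
    proto: str
    dst: str      # filter rules see the post-rdr destination
    dport: str


def norm_port(p: str) -> str:
    return SERVICE_NAMES.get(p, p)


def parse_rdr(text: str) -> List[Rdr]:
    """Extract rdr entries; non-matching lines (e.g. nat/binat) are ignored."""
    out = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            out.append(Rdr(m["iface"], m["proto"], m["dst"], m["dport"],
                           m["target"], m["tport"] or m["dport"]))
    return out


def parse_pass(text: str) -> List[Pass]:
    out = []
    for line in text.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            out.append(Pass(m["iface"], m["proto"], m["dst"], m["dport"]))
    return out


def audit(nat_text: str, rules_text: str, wan_iface: str) -> List[Tuple[str, str]]:
    """Return (category, message) findings for every rdr in the NAT output."""
    passes = parse_pass(rules_text)
    findings: List[Tuple[str, str]] = []
    for r in parse_rdr(nat_text):
        if r.target.startswith("127."):
            findings.append(("reflection", f"{r.iface} {r.proto}/{r.dport} -> {r.target}:{r.tport} "
                             "is a NAT-reflection proxy entry, not a forward to the server"))
            continue
        if r.iface != wan_iface:
            findings.append(("wrong_iface", f"forward on {r.iface} but WAN is {wan_iface}"))
            continue
        # The pass rule must match the *translated* destination and port.
        matched = any(p.iface == r.iface and p.proto == r.proto and p.dst == r.target
                      and norm_port(p.dport) == norm_port(r.tport) for p in passes)
        if not matched:
            findings.append(("missing_pass", f"no pass rule on {r.iface} for {r.proto} "
                             f"to {r.target} port {norm_port(r.tport)}"))
        if r.proto == "udp" and norm_port(r.dport) in ("80", "443"):
            findings.append(("udp_web", f"udp/{r.dport} forward carries nothing for a web "
                             "server; forward tcp only"))
    return findings


if __name__ == "__main__":
    for cat, msg in audit(NAT_OUTPUT, RULES_OUTPUT, wan_iface="sk1"):
        print(f"[{cat}] {msg}")
```

Run against the thread's rules it reports no missing pass rule for the WAN forward, which agrees with danswartz's reading that the rule set itself looks sane; the two loopback entries are reflection proxies on the LAN side and the UDP forward is harmless clutter. A transposed digit in the forward target, the "small error" wallabybob mentions, would show up as a `missing_pass` finding.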
pseudonym (Jan 10, 2010, 11:14 PM):

I shall try another reinstall.. This is already install 3.  This is a really un-good situation.  I have PFSense routers installed at schools all over the province; if this is an issue.. then I seriously have to consider removing them and going with a different solution…

major bummer =(.

Any other suggestions?
danswartz (Jan 11, 2010, 12:11 AM):

Well, I am mystified.  You are not installing packages or anything?  It's hard to believe this stuff is just happening out of left field :(
wallabybob (Jan 11, 2010, 1:13 AM):

@danswartz:

    Well, I am mystified.  You are not installing packages or anything?  It's hard to believe this stuff is just happening out of left field :(

Could we be looking at the problem in the wrong way?  Does "Page Can't be Displayed" indicate a problem connecting to the server?  A problem downloading data from the server?

Comments so far seem to have concentrated on the possibility of failure to connect to the server.  Is there some independent verification that that is the problem?  (Does the server log incoming connections?)
pseudonym (Jan 11, 2010, 6:42 PM):

Packets are not hitting the webserver at all when I have PFSense as the router.  I am certain that the webserver is at least functional, as it works fine when using a different router.

I am going to try a full reinstall… completely base (this install should have already been pretty basic as I reset and reconfigured with only the two rules).  I will give it another go and report back with a full dmesg and rules listing.

In the meantime.. is ANYONE running PFSense in front of an IIS server hosting multiple websites???  Does anyone know how PFSense handles Host Header Names?

This can't be an issue that only I am having...
GruensFroeschli (Jan 11, 2010, 6:48 PM):

@pseudonym:

    In the meantime.. is ANYONE running PFSense in front of an IIS server hosting multiple websites???  Does anyone know how PFSense handles Host Header Names?

I'm not running IIS, but pfSense is completely ignoring anything related to host header names.
It simply forwards the packets specified in the NAT rule.
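wallabybob asks whether the server logs incoming connections, and GruensFroeschli notes that pfSense never looks at the Host header. Both can be settled from the IIS log rather than from the browser's error page. The following is an added example, not code from the thread or from IIS: it reads IIS W3C extended log lines (IIS 7.x writes a `#Fields:` header naming the columns; the `cs-host` column only appears if the Host field is enabled in the site's logging settings) and counts hits per host header, split into LAN-origin and external-origin. If the external count stays at zero while RDP to the same box works, the HTTP packets are not leaving pfSense towards the server, and a packet capture on the WAN and LAN interfaces is the next step. The log lines are constructed; 10.10.2.0/24 is assumed to be the LAN (the thread's server is 10.10.2.90) and 198.51.100.23 is a documentation-range stand-in for an internet client.

```python
"""Did external clients actually reach the IIS site behind the port forward?

Added example for the forum thread; not code from the forum or from IIS.
Assumptions: W3C extended log format with cs-host enabled, LAN is 10.10.2.0/24,
and the log text below is constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample log (IIS 7.5 W3C format with the cs-host column enabled).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2010-01-11 18:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-11 18:00:01 10.10.2.90 GET / - 80 - 10.10.2.15 Mozilla/5.0 fintrycroft.ca 200 0 0 15
2010-01-11 18:00:07 10.10.2.90 GET /about.html - 80 - 10.10.2.15 Mozilla/5.0 corporatesecurityconsulting.ca 200 0 0 12
2010-01-11 18:01:30 10.10.2.90 GET / - 80 - 198.51.100.23 Mozilla/5.0 fintrycroft.ca 200 0 0 31
2010-01-11 18:02:02 10.10.2.90 GET /missing.html - 80 - 198.51.100.23 Mozilla/5.0 fintrycroft.ca 404 0 2 8
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # header repeats when IIS rolls the log
            continue
        if not fields:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_lan(ip: str, lan_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the client address falls inside one of the LAN networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # IIS writes '-' when the address is unknown
    return any(addr in net for net in lan_nets)


def summarize(text: str, lan_cidrs: Iterable[str], port: str = "80") -> Dict[str, object]:
    """Count hits on `port` from LAN clients and, per Host header, from outside."""
    nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    internal = 0
    external: Counter = Counter()
    for rec in parse_w3c(text):
        if rec.get("s-port") != port:
            continue
        if is_lan(rec.get("c-ip", "-"), nets):
            internal += 1
        else:
            # '-' here means the cs-host column is not being logged.
            external[rec.get("cs-host", "-")] += 1
    return {"internal": internal, "external": external}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, ["10.10.2.0/24"])
    print("LAN hits:", result["internal"])
    for host, n in result["external"].items():
        print(f"external hits for Host {host}: {n}")
    if not result["external"]:
        print("no external hits: the forward is not delivering packets to the server")
```

The per-host breakdown is what answers the host-header question on the server side: pfSense forwards every port-80 packet to the same internal address regardless of Host, and IIS picks the site from the header once the connection arrives, so the log is where a mismatch between DNS name and IIS binding would show up.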
Supermule (Jan 11, 2010, 6:52 PM):

Do you mean multiple webservers with sites, or just multiple sites on one webserver???

PFSense doesn't have Layer7, but I do not have any problems forwarding all my port 80 traffic to an ISA Server which has Layer7.

One webserver behind PFSense is absolutely no problem… I can do that for you in 5 minutes via a remote session.  No problems...
pseudonym (Jan 11, 2010, 8:18 PM):

It is one webserver, Win2k8 running IIS 7.5.  It is hosting a couple of websites (EX: Fintrycroft.ca, corporatesecurityconsulting.ca).

Should be as easy as forwarding port 80 to the correct internal IP, but for some reason it isn't working….
Supermule (Jan 11, 2010, 8:27 PM):

And it is loading the interfaces and assigning them correctly??
pseudonym (Jan 11, 2010, 9:18 PM, edited 9:28 PM):

Yup.  No other issues at all.  I don't have load balancing set up; the only thing that has been configured is a port forward for MS-RDP and HTTP and the associated rules, which were generated automatically.  Both forwards are going to the same machine and the MS-RDP is working perfectly.  Interfaces are assigned correctly and are working.  NAT is working (I am behind the firewall writing this).  WebGUI is on a non-standard port and packets are NOT being forwarded to the webserver… no idea why =(.

EDIT:  added dmesg from last reboot in a file.

[attachment: dmesg.txt]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.