[RESOLVED] https through virtual IP
-
Hi, I'm running ver 2.0.rc3
I have created a virtual IP which I wish to handle an https connection. The https connection to the default wan address is directed to a different internal machine.
In NAT I have an Inbound rule
WAN TCP/UDP * * 200.XXX.XXX.163 443 (HTTPS) WebServer *
200.XXX.XXX.163 is the virtual IP.
The log shows a:
block Sep 1 19:04:43 LAN 192.168.0.XXX:443 190.XXX.XXX.221:2124 TCP:SA
and the detail of the block states:
@1 scrub in on em0 all no-df fragment reassemble
@1 block drop in log all label "Default deny rule"
My LAN rules are really relaxed for testing:
Pass * LAN net * * * * none
I'd really rather not add a 1:1 rule with the webserver and the virtual IP.
Can someone give me a clue as to what I am missing, because, well, the connection is not working.
Thanks.
-
Hmmm… I guess this has nothing to do with https as I just tried it with port 80 and same problem, so it must be something with the virtual IP that I don't understand.
-
Can you give screenshots and remove your public IP information?
-
Sure,
Here they are. My goal is simple.
I have two web servers.
One was dedicated only for http
The other for https
But I want to have a second https server
For testing purposes, I simply set the http server to also serve https.
Internally it all works just fine.
I want the second https (the newer one) to be accessible from outside. So I created the x.x.x.163 ipalias so I could direct the https traffic to that server, while using only one nic that is hooked up to the external router. After it didn't work I also created a NAT entry for port 80 on that virtual IP to see if it was an SSL issue. I got the same result, the same block, except that it says port 80 in the log.
Thanks,
-
and the other two that didn't fit in the post.
-
Try without the destination alias.
How do you have public IPs? Are you having continuous blocks or something else?
-
Ok, I changed the entry, replacing the alias with the IP of the server.
Same result.
Yes, it's a block. (162-165) And I'm reaching the firewall from the outside world with the .163 because I get the Firewall block entries at the exact time I try to access from the outside world. The .162 is the regular address. I used the 163 in the past (hooked up to another physical firewall), I stopped using it for a while, it is possible that the provider changed something, but I doubt it.
I haven't posted the entry itself in NAT. Here is the screenshot of that.
-
It's fixed!
Thank you, when you asked about the block, I kept thinking, so I went and rechecked everything, duhhhh, how stupid of me, the subnet mask was WRONG.
Geez,
Thank you!
-
It's ok, but you're showing your public IPs again.
-
So I set everything back to how I wanted it originally, and for the record having the destination Alias works fine.
Thanks for the Public/IP warning. I'll take it out again. Thanks.
Is there a way one can mark threads as "Answered" here?
-
Edit your first post's subject with [SOLVED].
-
Nevermind, it isn't solved. Having the same problem again. I have no clue as to why it started working and after a while it stopped working.
Any ideas of what else to look for?
-
Well, I fixed it again.
I think I found a bug.
Whenever you make any changes to the System Advanced Firewall/NAT window, it changes the IP Alias to Network, rather than the Single address, which of course breaks this. Uggh…
Anyways, messing around with the screen, I can't remember what the defaults for this were; can someone remind me which ones should be checked?
Disable NAT Reflection for port forwards:
Disable NAT Reflection for 1:1 NAT :
Automatically create outbound NAT rules...:
Thanks,
-
I was wrong, changes in the System Advanced screen do not change the label Network. The label Network is changed whenever you use anything other than a /32 mask.
It turns out that it works just fine with the mask /32
Whenever I re-save the Virtual IP it starts working again.
But I just noticed something else. I got the log entry:
kernel: arp: 00:1e:58:39:1a:1e is using my IP address 200.XXX.XXX.163 on vr0!
So I guess the provider did change something and that IP is assigned to something else, that would explain the weird erratic behavior. The provider was absorbed by another provider, so I think that's the origin of the problem.
Anyhow, thanks and please do let me know what the defaults are for:
Disable NAT Reflection for port forwards:
Disable NAT Reflection for 1:1 NAT :
Automatically create outbound NAT rules…:
-
Disable NAT Reflection for port forwards:
Disable NAT Reflection for 1:1 NAT :
Automatically create outbound NAT rules…:
I'm not sure if I have default settings, but working settings: check, check & uncheck
-
Thanks!
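The three symptoms this thread turns on (server SYN-ACKs entering on LAN and hitting the default deny rule, the kernel's "is using my IP address" ARP message, and an IP alias VIP that is not a /32) can be checked mechanically from the firewall's logs and VIP list. The following Python is an added example, not code from any post or from pfSense itself; the log lines and VIP entries are constructed to mirror the thread, and the public addresses are documentation-range placeholders.

```python
import re

# Constructed sample data modelled on the thread's log entries; the public
# addresses are documentation-range placeholders, not the poster's real ones.
FILTER_LOG = [
    "block Sep 1 19:04:43 LAN 192.168.0.10:443 190.0.2.221:2124 TCP:SA",
    "block Sep 1 19:04:46 LAN 192.168.0.10:443 190.0.2.221:2124 TCP:SA",
    "pass Sep 1 19:05:01 WAN 198.51.100.7:51000 203.0.113.163:443 TCP:S",
]
KERNEL_LOG = [
    "kernel: arp: 00:1e:58:39:1a:1e is using my IP address 203.0.113.163 on vr0!",
]
# Virtual IPs as (type, address, prefix length); an IP alias used for a port
# forward must be a single /32 address, anything else shows up as "Network".
VIRTUAL_IPS = [("ipalias", "203.0.113.163", 24), ("ipalias", "203.0.113.164", 32)]

FILTER_RE = re.compile(
    r"^(?P<act>block|pass) \w{3} +\d+ [\d:]+ (?P<if>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) TCP:(?P<flags>\S+)$"
)
ARP_RE = re.compile(r"arp: (?P<mac>[0-9a-f:]{17}) is using my IP address (?P<ip>[\d.]+) on (?P<if>\w+)!")

def orphan_replies(lines, lan_if="LAN", port=443):
    """SYN-ACKs from the forwarded server port, entering on LAN, hit by the default deny rule.
    The server answered a client, but the firewall holds no state for that flow, so the
    client's SYN never went through the port forward (wrong VIP mask, duplicate IP, ...)."""
    hits = []
    for line in lines:
        m = FILTER_RE.match(line)
        if m and m["act"] == "block" and m["if"] == lan_if \
                and m["sport"] == str(port) and m["flags"] == "SA":
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits

def ip_conflicts(lines):
    """Other hosts claiming one of our addresses, as reported by the kernel's ARP check."""
    return [(m["ip"], m["mac"], m["if"]) for m in map(ARP_RE.search, lines) if m]

def bad_alias_masks(vips):
    """IP alias VIPs whose prefix is not /32, the misconfiguration that broke the forward here."""
    return [ip for kind, ip, prefix in vips if kind == "ipalias" and prefix != 32]

if __name__ == "__main__":
    print("server replies blocked without state:", orphan_replies(FILTER_LOG))
    print("ARP conflicts:", ip_conflicts(KERNEL_LOG))
    print("IP aliases not /32:", bad_alias_masks(VIRTUAL_IPS))
```

Any hit from the first two checks points away from the NAT rule itself and toward the path the client's SYN took, which is where the thread's two root causes (mask and duplicate address) both lived.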