Netgate Discussion Forum

    Can NAT port 8085 to port 80, but not port 80 itself

    • mgaudette

      Hi,

      I've set up a NAT rule to forward port 8085 traffic on the pfSense to an internal Apache server's port 80. I'm getting exactly what I want when accessing test.domain.com.

      But the same rule with port 80 NATed to port 80 (same internal server) does not.  I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

      The likely culprit I thought was the pfSense GUI, but the pfSense configurator is port 8080, https is selected. It should not respond to port 80, should it?

      • Derelict LAYER 8 Netgate

        Check Disable webConfigurator redirect rule in System > Advanced

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • mgaudette

          Check Disable webConfigurator redirect rule in System > Advanced

          I did - checked or unchecked, same behavior

          • muswellhillbilly

            @Mike:

            I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

            Where are you trying to access the server from, the LAN or from the WAN side?

            • mgaudette

              I was trying to access the web page from outside the WAN, not the LAN.

              As I said, port 8085 to LAN machine port 80 worked perfectly; it's port 80 to LAN port 80 that didn't. The rules are identical, except for the port.

              • mgaudette

                NEW INFO

                I realized something else - I have a Virtual IP on the WAN side. When the rule is set to "destination IP - all" (i.e. all IPs defined on WAN, as opposed to a specific one), the rule works fine for the main IP but not for the Virtual IP I set up.

                In other words, http://test.domain.com is NATed correctly, but not http://testvirtualip.domain.com

                (test and testvirtualip are DNS entries for the main WAN IP and virtualip on WAN respectively)

                Is this normal? (and if so, why?) Or is this a bug that should be reported?

                Finally, I realize 1:1 NAT will work (and does work, I checked), is that the only way for my scenario to function properly? Is there a downside to using 1:1 NAT?  Not that I see any, but I'm less familiar with it than I am with normal port forwarding.

                • muswellhillbilly

                  Post screenshots of your NAT and firewall rules. Sounds like you may have a rule mismatch or maybe you have a block rule positioned above your allow rule(s)? Rules are applied top-down.

                  • mgaudette

                    Thank you for the offer - I ended up going with Virtual IPs anyway and 1:1 NAT, and that worked. Can't figure out why using normal port forward didn't, but I can't go back now (unless I had a good reason to).

                    • toniemy

                      Hello.
                      I've got a similar problem.

                      pfSense 2.3.3-RELEASE-p1 (i386) on public IP.
                      WWW server in LAN (192.168.1.6)

                      If I use NAT from WAN:82 (or any other port) to port 192.168.1.6:80 - everything works OK.
                      If I want to use NAT from WAN:80 to 192.168.1.6:80 it doesn't work - no connection, no errors in logs.
                      NAT from WAN:443 to 192.168.1.6:443 works OK, and all other ports (SSH, etc.) too.
                      Only 80 does not.

                      No service on pfSense uses port 80, I'm sure. The web panel was on port 80 after installation; maybe it is blocked all the time for some reason?

                      Thank you in advance.

                      Radek
