Netgate Discussion Forum

How to keep the webserver accessible from the internet?

18 Posts 4 Posters 2.9k Views
    lordfurqon
    last edited by Apr 7, 2017, 5:50 PM Apr 7, 2017, 5:31 PM

    This is my first time using pfsense. I did a simulation using vmware, with this topology:

    WAN –> NAT (wifi)
    LAN --> 192.168.200.1/24

    webserver1 --> 192.168.200.2/24
    webserver2 --> 192.168.200.3/24

    After scanning webserver1 and webserver2 with nmap to see which ports are open, I got the following:

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-07 10:02 GMT+7
    Nmap scan report for 192.168.200.2
    Host is up (0.00014s latency).
    Not shown: 992 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    443/tcp open  https
    MAC Address: 00:50:56:24:89:0B (VMware)

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-07 10:02 GMT+7
    Nmap scan report for 192.168.200.3
    Host is up (0.00014s latency).
    Not shown: 992 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    443/tcp open  https
    MAC Address: 00:50:56:33:49:04 (VMware)

    I want to close all ports other than 80, 443 and 53. I configured the firewall to block the ports on the LAN, but they are still not closed when I scan again.

    I scanned again:

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-07 10:30 GMT+7
    Nmap scan report for 192.168.200.2
    Host is up (0.00014s latency).
    Not shown: 992 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    443/tcp open  https
    MAC Address: 00:50:56:24:89:0B (VMware)

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-07 10:30 GMT+7
    Nmap scan report for 192.168.200.3
    Host is up (0.00014s latency).
    Not shown: 992 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    443/tcp open  https
    MAC Address: 00:50:56:33:49:04 (VMware)

    Still no ports are closed.

    Thank you, please help.

      pfBasic Banned
      last edited by Apr 7, 2017, 5:42 PM

      Create a Port alias = 53, 80, 443

      Create the following firewall rule for each webserver, or create an alias that includes both webservers.

      [attached screenshot: Untitled.png]

        lordfurqon
        last edited by Apr 7, 2017, 6:28 PM Apr 7, 2017, 6:13 PM

        @pfBasic:

        Create a Port alias = 53, 80, 443

        Create the following firewall rule for each webserver, or create an alias that includes both webservers.

        I tried to make a rule to close port 21 on server 192.168.200.3.

        I tried to scan 192.168.200.3:

        Port 21 is still open.
        Please correct me and help; what is perhaps wrong with my configuration?

          johnpoz LAYER 8 Global Moderator
          last edited by Apr 7, 2017, 6:25 PM

          Where are you scanning from? You understand pfsense has zero to do with communication between webserver 1 and 2. They are on the same network.

          Rules are evaluated top down as the traffic enters an interface. So if you want to stop something on the LAN from talking to the DMZ or WAN/internet, then sure, LAN is the place to put them. But it's top down, first rule to fire wins - no other rules are evaluated.

          If you were scanning from WAN to LAN, all traffic would be blocked out of the box. Where are you scanning from exactly, to where?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            lordfurqon
            last edited by Apr 7, 2017, 6:31 PM

            @johnpoz:

            Where are you scanning from? You understand pfsense has zero to do with communication between webserver 1 and 2. They are on the same network.

            Rules are evaluated top down as the traffic enters an interface. So if you want to stop something on the LAN from talking to the DMZ or WAN/internet, then sure, LAN is the place to put them. But it's top down, first rule to fire wins - no other rules are evaluated.

            If you were scanning from WAN to LAN, all traffic would be blocked out of the box. Where are you scanning from exactly, to where?

            I scan from the same network as the webserver 192.168.200.3.

              pfBasic Banned
              last edited by Apr 7, 2017, 6:33 PM

              Try something like this to scan your WAN ports:
              https://www.grc.com/x/ne.dll?bh0bkyd2
              Click "Proceed", then click "All Service Ports". Right now, unless you've written rules on WAN, they will all be closed.

              You'll need to write rules on WAN to open the specific ports you need to access your webservers.
              Write the rules you need, then rescan and you will see them open.

                pfBasic Banned
                last edited by Apr 7, 2017, 6:38 PM

                Read this:
                https://calvin.me/port-forward-web-servers-in-pfsense-2/

                  lordfurqon
                  last edited by Apr 7, 2017, 6:49 PM

                  @pfBasic:

                  Try something like this to scan your WAN ports:
                  https://www.grc.com/x/ne.dll?bh0bkyd2
                  Click "Proceed", then click "All Service Ports". Right now, unless you've written rules on WAN, they will all be closed.

                  You'll need to write rules on WAN to open the specific ports you need to access your webservers.
                  Write the rules you need, then rescan and you will see them open.

                  Rule on WAN:

                  The scanning results:

                  The NAT configuration goes through the WAN interface of the free wifi, and I run pfsense in vmware.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Apr 7, 2017, 7:02 PM

                    @lordfurqon:

                    Pfsense has ZERO to do with those webservers talking to each other.


                      lordfurqon
                      last edited by Apr 7, 2017, 8:18 PM

                      @pfBasic:

                      Read this:
                      https://calvin.me/port-forward-web-servers-in-pfsense-2/

                      I followed the tutorial so that 192.168.200.3 is accessible to the public, but the public still cannot access 192.168.200.3.
                      Is there something wrong with my configuration? Please correct me.

                        lordfurqon
                        last edited by Apr 7, 2017, 8:21 PM

                        @johnpoz:

                        @lordfurqon:

                        Pfsense has ZERO to do with those webservers talking to each other.

                        Okay, I understand. Thank you.
                        But I still do not have the webserver accessible publicly :D

                          johnpoz LAYER 8 Global Moderator
                          last edited by Apr 7, 2017, 8:30 PM

                          Allowing access to the pfsense web GUI from the public internet is a BAD idea, even if you change the port.

                          If you want your webservers to be available behind pfsense that would be a port forward.


                            Derelict LAYER 8 Netgate
                            last edited by Apr 7, 2017, 8:30 PM

                            Source address WAN net is not the internet, it is the subnet of the WAN interface. Source any is the internet.

                            And the destination should be the INSIDE ADDRESS of the port forward. The REAL ADDRESS of the server, such as 192.168.200.3.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

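An added example, not from this thread or from pfSense itself, that models the two points made above: johnpoz's note that rules are evaluated top down on the interface the traffic enters and never see LAN-to-LAN traffic, and Derelict's note that a WAN rule for a port forward needs source any (not "WAN net") and the server's inside address as destination. The WAN subnet, WAN address and client addresses are constructed; the LAN addresses are the ones from the thread.

```python
import ipaddress
from collections import namedtuple

LAN_NET = ipaddress.ip_network("192.168.200.0/24")   # from the thread
WAN_NET = ipaddress.ip_network("10.0.0.0/24")        # constructed: the upstream wifi NAT subnet
WAN_IP = "10.0.0.5"                                  # constructed: pfSense WAN address
WEBSERVER2 = "192.168.200.3"                         # from the thread

# Rule fields: action "pass"/"block"; src "any" (the internet) or "WAN net"
# (only the WAN interface's own subnet); dst "any" or a host; port or None for any.
Rule = namedtuple("Rule", "action src dst port")

def src_matches(spec, addr):
    # "WAN net" is the WAN interface's subnet, which is not the internet
    return spec == "any" or (spec == "WAN net" and ipaddress.ip_address(addr) in WAN_NET)

def first_match(rules, src, dst, port):
    """Rules are evaluated top down; the first rule to fire wins, default deny."""
    for r in rules:
        if src_matches(r.src, src) and r.dst in ("any", dst) and r.port in (None, port):
            return r.action
    return "block"

def deliver(src, dst, port, lan_rules, wan_rules, port_forwards):
    """Return (action, delivered_destination) for one TCP SYN.
    LAN-to-LAN traffic never enters pfSense, so no rule is consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LAN_NET and d in LAN_NET:
        return ("pass", dst)                                   # same segment: pfSense never sees it
    if s in LAN_NET:
        return (first_match(lan_rules, src, dst, port), dst)   # leaving LAN toward WAN
    # Arriving on WAN: the port forward rewrites the destination first, so the
    # WAN rule must match the INSIDE address (192.168.200.3), not the WAN IP.
    inside = port_forwards.get((dst, port), dst)
    return (first_match(wan_rules, src, inside, port), inside)

# Scenarios from the thread; scanner and internet client addresses are constructed.
LAN_RULES = [Rule("block", "any", WEBSERVER2, 21)]             # the OP's LAN rule for port 21
FORWARDS = {(WAN_IP, 80): WEBSERVER2, (WAN_IP, 443): WEBSERVER2}

def scan_from_lan():               # nmap on another 192.168.200.x host hitting .3:21
    return deliver("192.168.200.50", WEBSERVER2, 21, LAN_RULES, [], FORWARDS)

def internet_with_wrong_source():  # WAN rule with source "WAN net": never matches the internet
    return deliver("203.0.113.7", WAN_IP, 80, LAN_RULES, [Rule("pass", "WAN net", WEBSERVER2, 80)], FORWARDS)

def internet_with_source_any():    # WAN rule with source any, destination = inside address
    return deliver("203.0.113.7", WAN_IP, 80, LAN_RULES, [Rule("pass", "any", WEBSERVER2, 80)], FORWARDS)
```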
                              lordfurqon
                              last edited by Apr 8, 2017, 1:27 AM

                              @johnpoz:

                              Allowing access to pfsense web gui from the public internet is a BAD idea.. even if you change the port.

                              If you want your webservers to be available behind pfsense that would be a port forward.

                              Yes, I just tried that, a publicly accessible webserver.

                                Derelict LAYER 8 Netgate
                                last edited by Apr 8, 2017, 4:44 AM

                                I merged these. Same topic. Also moving to NAT.


                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Apr 8, 2017, 10:19 AM

                                  Did you forward the ports from the NAT router in front of pfsense? pfsense cannot forward something that never gets to it.

                                  If you cannot figure out what you're doing wrong, look over the troubleshooting doc:
                                  https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                                  If you're trying to simulate coming from the internet by coming from the WAN, that is RFC1918. You're going to have to make sure you uncheck "block RFC1918" on the WAN interface.


                                    lordfurqon
                                    last edited by Apr 8, 2017, 10:56 AM

                                    @Derelict:

                                    I merged these. Same topic. Also moving to NAT.

                                    Is there a solution?

                                      lordfurqon
                                      last edited by Apr 8, 2017, 11:01 AM

                                      @johnpoz:

                                      Did you forward the ports from the NAT router in front of pfsense? pfsense cannot forward something that never gets to it.

                                      If you cannot figure out what you're doing wrong, look over the troubleshooting doc:
                                      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                                      If you're trying to simulate coming from the internet by coming from the WAN, that is RFC1918. You're going to have to make sure you uncheck "block RFC1918" on the WAN interface.

                                      OK, I will try it.
