WebServers behind two pfSenses do not work
-
Guys,
This is my scenario. Please note IPs are changed for security purposes.
This is my topology:
DATA CENTER
----------
10.20.0.0/23 - servers (netmask 255.255.254.0)
10.20.0.254 - pfsense 2.2.2-RELEASE
Suppose a web server with IP 10.20.1.6 under Linux/Apache.
OFFICE
10.20.4.0/24 - desktops (netmask 255.255.255.0)
10.20.4.254 - pfsense 2.2.6-RELEASE
Suppose a desktop with IP 10.20.4.100 with Windows.
DATA CENTER and OFFICE are both connected through a LAN-to-LAN link.
When connecting from the OFFICE into the DATA CENTER, everything works except HTTP (port 80).
I have been battling with this for days without any clue as to why this is happening. If I do a tcpdump on the web server hosted in the data center I can see traffic from the host at 10.20.4.100, but when capturing those packets on both pfSense firewalls all of them are 0 in length.
If I try ping, traceroute, and everything else targeting that server, it all works. I can SSH to that host and all. But no HTTP.
If I use any machine at the DATA CENTER, I can successfully connect and browse the server at 10.20.1.6.
Thoughts?
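As an added example (not code from the original thread or from pfSense): a small Python script that summarises `tcpdump -nn` text output per destination port, so that a flow which completes the handshake but never carries a payload byte (the "all packets are 0 in length" symptom above) stands out next to ports that exchange data. It goes slightly beyond the single case in the post by also flagging unanswered SYNs and resets. The capture lines are constructed sample data, not the poster's real traffic; feed it `tcpdump -nn -r capture.pcap` output to use it on a real capture.

```python
"""Summarise TCP flows from `tcpdump -nn` text output and classify each one,
so a port whose packets are all zero-length stands out from working ports."""
import re
import sys

# Matches the usual `tcpdump -nn` line for IPv4 TCP packets.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*length (?P<length>\d+)$"
)

# Constructed sample capture (tcpdump -nn format), not real traffic from the thread:
# port 80 handshakes but carries no data, port 443 works, port 8080 never answers.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 10.20.4.100.51234 > 10.20.1.6.80: Flags [S], seq 100, win 64240, length 0
10:00:00.000300 IP 10.20.1.6.80 > 10.20.4.100.51234: Flags [S.], seq 500, ack 101, win 65160, length 0
10:00:00.000600 IP 10.20.4.100.51234 > 10.20.1.6.80: Flags [.], ack 501, win 502, length 0
10:00:01.000600 IP 10.20.4.100.51234 > 10.20.1.6.80: Flags [.], ack 501, win 502, length 0
10:00:05.000001 IP 10.20.4.100.51240 > 10.20.1.6.443: Flags [S], seq 200, win 64240, length 0
10:00:05.000300 IP 10.20.1.6.443 > 10.20.4.100.51240: Flags [S.], seq 600, ack 201, win 65160, length 0
10:00:05.000600 IP 10.20.4.100.51240 > 10.20.1.6.443: Flags [.], ack 601, win 502, length 0
10:00:05.000900 IP 10.20.4.100.51240 > 10.20.1.6.443: Flags [P.], seq 201:718, ack 601, win 502, length 517
10:00:05.001200 IP 10.20.1.6.443 > 10.20.4.100.51240: Flags [P.], seq 601:1500, ack 718, win 509, length 899
10:00:09.000001 IP 10.20.4.100.51250 > 10.20.1.6.8080: Flags [S], seq 300, win 64240, length 0
10:00:10.000001 IP 10.20.4.100.51250 > 10.20.1.6.8080: Flags [S], seq 300, win 64240, length 0
"""

DESCRIPTIONS = {
    "RESET": "connection reset (something actively refused or tore it down)",
    "NO_SYNACK": "SYN never answered (server unreachable, filtered, or reply dropped on the path)",
    "ZERO_PAYLOAD": "handshake completed but zero payload bytes either way (check proxy/NAT/MTU on the path)",
    "NO_SERVER_DATA": "client sent data but the server never answered",
    "OK": "data exchanged in both directions",
}


def summarize_flows(capture_text):
    """Return {(client, cport, server, sport): counters} for every TCP flow seen.

    The first packet of a flow defines which side is the client; later packets are
    matched in either direction so counters land on the same flow."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparsable line
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags, length = m["flags"], int(m["length"])
        if (src, sport, dst, dport) in flows:
            key, from_client = (src, sport, dst, dport), True
        elif (dst, dport, src, sport) in flows:
            key, from_client = (dst, dport, src, sport), False
        else:
            key, from_client = (src, sport, dst, dport), True
            flows[key] = {"syn": False, "synack": False, "rst": False,
                          "packets": 0, "client_bytes": 0, "server_bytes": 0}
        st = flows[key]
        st["packets"] += 1
        if "S" in flags and "." not in flags and from_client:
            st["syn"] = True          # bare SYN from the client
        if "S" in flags and "." in flags and not from_client:
            st["synack"] = True       # SYN-ACK from the server
        if "R" in flags:
            st["rst"] = True
        st["client_bytes" if from_client else "server_bytes"] += length
    return flows


def classify(st):
    """Map one flow's counters to a short diagnosis code (see DESCRIPTIONS)."""
    if st["rst"]:
        return "RESET"
    if st["syn"] and not st["synack"]:
        return "NO_SYNACK"
    if st["synack"] and st["client_bytes"] == 0 and st["server_bytes"] == 0:
        return "ZERO_PAYLOAD"
    if st["client_bytes"] > 0 and st["server_bytes"] == 0:
        return "NO_SERVER_DATA"
    return "OK"


def report(capture_text):
    """Group diagnosis codes by server port so the odd port is easy to spot."""
    out = {}
    for (_client, _cport, _server, sport), st in summarize_flows(capture_text).items():
        out.setdefault(sport, []).append(classify(st))
    return out


if __name__ == "__main__":
    # Read tcpdump text from stdin if piped in, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for port, codes in sorted(report(text).items()):
        for code in codes:
            print(f"dst port {port:>5}: {code:<14} {DESCRIPTIONS[code]}")
```

Run it with `tcpdump -nn -r capture.pcap | python3 flowcheck.py` on a capture taken on the web server and again on each pfSense; comparing where the port-80 flow stops exchanging payload narrows the fault to one hop.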
-
Thoughts?
You should try posting your questions in one of the many support forums that you had to scroll past to get to this General Discussion forum. Try General Questions or NAT.
If you're running the pfSense WebGUI on 80/tcp (which is the default), you can't use its WAN IP address to forward an HTTP server on port 80. Either use a Virtual IP and forward your web server using that, or change the WebGUI port to something other than 80, or access your web server using HTTPS.
-
All is being done locally. This is not for external access.
-
I probably misread your description. When you said that HTTP doesn't work, I assumed you meant that you were trying to connect from an OFFICE computer to a DATACENTER web server, and couldn't connect. Could you elaborate please?
-
I do not really understand the configuration. Is this a NAT?
Is the pfSense management on port 80?
-
Yeah I'm not clear on what's the issue either.
-
@KOM:
I probably misread your description. When you said that HTTP doesn't work, I assumed you meant that you were trying to connect from an OFFICE computer to a DATACENTER web server, and couldn't connect. Could you elaborate please?
That is correct. HTTP servers with port 80 at the DATACENTER cannot be accessed from the OFFICE. If I use port 443 on those same servers I can access all of them from the OFFICE.
-
When you say "LAN-to-LAN link", you just mean some form of point-to-point L2 connection?
So you have an interface on pfsense that you put some transit IP range on - see attached simple drawing.
So you are not NATing to this transit? Are you using any transparent proxy on either pfSense on these interfaces? What are the firewall rules on these interfaces on each pfSense, on the transit network, any sort of floating rules? What are the static routes you created on each pfSense for the different networks? I assume your routing is correct since you say all works other than 80.
Maybe an issue with using a proxy, or your NATing? It always helps to have the full picture of the setup to try and figure out what is not right.