WebServer behind PFSsense
-
"People here expect the basic knowledge"
Because your typical user wouldn't be running pfSense normally. So you would expect that someone running a firewall distro would have some basic understanding from a networking/firewall point of view. Or why would they have picked something like pfSense, and not just run your typical off-the-shelf SOHO router, where they plug shit in and it's all just PFM to them.
We're happy to help, but really not too many people here are going to have the desire to create step-by-step, follow-the-bouncing-ball how-tos for someone that doesn't get the basics. You would also hope people wanting to take on learning would be able to do their own research on the basics, etc.
-
In order to be efficient about solving your problem, we need pics of your settings and rules to show you where you went wrong. We can't predict what you've done right or wrong without seeing for ourselves. Set up a test router for the class and learn, or not.
https://yourRouter/firewall_nat.php
https://yourRouter/firewall_rules.php?if=wan
https://yourRouter/firewall_rules.php?if=lan
https://yourRouter/interfaces.php?if=wan
https://yourRouter/interfaces.php?if=lan
https://yourRouter/system_gateways.php
https://yourRouter/services_unbound.php
My website and other services work beautifully through pfSense.
-
@johnpoz: My intent wasn't to open a discussion about having or not having basic knowledge. If these remarks were taken in a personal way, I certainly apologize. It wasn't my intent in any manner. I'm also on other IT communities, actively sharing my experience and knowledge with others, even where there is little basic knowledge. I'm, as you said John, more than happy to help. I hope this clarifies my position about this remark, which, I repeat, wasn't personal at all, and I apologize again if it was taken as such. And I thank all of you in advance for sharing your experience and knowledge with everyone in this community.
@corvey: Thank you for your reply as well. Indeed you can't predict, and supporting a started project (at least in my experience) is a very hard thing, particularly if you're not on site. Your suggestion to share screenshots is warmly welcome, so here (starting from scratch, with minor changes such as the HTTPS port from 443 to 8443 for the WebGUI) are the screenshots in your requested order, in the hope this will clarify my actual pfSense config situation.
About your pfSense config with your website and other services, what has your experience been until now concerning updates, maintenance, etc.?
![Screen Shot 2018-03-27 at 10.24.23.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.24.23.png)
![Screen Shot 2018-03-27 at 10.26.19.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.26.19.png)
![Screen Shot 2018-03-27 at 10.32.05.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.32.05.png)
![Screen Shot 2018-03-27 at 10.32.38.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.32.38.png)
![Screen Shot 2018-03-27 at 10.33.03.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.33.03.png)
![Screen Shot 2018-03-27 at 10.34.15.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.34.15.png)
![Screen Shot 2018-03-27 at 10.35.45.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.35.45.png)
-
So you have no port forward set up, and no firewall rules on WAN, so how do you expect to get to this server behind pfSense?
Your WAN is RFC 1918. So if you want, say, the internet to get to this server, you're going to have to port forward at the NAT device in front of pfSense.
So you have not even started anything and you want someone to hold your hand and draw you pictures? And don't even know the basic concept of port forwarding?
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
Also 127.3 ??? So you're using that to obfuscate your public? Then why would you x.x the last part???
NetRange: 127.0.0.0 - 127.255.255.255
CIDR: 127.0.0.0/8
NetName: SPECIAL-IPV4-LOOPBACK-IANA-RESERVED
Sorry, but 127.anything is not an address you can use to get to some webserver other than one running locally on the same machine.
-
Yeah.. I told you I'm starting from scratch.
So here are the first configurations made, in the same order corvey asked for:
https://yourRouter/firewall_nat.php
https://yourRouter/firewall_rules.php?if=wan
https://yourRouter/firewall_rules.php?if=lan
https://yourRouter/interfaces.php?if=wan
https://yourRouter/interfaces.php?if=lan
https://yourRouter/system_gateways.php
https://yourRouter/services_unbound.php
I hope we can fix this issue together, so I can learn something from it and understand where I made my mistakes.
Thanks again guys…
PS: I was remembering the static IP wrong. It begins with 213.3..*
![Screen Shot 2018-03-27 at 15.35.58.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.35.58.png)
![Screen Shot 2018-03-27 at 15.36.28.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.36.28.png)
![Screen Shot 2018-03-27 at 15.39.54.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.39.54.png)
![Screen Shot 2018-03-27 at 15.41.10.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.41.10.png)
![Screen Shot 2018-03-27 at 15.41.35.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.41.35.png)
![Screen Shot 2018-03-27 at 15.42.12.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.42.12.png)
![Screen Shot 2018-03-27 at 15.42.52.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.42.52.png)
-
Your settings are pretty close. Just swap out the red for green on the LAN. If you want to use a FQDN for your internal URL, fill out the host override setting, or else just use the IP directly. I cut and pasted your answers for future reference.
After that, make sure your modem is set to DMZ for your pfSense router. Then go to canyouseeme.org and see if you can hit your webserver's port externally, to see if it's open.
-
Why are you forwarding DNS.. You're running a name server? But you only forwarded TCP? Not going to work.. Nor is that needed for some webserver to be available to the public.
Rules on your LAN?? At a loss here? Leave the rules on LAN at default until you understand what you're doing.. WAN net would NEVER be a source of traffic into the LAN..
If your public IP is 213.. and your pfSense WAN is RFC 1918, then you are behind something else doing the NAT.. So yeah, step 1 is to make sure whatever traffic you want pfSense to forward actually gets to pfSense. So as mentioned, you can put the pfSense WAN IP into some DMZ setting on the NAT router in front of pfSense, or you need to forward on that device the specific ports you need.
And yes, canyouseeme.org will be your friend in checking if these ports you're forwarding are open to the internet.
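As an added example (not from any of the posters and not pfSense's own code), here is a small Python check that applies the diagnostics raised in the last two replies: a WAN address inside RFC 1918 space means pfSense sits behind another NAT device, so the ports have to be forwarded (or the WAN IP placed in the DMZ) on that upstream device; a 127.x address is loopback and reachable only on the host itself; and a port-53 forward that carries only TCP will not serve ordinary DNS clients, which use UDP. The WAN address and the forward rules below are constructed for the example and do not come from the screenshots.

```python
import ipaddress

# RFC 1918 private ranges. A pfSense WAN inside one of these means another NAT
# device sits in front of it (the double-NAT situation in this thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'loopback', 'rfc1918' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:          # 127.0.0.0/8: only this host can reach it
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def check_forwards(wan_ip, forwards):
    """Sanity-check port forwards the way the replies above do.

    forwards: list of dicts with keys 'proto' ('tcp', 'udp' or 'tcp/udp'),
    'port' (int) and 'target' (internal IP string).  Returns a list of
    human-readable findings; an empty list means nothing obviously wrong.
    """
    findings = []
    wan_kind = classify(wan_ip)
    if wan_kind == "loopback":
        findings.append(f"WAN {wan_ip} is loopback; nothing outside this host can reach it")
    elif wan_kind == "rfc1918":
        ports = sorted({(f["proto"], f["port"]) for f in forwards})
        findings.append(
            f"WAN {wan_ip} is RFC 1918: pfSense is behind another NAT device; "
            f"forward {ports} on that device to {wan_ip}, or put {wan_ip} in its DMZ")
    for f in forwards:
        if classify(f["target"]) == "loopback":
            findings.append(
                f"forward {f['proto']}/{f['port']} targets loopback {f['target']}: "
                "only reachable on pfSense itself")
        if f["port"] == 53 and "udp" not in f["proto"].lower():
            findings.append(
                f"forward {f['proto']}/53 has no UDP: DNS clients mostly use UDP, so this will not work")
    return findings


# Constructed sample (hypothetical values, not the poster's configuration):
# a webserver on 8443 and a TCP-only DNS forward, behind a WAN on a 192.168 address.
SAMPLE_WAN_IP = "192.168.1.2"
SAMPLE_FORWARDS = [
    {"proto": "tcp", "port": 8443, "target": "192.168.10.20"},
    {"proto": "tcp", "port": 53, "target": "192.168.10.5"},
]

if __name__ == "__main__":
    for line in check_forwards(SAMPLE_WAN_IP, SAMPLE_FORWARDS):
        print("-", line)
```

Run as-is it reports the double NAT and the TCP-only DNS forward; the classification order matters because Python's `is_private` also counts 127.0.0.0/8 as private, so loopback is tested first and RFC 1918 is matched against the three explicit ranges.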
-
John is right, you do not need DNS rules and probably shouldn't have them. I didn't touch on that subject because the main goal was to get your web server to work. The RFC 1918 rule should have been left blocked on the WAN from the default installation, as shown here from my router.
You can read all about that here: https://doc.pfsense.org/index.php/Prevent_RFC1918_traffic_from_leaving_pfSense_via_the_WAN_interface
-
Thanks @johnpoz
Thanks @corvey
So guys, your hints and feedback helped me a lot in this configuration, and finally I get connected. Just some sites are still "blocked", as the browser notification says "Connection Refused", but I guess this is a smaller further point I have to check in my configuration.
RFC 1918 and Bogon have been set back (to default), blocked on WAN. These minor things I couldn't figure out, mostly because in other posts the suggestion was to disable them. But here as well I guess for other reasons.
I can't for the moment access canyouseeme.org, getting just a blank site at the moment I'm posting this.
UPDATE:
Can't ping -> 8.8.8.8
Can't access some sites (e.g. canyouseeme.org, maas.io)
Can't access my site (private site with a DNS behind pfSense) -> ERROR MESSAGE: "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname."
Plugging other machines into the network, they can't connect (no DHCP offers were received)
Can successfully connect to the Ubuntu MAAS Region Controller
Can visit some sites (google, pfsense, wikipedia)
I'll post the actual situation in a new reply.
-
Without further comment, am I right in saying this should be a gateway issue with this static IP?
I get connected (and successfully updated the pfSense version), but can't get the other machines connected over LAN <-> WAN (inside - outside) online.
![Screen Shot 2018-03-29 at 17.09.23.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.09.23.png)
![Screen Shot 2018-03-29 at 17.12.52.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.12.52.png)
![Screen Shot 2018-03-29 at 17.13.31.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.13.31.png)
![Screen Shot 2018-03-29 at 17.14.21.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.14.21.png)
![Screen Shot 2018-03-29 at 17.15.39.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.15.39.png)
![Screen Shot 2018-03-29 at 17.16.44.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.16.44.png)
![Screen Shot 2018-03-29 at 17.18.16.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.18.16.png)
![Screen Shot 2018-03-29 at 17.20.03.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.20.03.png)