Netgate Discussion Forum

Allowing HTTPS 443 traffic only - not working

13 Posts 4 Posters 1.3k Views
automatted (Aug 16, 2019, 2:42 PM)

    I have a server on a VLAN that has the default block all rule enabled. I want it to only have FTP access and HTTPS website access.

    Opening port 21 and 1025-* for FTP with a TCP allow rule works great.

But opening port 443 for HTTPS doesn't allow HTTPS websites to load (browser) or be pinged.

    Is there anything else that needs to be done?

johnpoz, LAYER 8 Global Moderator (Aug 16, 2019, 2:55 PM)

      @automatted said in Allowing HTTPS 443 traffic only - not working:

      Is there anything else that needs to be done?

Show us the actual rules. If you were trying to access this box from, say, your LAN with the default any-any rules, you would be able to access it just fine, as long as it uses the pfSense IP in the VLAN as its gateway to get back to you.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

automatted, replying to @johnpoz (Aug 16, 2019, 3:00 PM)

        @johnpoz said in Allowing HTTPS 443 traffic only - not working:

        @automatted said in Allowing HTTPS 443 traffic only - not working:

        Is there anything else that needs to be done?

        Show us the actual rules. If you were trying to access this box from say your lan with the default any any rules you would be able to access it just fine, as long as it uses pfsense IP in the vlan as its gateway to get back to you.

I'm not trying to access the box (I can access it fine through MS RDP 3389 since that port is open as well, so that's not an issue). The box itself needs to access HTTPS websites only, but opening port 443 doesn't allow that to work.

KOM (Aug 16, 2019, 3:27 PM)

          So then look at your firewall log and see what's being blocked on that vlan. Are you blocking DNS as well?

But opening port 443 for HTTPS doesn't allow HTTPS websites to load (browser) or be pinged.

          Ping aka ICMP:EchoRequest is not a tcp protocol and does not use port 443.

johnpoz, LAYER 8 Global Moderator (Aug 16, 2019, 3:39 PM; edited 3:40 PM)

            Well you would also need dns to be able to resolve https://www.something.com

And yeah, trying to ping www.something.com is not going to work either without ICMP being allowed, and without being able to resolve it, unless you're just wanting to ping the IP directly. Then you only need to allow ICMP.

automatted (Aug 18, 2019, 8:20 PM)

Here's a screenshot of the rules on that VLAN, and yes, I know some are disabled for now, but that's not the issue.

As you can see, I have an allow 443 rule for the IP/alias I want to access HTTPS.

[Screenshot: Screen Shot 2019-08-16 at 10.10.44 PM.png, the firewall rules on the VLAN; image not available]

johnpoz, LAYER 8 Global Moderator (Aug 18, 2019, 8:50 PM; edited 8:53 PM)

And there are ZERO hits on that current rule... So no, the rule never triggered... What is in your camserv alias table? Look under Diag.

And I guess you were hitting an IP, and not trying to resolve anything, since you are not allowing DNS, when you had hits on your HTTPS rule.

automatted, replying to @johnpoz (Aug 18, 2019, 9:01 PM)

@johnpoz the alias is just one single IP.

When the allow all rule for that alias is enabled, as it is now, HTTPS loads fine. When I disable that rule and enable the port 443 rule, HTTPS does not work.

                  so what am I missing? Do I need to do something on the WAN?

Derelict, LAYER 8 Netgate (Aug 18, 2019, 9:09 PM)

                    Show the rule that DOES NOT work.

                    Show the contents of the alias.

                    Explain exactly where you are testing from, testing to, and exactly how you are testing.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz, LAYER 8 Global Moderator (Aug 18, 2019, 9:10 PM)

Well, when you have an ANY rule, DNS works, for starters ;)

automatted, replying to @Derelict (Aug 18, 2019, 10:14 PM)

                        @Derelict said in Allowing HTTPS 443 traffic only - not working:

                        Show the rule that DOES NOT work.

                        Show the contents of the alias.

                        Explain exactly where you are testing from, testing to, and exactly how you are testing.

The rule that does not work is shown above; it's the 3rd one down.

The alias only has one IP, on the same VLAN.

I am testing from the IP in the alias by opening a browser and going to any HTTPS website.

automatted, replying to @johnpoz (Aug 18, 2019, 10:16 PM)

                          @johnpoz said in Allowing HTTPS 443 traffic only - not working:

Well, when you have an ANY rule, DNS works, for starters ;)

Yes, the allow any rule allows HTTPS to work, but why does the 443-only rule not allow it to work? Do I need to allow something else?

Derelict, LAYER 8 Netgate (Aug 18, 2019, 10:18 PM)

                            DNS is TCP/UDP port 53.


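To make the thread's conclusion concrete, here is an added example (not code from the thread or from pfSense) with a small first-match rule evaluator that replays the three rule sets discussed above against the flows a browser and a ping actually generate; the host address standing in for the "camserv" alias is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example host standing in for the thread's single-IP "camserv" alias.
CAMSERV = "10.10.20.50"

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", "icmp"; None matches any protocol
    src: Optional[str]     # source address; None matches any
    dport: Optional[int]   # destination port; None matches any (and ICMP)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: Optional[int] = None  # ICMP carries no port

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt):
    """First match wins, top to bottom, as on a pfSense interface; anything
    unmatched falls through to the interface's implicit default block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

def check(rules, flows):
    """Verdict per flow that one client action needs; the action only works if all pass."""
    return {name: evaluate(rules, pkt) for name, pkt in flows.items()}

# What "open a browser and go to an HTTPS site" really sends: a DNS query first
# (UDP 53, plus TCP 53 for truncated answers), then the TLS connection on TCP 443.
BROWSE_HTTPS = {"dns/udp53": Packet("udp", CAMSERV, 53),
                "dns/tcp53": Packet("tcp", CAMSERV, 53),
                "https/tcp443": Packet("tcp", CAMSERV, 443)}
# "ping www.something.com": a DNS query, then ICMP echo, which is not TCP and has no port.
PING_BY_NAME = {"dns/udp53": Packet("udp", CAMSERV, 53), "icmp echo": Packet("icmp", CAMSERV)}

HTTPS_ONLY = [Rule("pass", "tcp", CAMSERV, 443)]   # the thread's "3rd rule down"
ALLOW_ANY = [Rule("pass", None, CAMSERV, None)]    # the rule that "works"
# Least-privilege replacement: HTTPS plus exactly the DNS and ICMP the thread identified.
HTTPS_DNS_ICMP = [Rule("pass", "tcp", CAMSERV, 443), Rule("pass", "udp", CAMSERV, 53),
                  Rule("pass", "tcp", CAMSERV, 53), Rule("pass", "icmp", CAMSERV, None)]
```

Running `check(HTTPS_ONLY, BROWSE_HTTPS)` shows the 443 flow passing while both DNS flows are blocked, which is exactly the pattern to look for in the firewall log as KOM suggested.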
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.