Allowing HTTPS 443 traffic only - not working
-
@johnpoz said in Allowing HTTPS 443 traffic only - not working:
@automatted said in Allowing HTTPS 443 traffic only - not working:
Is there anything else that needs to be done?
Show us the actual rules. If you were trying to access this box from say your lan with the default any any rules you would be able to access it just fine, as long as it uses pfsense IP in the vlan as its gateway to get back to you.
I'm not trying to access the box (I can access it fine through MS RDP 3389 since that port is open as well, that's not an issue). The box itself needs to access HTTPS websites only, but opening port 443 doesn't allow that to work.
-
So then look at your firewall log and see what's being blocked on that vlan. Are you blocking DNS as well?
But opening port 443 for HTTPS doesn't allow HTTPS websites to load (browser) or be pinged.
Ping aka ICMP:EchoRequest is not a tcp protocol and does not use port 443.
-
Well you would also need dns to be able to resolve https://www.something.com
And yeah, trying to ping www.something.com is not going to work either without icmp being allowed, and being able to resolve it, unless you're just wanting to ping the IP directly. Then you only need to allow icmp..
-
Here's a screenshot of the rules on that VLAN, and yes I know some are disabled for now but that's not the issue.
As you can see I have an allow 443 rule for the IP/alias I want to access HTTPS

-
And there are ZERO hits on that current rule.. So no rule never triggered... What is in your camserv alias table? Look under diag
And I guess hitting an IP, and not trying to resolve anything. Since you are not allowing dns when you had hits on your https rule
-
@johnpoz the alias is just one single IP
When the allow all rule for that alias is enabled as it is now, HTTPS loads fine. When I disable that rule and enable the port 443 rule - HTTPS does not work.
So what am I missing? Do I need to do something on the WAN?
-
Show the rule that DOES NOT work.
Show the contents of the alias.
Explain exactly where you are testing from, testing to, and exactly how you are testing.
-
well when you have an ANY rule dns works for starters ;)
-
@Derelict said in Allowing HTTPS 443 traffic only - not working:
Show the rule that DOES NOT work.
Show the contents of the alias.
Explain exactly where you are testing from, testing to, and exactly how you are testing.
The rule that does not work is shown above, it's the 3rd one down.
The alias only has one IP of the same VLAN
I am testing from the IP in the alias by opening a browser and going to any HTTPS website
-
@johnpoz said in Allowing HTTPS 443 traffic only - not working:
well when you have an ANY rule dns works for starters ;)
Yes, the allow any rule allows https to work, but why does the 443 only rule not allow it to work? Do I need to allow something else?
-
DNS is TCP/UDP port 53.
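
The point made across the replies, as an added example that is not part of the thread: a small model of first-match pass rules with a default deny, evaluated against the traffic a host sends when a browser opens an HTTPS site by name and when it pings. The host address, the rule sets and the simplified matching (pass rules only, source and destination port) are assumptions constructed for illustration, not the poster's actual pfSense configuration.

```python
# Added example: models pass rules on an interface with an implicit default deny.
# All addresses and rule sets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR form
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Flow:
    label: str
    proto: str
    src: str
    dport: Optional[int] = None

def allowed(flow, rules):
    """Return True if a pass rule matches; otherwise the default deny applies."""
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if ip_address(flow.src) not in ip_network(r.src):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return True
    return False

HOST = "192.168.30.10"  # constructed stand-in for the single IP in the alias

# What the host sends when a browser opens https://www.something.com, plus a ping
FLOWS = [
    Flow("DNS lookup", "udp", HOST, 53),
    Flow("HTTPS connection", "tcp", HOST, 443),
    Flow("ping (ICMP echo request)", "icmp", HOST),
]

ONLY_443 = [Rule("tcp", HOST + "/32", 443)]
WITH_DNS = ONLY_443 + [Rule("udp", HOST + "/32", 53), Rule("tcp", HOST + "/32", 53)]
WITH_DNS_ICMP = WITH_DNS + [Rule("icmp", HOST + "/32")]

def blocked(rules):
    """Labels of the flows that no pass rule matches."""
    return [f.label for f in FLOWS if not allowed(f, rules)]

if __name__ == "__main__":
    for name, rules in [("443 only", ONLY_443), ("443 + DNS", WITH_DNS),
                        ("443 + DNS + ICMP", WITH_DNS_ICMP)]:
        print(f"{name}: blocked -> {blocked(rules)}")
```

With the 443-only rule set the HTTPS connection itself is permitted, but the name lookup that has to happen first is not, which matches the symptom described in the thread.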