Netgate Discussion Forum
    How to forward port 80 and 443 on pfSense to a (internal) nginx webserver?

CodeNinja (last edited by CodeNinja)

      Yesterday we did a "big bang" firewall switch in our company. Our new firewall is a pfSense server.
Let's say our external IP is 84.1.1.1, pfSense is 192.168.1.1 and our web server IP is 192.168.1.2.


After we made the "big switch", the pfSense interface was responding on https://84.1.1.1. This is not intended, as we want to use https://84.1.1.1 (port 443) for our web server. For this reason I changed the pfSense port from 443 to 444, which "solved" this issue as port 443 is "free" for other services now.

We won't allow access to the pfSense interface from our external IP at all, but that is another problem which is off topic.


Now I want to forward ports 443 and 80 (and in future some more) to servers in our network. For this I first want to explain how I configured the WAN connection, as I noticed something.

I tried to ping (with the pfSense ping diagnostic tool) from WAN1 (our WAN) to the web server. This did not work, which means that my port forwarding also can't work at all. I think that pfSense tries to resolve this ping request via its gateway, so I tried to set the gateway of WAN1 to none, and from this moment on I can ping the web server from WAN1 (via the pfSense ping diagnostic tool).

Question: Do I need to set a gateway on our WAN1? I suppose yes? And if yes, do I need to make some exclusions for the internal network somewhere? Just as extra info, maybe it's required: we have a static IP which hangs directly on pfSense...

      pfSense configuration

      WAN INTERFACE
      	<wan>
      		<if>igb0</if>
      		<descr><![CDATA[WAN1]]></descr>
      		<alias-address></alias-address>
      		<alias-subnet>32</alias-subnet>
      		<spoofmac></spoofmac>
      		<enable></enable>
      		<ipaddr>84.1.1.1</ipaddr>
      		<subnet>30</subnet>
      		<gateway>WAN1GW</gateway>
      	</wan>
      
      GATEWAY
      	<gateways>
      		<defaultgw4>WAN1GW</defaultgw4>
      		<defaultgw6></defaultgw6>
      		<gateway_item>
      			<interface>wan</interface>
      			<gateway>84.1.1.2</gateway>
      			<name>WAN1GW</name>
      			<weight>1</weight>
      			<ipprotocol>inet</ipprotocol>
      			<descr><![CDATA[WAN1 gateway]]></descr>
      		</gateway_item>
      	</gateways>
      	
      OUTBOUND NAT RULES
      	<nat>
      		<outbound>
      			<mode>advanced</mode>
      			<rule>
      				<source>
      					<network>10.128.10.0/24</network>
      				</source>
      				<sourceport></sourceport>
      				<descr><![CDATA[Auto created rule for ISAKMP - AXN_INTRA to WAN1]]></descr>
      				<target></target>
      				<targetip></targetip>
      				<targetip_subnet></targetip_subnet>
      				<interface>wan</interface>
      				<poolopts></poolopts>
      				<source_hash_key></source_hash_key>
      				<staticnatport></staticnatport>
      				<disabled></disabled>
      				<destination>
      					<any></any>
      				</destination>
      				<dstport>500</dstport>
      				<created>
      					<time>1589543460</time>
      					<username><![CDATA[Manual Outbound NAT Switch]]></username>
      				</created>
      				<updated>
      					<time>1591883208</time>
      					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
      				</updated>
      			</rule>
      			<rule>
      				<interface>wan</interface>
      				<source>
      					<network>10.128.11.0/24</network>
      				</source>
      				<dstport>500</dstport>
      				<target></target>
      				<destination>
      					<any></any>
      				</destination>
      				<staticnatport></staticnatport>
      				<descr><![CDATA[Auto created rule for ISAKMP - AXN_SRV to WAN1]]></descr>
      				<created>
      					<time>1589888715</time>
      					<username><![CDATA[Manual Outbound NAT Switch]]></username>
      				</created>
      				<disabled></disabled>
      			</rule>
      			<rule>
      				<source>
      					<network>10.128.20.0/24</network>
      				</source>
      				<sourceport></sourceport>
      				<descr></descr>
      				<target></target>
      				<targetip></targetip>
      				<targetip_subnet></targetip_subnet>
      				<interface>wan</interface>
      				<poolopts></poolopts>
      				<source_hash_key></source_hash_key>
      				<destination>
      					<any></any>
      				</destination>
      				<updated>
      					<time>1590582795</time>
      					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
      				</updated>
      				<created>
      					<time>1590582795</time>
      					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
      				</created>
      			</rule>
      			<rule>
      				<source>
      					<network>10.128.10.0/24</network>
      				</source>
      				<sourceport></sourceport>
      				<descr></descr>
      				<target></target>
      				<targetip></targetip>
      				<targetip_subnet></targetip_subnet>
      				<interface>wan</interface>
      				<poolopts></poolopts>
      				<source_hash_key></source_hash_key>
      				<destination>
      					<any></any>
      				</destination>
      				<updated>
      					<time>1591883222</time>
      					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
      				</updated>
      				<created>
      					<time>1591883222</time>
      					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
      				</created>
      			</rule>
      			<rule>
      				<source>
      					<network>10.128.12.0/24</network>
      				</source>
      				<sourceport></sourceport>
      				<descr><![CDATA[Default NAT rule for axn_cloud]]></descr>
      				<target></target>
      				<targetip></targetip>
      				<targetip_subnet></targetip_subnet>
      				<interface>wan</interface>
      				<poolopts></poolopts>
      				<source_hash_key></source_hash_key>
      				<destination>
      					<any></any>
      				</destination>
      				<created>
      					<time>1589896652</time>
      					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
      				</created>
      				<updated>
      					<time>1590140198</time>
      					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
      				</updated>
      			</rule>
      			<rule>
      				<source>
      					<network>10.128.11.0/24</network>
      				</source>
      				<sourceport></sourceport>
      				<descr><![CDATA[Default NAT rule for axn_srv]]></descr>
      				<target></target>
      				<targetip></targetip>
      				<targetip_subnet></targetip_subnet>
      				<interface>wan</interface>
      				<poolopts></poolopts>
      				<source_hash_key></source_hash_key>
      				<destination>
      					<any></any>
      				</destination>
      				<created>
      					<time>1589888715</time>
      					<username><![CDATA[Manual Outbound NAT Switch]]></username>
      				</created>
      				<updated>
      					<time>1590140250</time>
      					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
      				</updated>
      			</rule>
      		</outbound>
      	</nat>
      

About the forwarding itself, I configured it like this:

As I set "Filter rule association" to "Add associated filter rule" during the creation of the port forward, pfSense automatically created the corresponding/required firewall rule on the WAN1 port.


Question: Do I need some additional configuration to forward ports 443 and 80 besides the configuration I already did (the port forward and the required firewall rules)?

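As an added example (not code from the thread, from pfSense, or from either poster): a Python script that reads a config.xml fragment in the same layout as the snippets above and audits the port forwards for the two things this post is wrestling with, a forwarded port that collides with the port the web configurator is still listening on, and a forward that has no associated pass rule on the WAN interface. The `<nat><rule>`, `<filter><rule>` and `<system><webgui>` element layouts are assumptions about pfSense's config format, and the sample config is constructed (it reuses the thread's addresses and deliberately leaves the GUI on 443).

```python
"""Audit pfSense port forwards from a config.xml fragment (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample. The addresses come from the thread; the <nat><rule>,
# <filter><rule> and <system><webgui> layouts are assumptions about pfSense's
# config.xml, not copied from the post. The GUI is still on 443 here, which is
# exactly the collision the original poster hit.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><port>443</port></webgui></system>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.2</target><local-port>443</local-port>
      <descr><![CDATA[HTTPS to nginx]]></descr>
      <associated-rule-id>nat_https_example</associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.1.2</target><local-port>80</local-port>
      <descr><![CDATA[HTTP to nginx]]></descr>
      <associated-rule-id></associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>192.168.1.2</address><port>443</port></destination>
      <associated-rule-id>nat_https_example</associated-rule-id>
    </rule>
  </filter>
</pfsense>"""


def text(node, path, default=""):
    """Return the stripped text of the first child at `path`, or `default`."""
    child = node.find(path)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def port_set(spec):
    """Expand a pfSense port field ('443' or '80-81') into a set of ints.
    Alias names cannot be resolved from the fragment alone and yield an empty set."""
    if not spec:
        return set()
    lo, _, hi = spec.partition("-")
    if hi:
        return set(range(int(lo), int(hi) + 1)) if lo.isdigit() and hi.isdigit() else set()
    return {int(lo)} if lo.isdigit() else set()


def webgui_port(root):
    """Port the web configurator listens on; pfSense defaults to 443/80 when unset."""
    proto = text(root, "system/webgui/protocol") or "https"
    port = text(root, "system/webgui/port")
    return int(port) if port.isdigit() else (443 if proto == "https" else 80)


def audit_port_forwards(config_xml):
    """Return one finding string per problem; an empty list means the forwards look sane."""
    root = ET.fromstring(config_xml)
    gui_port = webgui_port(root)
    # IDs of pass rules that were generated for (or linked to) a port forward.
    linked_pass = {
        text(r, "associated-rule-id")
        for r in root.findall("filter/rule")
        if text(r, "type") == "pass" and text(r, "associated-rule-id")
    }
    findings = []
    for rule in root.findall("nat/rule"):
        iface = text(rule, "interface")
        descr = text(rule, "descr") or "(no description)"
        dports = port_set(text(rule, "destination/port"))
        if gui_port in dports:
            findings.append(
                f"{descr}: forwards port {gui_port} on {iface}, but the web configurator "
                f"listens on {gui_port} too; move the GUI to a high port first")
        rid = text(rule, "associated-rule-id")
        if rid not in linked_pass:
            findings.append(
                f"{descr}: no associated pass rule on {iface}; the translated traffic "
                f"will hit the interface's default deny")
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a real config.xml export the same two checks apply unchanged; aliases in the port field are deliberately reported as "no ports" rather than guessed, so a forward that uses an alias needs a manual look.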
DaddyGo (last edited by DaddyGo)

        @CodeNinja said in How to forward port 80 and 443 on pfSense to a (internal) nginx webserver?:

        just one comment and one question at a time:

Why don't you put the web server in an "internal protected zone" and run a WAF in front of it (https://www.modsecurity.org/)?

note1: you can put the pfSense port anywhere; it is not advisable to keep it in the lower range (444). Put it in the custom range, 56443, 52443 or anywhere
(scanners are lazy, looking only at lower port ranges, which are trivial)

        note2: you "blackout" things that are not relevant, like

        842deac4-1352-4dc5-8de4-26443f91d92a-image.png

        it remains visible: ☺ ✋

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

CodeNinja @DaddyGo

          @DaddyGo

Why don't you put the web server in an "internal protected zone" and run a WAF in front of it (https://www.modsecurity.org/)?

This is just an example setup. When this works I will set up a proxy in the DMZ which routes traffic to the correct firewall. Though I will definitely take a look at WAF, I don't know this.

note1: you can put the pfSense port anywhere; it is not advisable to keep it in the lower range (444). Put it in the custom range, 56443, 52443 or anywhere

(scanners are lazy, looking only at lower port ranges, which are trivial)

Thanks, I updated the port. I will also disable external access to pfSense in the near future so it's not available from the internet anymore.

          it remains visible:

Damn, how stupid of me, I changed it. Could you please remove the image from your post as well? Thanks in advance!

          just one comment and one question at a time:

Do I need to remove this one and post a new one? Or is it fine for this time?

          I figured out that only forwarding port 443 and 80 is not working as the OpenVPN port forwarding works fine!

DaddyGo @CodeNinja

            @CodeNinja

            the proxy would have been my next suggestion

            Cats bury it so they can't see it!
            (You know what I mean if you have a cat)

CodeNinja @DaddyGo

              @DaddyGo

              the proxy would have been my next suggestion

OK, thanks, but this has nothing to do with the problem I have, does it?
I mean, with or without a proxy, port 443 should be able to be forwarded?

Only port 443 does not work; our OpenVPN server, for example, uses a port in the 2000 range, and that forward works fine as the clients are connecting without any issue.

DaddyGo @CodeNinja

                @CodeNinja

                you understand exactly

                if you use an internal web server, why control the ports?
                what does "internal" mean to you? (intranet)

                443 can be said to be a very well known port ☺

                for example, I use a reverse proxy for certain web or other web-based services (IceCast, etc.)

                Cats bury it so they can't see it!
                (You know what I mean if you have a cat)

CodeNinja @DaddyGo (last edited by CodeNinja)

                  @DaddyGo
OK, I understand what you mean. Maybe "internal" should not be there, as the web server should be accessible from the internet. I meant that it's a server in our own network.

                  Unfortunately i cannot update my question:
                  -> Post content was flagged as spam by Akismet.com

DaddyGo @CodeNinja (last edited by DaddyGo)

                    @CodeNinja

                    in this case, DMZ + WAF will be your good friend
                    something like this that I can suggest:

                    • OS: Debian 10.x (Buster) 64bit
                    • Apache Worker, factory package
                    • Mod Security apache module with OWASP rules, factory package
• PHP-FPM 7.3, or rather 7.4 if it goes with everything, but definitely one version
• PHP can only write where we allow it, i.e. it stays on the www-data user
• firewall inbound to CF IPs is limited to http and https, just as SSH access is also severely limited (http can likely be completely disabled; CF solves the http -> https redirect)
                    • SSH access is password protected + Cert.
• firewall to the outside: by default, everything that is needed (external APIs and their counterparts) is enabled separately
                    • hosting-type access via SFTP, SSH, although shell access may be possible

                    CF = CloudFlare (https://www.cloudflare.com/plans/)

edit: we have had such web servers for years; nothing is secure, but we try to make it that way

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

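An added example to go with the "firewall inbound to CF IPs is limited to http and https" point in the build list above (this is not code from the thread, from DaddyGo, or from any vendor): a Python script that renders the inbound allow-list as an nftables ruleset for the Debian host, and, as the detection counterpart, scans web server access-log lines for requests whose client address is not an edge node, which is the signature of traffic that reached the origin directly instead of through the CDN/WAF. The edge prefixes, the admin host, the ruleset text and the log lines are all constructed placeholders (documentation ranges, not Cloudflare's published list), and `render_nft_allowlist` is an assumption about how that policy would be expressed, not a configuration the poster shared.

```python
"""Detect web requests that reached the origin without passing through the
CDN/WAF edge, and render the matching inbound allow-list (added example)."""
import ipaddress
import re

# Placeholder prefixes standing in for the edge provider's published IP list
# (constructed; documentation ranges, not Cloudflare's real addresses).
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Apache/nginx combined-log prefix: client, ident, user, [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log: two lines come from an address outside the edge ranges.
SAMPLE_LOG = """198.51.100.17 - - [10/Jun/2020:10:01:02 +0200] "GET / HTTP/1.1" 200 5123
203.0.113.45 - - [10/Jun/2020:10:01:09 +0200] "GET /admin HTTP/1.1" 200 2311
198.51.100.88 - - [10/Jun/2020:10:02:40 +0200] "POST /api/login HTTP/1.1" 401 98
2001:db8:cf::1 - - [10/Jun/2020:10:03:00 +0200] "GET /robots.txt HTTP/1.1" 200 30
203.0.113.45 - - [10/Jun/2020:10:03:15 +0200] "GET /status HTTP/1.1" 404 196
this line is not an access-log record and is skipped"""


def is_edge(src, ranges=EDGE_RANGES):
    """True if `src` parses as an IP address inside one of the edge ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def parse_line(line):
    """Return the fields of one access-log line, or None for unparseable input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_origin_bypass(lines, ranges=EDGE_RANGES):
    """Requests whose client is not an edge node: the origin is directly reachable."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and not is_edge(rec["src"], ranges):
            hits.append(rec)
    return hits


def render_nft_allowlist(ranges=EDGE_RANGES, admin_host="192.0.2.10"):
    """nftables ruleset admitting 80/443 only from the edge and SSH only from one
    admin host. `admin_host` is a placeholder, and the ruleset is an assumption
    about how the thread's policy would look on the Debian box; it expects at
    least one IPv4 and one IPv6 prefix so neither set is empty."""
    v4 = ", ".join(str(n) for n in ranges if n.version == 4)
    v6 = ", ".join(str(n) for n in ranges if n.version == 6)
    return f"""table inet origin {{
  set edge4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}
  set edge6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr @edge4 tcp dport {{ 80, 443 }} accept
    ip6 saddr @edge6 tcp dport {{ 80, 443 }} accept
    ip saddr {admin_host} tcp dport 22 accept
  }}
}}"""


if __name__ == "__main__":
    for rec in find_origin_bypass(SAMPLE_LOG.splitlines()):
        print(f"direct-to-origin: {rec['src']} {rec['req']} -> {rec['status']}")
    print(render_nft_allowlist())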
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.