Configuring pfsense to be able to access a LAN VM from the internet



  • Hello fellow pfsense users!

    What I am trying to achieve seems rather simple but I am missing some fundamentals to properly understand the topic and most of all, keep things secure and safe.

    I have several VMs running on a proxmox server (KVM).  Most (not all) of them run local instances of apache for web services.  Everything is configured for local (LAN) access only since I never needed to be able to access anything from the internet.  To access whatever's running on VM1 (from LAN only!), I simply launch a web browser and type, for example to log in to my coppermine gallery:

    https://virtual-machine-fqdn/whatever/login.php

    Now to my specific questions:

    1) If all of the web services were running on the same apache server (and the same VM), I would use VHOSTS and I would port forward 443 or 80 from the web to the local VM (I guess?).  But since there are several servers on LAN having port 80 & 443 opened, how would outsiders access a specific server on my LAN?

    For example if my storage server is storage01, and my coppermine gallery is gallery01, would accessing the coppermine gallery work like this (assuming gallery01 can serve https content)?

    https://my-domain.com/gallery01/login.php

    In other words, if I had 2 servers with port 443 opened and I wanted to be able to access one of them from outside, how would pfsense know which server to forward the request to?

    2) Using "gallery01" as an example, would a simple port forward like this work?

    Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP     NAT Ports
    WAN        TCP       *               *             WAN address    80           gallery01  80
    WAN        TCP       *               *             WAN address    443          gallery01  443

    3) Is https encryption provided by pfsense or by the server behind it?  I assume pfsense only acts as a pass-thru (port forward) and the actual server is responsible for the protocol?

    That should get me going… Thanks!



  • OK, according to my quick research, I would need a reverse proxy for the multiple servers behind pfsense ….

    I do not need this at this moment, so let's assume I only need to get ONE server visible on the web.

    I tried proceeding with port forward, and in the past for a FTP server it worked, so I thought I could reuse my NAT and FW rules and just replace the internal server IP and port ranges, but it's not working.

    Actually, the incoming connections are being blocked by the firewall:

    Aug 7 10:26:12 WAN XXX.XXX.XXX.XXX:3269 YYY.YYY.YYY.YYY:443 TCP:S

    (where XXX=external IP from the internet client, and YYY=my public WAN IP)

    The trigger rule is:  "@149(1460372775) block drop in log quick on em5 reply-to (em5 YYY.YYY.YYY.YYY) inet all label "USER_RULE: Default Deny Rule""

    Attached are my NAT and FW rules.  Spot a problem there??

    EDIT:  Screenshots see post 4


  • LAYER 8 Global Moderator

    "Spot a problem there?? "

    Couple of things, the fact that you're hiding your NAT IP??  This is RFC1918 space, I have to assume, so then why are you hiding it??

    Also your dest on your wan rules does not seem to be wan address.. So yeah that is wrong.  But not 100% sure since you're also hiding this?  Why would you hide something that said wan address?



  • Thanks for replying!

    What I believe you refer to as the NAT IP is the IP blacked out in the NAT screenshot?  That would simply be my local owncloud server (192.168.0.13).  Not sure why I blacked it out, must have been out of the habit of obfuscating details when posting online.

    The Destination on the WAN rule is the IP of the internal owncloud server.  The WAN rule was auto-created by the NAT rule (I selected "create a FW rule" instead of just "Pass").

    See screenshots





  • LAYER 8 Global Moderator

    Well, now you have an alias that could be failing.

    This really is clickity clickity..

    I would delete what you have and do a clean setup of the port forward.. If it takes more than 10 seconds to do and get working, you're doing something wrong!!!  Or the traffic is not even getting to you.  It really is click click..  So you're running pfblocker; are you running anything like snort?




  • Yep, I must have been doing it right since the beginning, but pfblocker having crashed was still blocking incoming connections (still has to be determined why)…

    After completely killing pfblocker and rebooting pfsense, the port forward has been working fine for 4 days now..

    Thanks Johnpoz for pointing out pfblocker in your last post, and thanks for the help!

