WebServer behind pfSense



  • Hello folks

    Trying to configure a small WebServer behind pfSense.

    • Can Access the WebGUI
    • LAN and WAN Traffic Graph show some movement
    • Interface looks good
    • Gateways Seems to be online

    But I can't access anything. Also, the server behind PFSense can't connect to the Internet.
    I know I made a mistake, but I can't figure it out.

    Any hints?



  • One post is enough to get your question answered.

    https://forum.pfsense.org/index.php?topic=145597.0

    https://forum.pfsense.org/index.php?topic=145599.msg792021#msg792021

    Forward ports 80 and 443 if you are using SSL to the IP address of your webserver.



  • @GianniAlagna:

    As well the server Behind PFSense can't connect to Internet.

    Well, that's glaring problem #1. That's like step #0. Go through those links given, I guess, and see what's wrong.

    Once you can get out, THEN LAN-to-LAN test the server (not even going through the FW), then once that's working THEN do the "make a hole in the FW" or set up a DMZ.



  • Provide details of your pfSense LAN config (IP address, netmask), as well as the network settings for your web server (IP address, netmask, gateway, DNS).



  • Do you have a gateway for the web server?  If you can get to the pfSense GUI from it but not past it, maybe you just don't have a Gateway?



  • Have you added a NAT rule to allow internet traffic to hit the internal IP?



    1. @Jailer:
      Sorry for crossposting, wasn't sure the question was in the right place. I'll remove the other one on "Installation".
      Concerning ports 80 & 443: already configured as SSL.

    2. @SammyWoo: @KOM: @Stewart
      I'll post the configuration later on (don't know why I can't access either the modem or the PFSense).

    3. @acascianelli:
      Nope, no NAT configured, referring you to answered question 2).

    What I'm doing right now: starting again from scratch… I'll start over with you guys!



  • So this is what I'm doing right now, at this moment:

    Reset my modem and will configure it this way:

    IP: 192.168.1.1 to 192.168.0.1
    Subnet Mask: 255.255.0.0
    Gateway: 192.168.0.1
    DHCP: Disabled

    This is how my intent is to configure PFSense:

    IP (LAN): 192.168.1.1
    Subnet: 255.255.255.0
    Gateway (LAN): 192.168.1.1
    DHCP: Disabled
    IP (WAN): 100.95.76.22
    Gateway (WAN): 100.95.76.21
    DHCP: Disabled
    DNS Server 127.0.0.1, 195.186.4.162, 195.186.1.162
    Admin Access -> TCP Port 8443
    Interfaces -> LAN -> IPv4 Address (Static IPv4) -> 192.168.1.1 /24
    Interfaces -> LAN -> IPv4 Upstream gateway -> NONE
    Interfaces -> WAN -> IPv4 Address (Static IPv4) -> 100.95.76.22 /24
    Interfaces -> WAN -> IPv4 Upstream gateway -> 100.95.76.22
    Services -> DNS resolver -> Enabled

    Trying as well to configure my personal static IP address (127.3..), but I guess I have to redirect the AAA host from the provider to my WAN (hope I'm not wrong)!

    Until now I guess everything looks fine, doesn't it?



  • Those IPs don't make sense. One glaring error, ANY 192 IP is class C and should have a /24 mask, not /16 as u detailed.

    In general:

    (W1)Modem(L1)----(W2)pFsense(L2)----(L3)WebServer and other clients.

    W1 IP is provided by ISP.

    L1 may be selectable/configurable depending on exactly what modem this is. Dumb modem, bridge mode, no NAT here is best, because pFsense will also be doing NAT, and the modem doing NAT too (double NAT) will induce complications.

    L1 and W2 MUST be on the same subnet. The easiest thing here is to let pFsense ASK for a W2 IP, but then again it depends on whether the modem will let it. If you manually configured the IP here, once again L1 and W2 MUST be on the same subnet.

    L2 and L3, same thing, must be on the same subnet.  Whether you DHCP here or static or a combo.

    After you are all done, web server IP typically will be:

    IP:  same subnet as L2.
    Gateway:  L2.
    DNS:  L2, using pFsense DNS service.

    Subnet, sometimes also segment, is a hard, fixed IP construct; u must adhere to its rules before anything will work.



  • @SammyWoo:

    Those IPs don't make sense. One glaring error, ANY 192 IP is class C and should have a /24 mask, not /16 as u detailed.

    In general:

    (W1)Modem(L1)----(W2)pFsense(L2)----(L3)WebServer and other clients.

    W1 IP is provided by ISP.

    L1 may be selectable/configurable depending on exactly what modem this is. Dumb modem, bridge mode, no NAT here is best, because pFsense will also be doing NAT, and the modem doing NAT too (double NAT) will induce complications. If the modem must NAT, then by God you must have enough access to this modem to configure port forwarding for web server hosting to work.

    L1 and W2 MUST be on the same subnet. The easiest thing here is to let pFsense ASK for a W2 IP, but then again it depends on whether the modem will let it. If you manually configured the IP here, once again L1 and W2 MUST be on the same subnet.

    L2 and L3, same thing, must be on the same subnet.  Whether you DHCP here or static or a combo.

    After you are all done, web server IP typically will be:

    IP:  same subnet as L2.
    Gateway:  L2.
    DNS:  L2, using pFsense DNS service.

    Subnet, sometimes also segment, is a hard, fixed IP construct; u must adhere to its rules before anything will work.



  • Thanks for the reply SammyWoo…

    Maybe explaining what my intent is would help you help me out :D

    So I got a fixed IP from my provider (127.3..); my plan is to forward all my services over this 127 address.
    My intent is to introduce PFSense to help me out protecting my stuff from external access. Said that...

    What would you suggest I configure for my services, and I'd very much appreciate the HOW (please step by step, so as to improve my learning curve, because firewalling is very interesting).
    Further, I have an Ubuntu MAAS structure behind PFSense (as a kind of very small but nonetheless advanced personal cloud).

    I can follow your arguments, but just partly...
    Thank you so much...

    I'm actually thinking of a graphical situation like this one:

    Internet <-> (WAN) - Modem - (LAN)        [1 LEVEL]
                                   |
                    +--------------+
                    |
              (WAN) - PFSense - (LAN)         [1 LEVEL]
                                   |
                    +--------------+
                    |
              (LAN) - WebServer               [3 LEVEL]

    Is that right?

    If the graphical situation above is right, SammyWoo, then I guess I have the following configuration:
    W1 = 213.3..* (External Static IP)
    L1  = 192.168.0.1

    W2 = 100.95.76.22
    L2  = ??

    L3  = ??
    I can enable bridge mode on the modem (PPPoE)… so bridge mode, OK.



  • @GianniAlagna:

    HOW (Please Step by Step, so to improove my learning curve

    Ah, problem is, this forum is really specifically about pFsense. Once in a while members will throw you a couple of pieces to unstick you, but for step-by-step basic IP stuff folks here kinda expect you to already come with that knowledge.

    If you already have a LAN, with laptops, WIFI blah-blah, you already have the basic infrastructure in. All (easy to say) you have to do is:

    1. Insert a box, running web serving software, and give it a static IP.
    2. Whichever box is doing NAT, you need to configure PORT FORWARD on it. In this sense pFsense is no different than a Linksys router/firewall.
    3. If that 127 address the ISP gave you is static you are all set, but if it's dynamic then most people want to setup a DDNS service with somebody. Registering for DDNS can be a bit confusing at first.

    Because of 2. I don't know whether you will be able to get all the basic stuff from this site.



  • Thx for the reply SammyWoo

    I agree with you, but a community forum is there to help each other, so I get confused about "People here expect the basic knowledge".
    By the way, I tried to PPPoE passthrough the port directly to PFSense, and tried, as per your hint, to put the subnets of the related connections on the same mask.
    Result, no connection to anything… Guess I have to start again from scratch.

    Thx anyway


  • Rebel Alliance Global Moderator

    "People here expect the basic knowledge"

    Because your typical user wouldn't be running pfsense normally. So you would expect that someone running a firewall distro would have some basic understanding from a networking/firewall point of view. Or why would they have picked something like pfsense, and not just run your typical user off-the-shelf SOHO router, where they plug shit in and it's all just PFM to them.

    We're happy to help, but really not too many people here are going to have the desire to create step-by-step, follow-the-bouncing-ball how-to's for someone that doesn't get the basics.. You would also hope people wanting to take on learning would be able to do their own research on the basics, etc.



  • In order to be efficient about solving your problem, we need pics of your settings and rules to show you where you went wrong. We can't predict what you've done right or wrong without seeing for ourselves. Set up a test router for the class and learn, or not.

    https://yourRouter/firewall_nat.php
    https://yourRouter/firewall_rules.php?if=wan
    https://yourRouter/firewall_rules.php?if=lan
    https://yourRouter/interfaces.php?if=wan
    https://yourRouter/interfaces.php?if=lan
    https://yourRouter/system_gateways.php
    https://yourRouter/services_unbound.php

    My website and other services work beautifully through PFsense.



  • @johnpoz: My intent wasn't to open a discussion about having or not having basic knowledge. If these remarks were taken in a personal way, I certainly apologize. It wasn't my intent in any way. I'm also on other IT communities, actively sharing my experience and knowledge with others, even where there is low basic knowledge. I'm, as you said John, more than happy to help. Hope this clarifies my position about this remark, which, and I repeat, wasn't personal at all, and I apologize again if it was taken as such. And I thank all of you in advance for sharing your experience and knowledge with all in this community.

    @corvey: Thank you for your reply as well. Indeed you can't predict, and supporting an already started project (at least in my experience) is a very hard thing, particularly if you're not on site. Your suggestion to share screenshots is warmly welcome, so here (starting from scratch, with minor changes such as the https port from 443 to 8443 for the WebGUI) are the screenshots in your requested order, in the hope this will clarify my actual PFSense config situation.

    About your PFSense config with your website and other services, what was your experience until now, concerning updates, maintenance, etc.?

    ![Screen Shot 2018-03-27 at 10.24.23.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.24.23.png)
    ![Screen Shot 2018-03-27 at 10.26.19.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.26.19.png)
    ![Screen Shot 2018-03-27 at 10.32.05.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.32.05.png)
    ![Screen Shot 2018-03-27 at 10.32.38.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.32.38.png)
    ![Screen Shot 2018-03-27 at 10.33.03.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.33.03.png)
    ![Screen Shot 2018-03-27 at 10.34.15.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.34.15.png)
    ![Screen Shot 2018-03-27 at 10.35.45.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 10.35.45.png)


  • Rebel Alliance Global Moderator

    So you have no port forward set up.. And no firewall rules on wan, so how do you expect to get to this server behind pfsense?

    Your wan is rfc1918 - So if you want, say, the internet to get to this server, you're going to have to port forward at the nat device in front of pfsense.

    So you have not even started anything and you want someone to hold your hand and draw you pictures? And don't even know the basic concept of port forwarding?

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    Also 127.3 ??? So you're using that to obfuscate your public? Then why would you x.x the last part???

    NetRange:      127.0.0.0 - 127.255.255.255
    CIDR:          127.0.0.0/8
    NetName:        SPECIAL-IPV4-LOOPBACK-IANA-RESERVED

    Sorry but 127.anything is not some address you can use to get to some webserver other than it running locally on the same machine.
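The two points the replies keep returning to, SammyWoo's "each link must be on one subnet" rule for the (W1)Modem(L1)----(W2)pFsense(L2)----(L3)WebServer chain and johnpoz's point that a 127.x or RFC 1918 address on the pfSense WAN changes where the port forward has to live, can be checked mechanically. The script below is an added example, not code from this thread or from the pfSense project. It uses the addresses from the plan posted earlier in the thread (modem LAN 192.168.0.1 with a /16, pfSense WAN 100.95.76.22/24, pfSense LAN 192.168.1.1/24); the web server address 192.168.1.10 is constructed, and the `Link`/`check_chain` names are this example's own. Note that 100.95.76.22 falls in the RFC 6598 shared address space (carrier-grade NAT), which Python's `ipaddress` module does not report as private, so the example checks that range explicitly; for port forwarding the consequence is the same as for RFC 1918: something in front of pfSense owns the NAT.

```python
"""Checks for the modem -> pfSense -> web server chain from the thread.

Added example; this is not code from the thread or from the pfSense
project. It models SammyWoo's (W1)Modem(L1)----(W2)pfSense(L2)----(L3)
WebServer chain and checks the two things the replies insist on: each
link must share one subnet, and the kind of address on the pfSense WAN
decides whether something in front of pfSense must port-forward first.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address ranges that matter for inbound reachability.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space (carrier NAT)


def classify(addr: str) -> str:
    """Return loopback / cgnat / rfc1918 / reserved / public for one address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"     # 127.0.0.0/8 never leaves the host
    if ip in CGNAT:
        return "cgnat"        # the ISP does the NAT; you cannot forward ports there
    if any(ip in net for net in RFC1918):
        return "rfc1918"      # a NAT device you may control sits in front
    if not ip.is_global:
        return "reserved"
    return "public"


@dataclass
class Link:
    """One cable in the chain: an interface on each of the two boxes."""
    name: str
    upstream: str     # e.g. modem LAN   "192.168.0.1/16"
    downstream: str   # e.g. pfSense WAN "100.95.76.22/24"

    def networks(self) -> set:
        return {ipaddress.ip_interface(self.upstream).network,
                ipaddress.ip_interface(self.downstream).network}

    def same_subnet(self) -> bool:
        # Both ends must agree on the exact network, not merely contain each other.
        return len(self.networks()) == 1


def check_chain(links: list[Link], pfsense_wan: str) -> list[str]:
    """Return findings; an empty list means the addressing plan is consistent."""
    findings = []
    for link in links:
        if not link.same_subnet():
            findings.append(f"{link.name}: {link.upstream} and {link.downstream} "
                            "are not in the same subnet")
    # Two different links must not share address space, or routing is ambiguous.
    for i, x in enumerate(links):
        for y in links[i + 1:]:
            if any(a.overlaps(b) for a in x.networks() for b in y.networks()):
                findings.append(f"{x.name} and {y.name}: address ranges overlap")
    kind = classify(pfsense_wan)
    if kind == "loopback":
        findings.append("pfSense WAN is a 127.x address: loopback, not reachable from anywhere")
    elif kind in ("rfc1918", "cgnat"):
        findings.append(f"pfSense WAN is {kind}: a device in front of pfSense does NAT, "
                        "so ports must be forwarded there (or pfSense put in its DMZ) first")
    return findings


# The plan posted in the thread; the web server address is constructed.
EXAMPLE_LINKS = [
    Link("modem LAN <-> pfSense WAN", "192.168.0.1/16", "100.95.76.22/24"),
    Link("pfSense LAN <-> web server", "192.168.1.1/24", "192.168.1.10/24"),
]

if __name__ == "__main__":
    for finding in check_chain(EXAMPLE_LINKS, "100.95.76.22") or ["chain looks consistent"]:
        print(finding)
```

Run against the posted plan it reports three findings: the modem LAN and pfSense WAN are not on one subnet, the modem's /16 swallows the pfSense LAN's /24, and the WAN address is not public, so inbound traffic has to be forwarded by the box in front of pfSense. Fixing the plan (modem LAN /24, pfSense WAN on that same /24) empties the list apart from the forwarding note.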



  • Yeah.. I said I'm starting up from scratch.
    So here are the first configurations made, per the same request corvey asked for:

    https://yourRouter/firewall_nat.php
    https://yourRouter/firewall_rules.php?if=wan
    https://yourRouter/firewall_rules.php?if=lan
    https://yourRouter/interfaces.php?if=wan
    https://yourRouter/interfaces.php?if=lan
    https://yourRouter/system_gateways.php
    https://yourRouter/services_unbound.php

    Hope we can fix this issue together, so I can learn something from it and understand where I made my mistakes.
    Thanks again guys…

    PS: I was remembering the static IP wrong; it begins with 213.3..*

    ![Screen Shot 2018-03-27 at 15.35.58.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.35.58.png)
    ![Screen Shot 2018-03-27 at 15.36.28.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.36.28.png)
    ![Screen Shot 2018-03-27 at 15.39.54.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.39.54.png)
    ![Screen Shot 2018-03-27 at 15.41.10.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.41.10.png)
    ![Screen Shot 2018-03-27 at 15.41.35.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.41.35.png)
    ![Screen Shot 2018-03-27 at 15.42.12.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.42.12.png)
    ![Screen Shot 2018-03-27 at 15.42.52.png](/public/imported_attachments/1/Screen Shot 2018-03-27 at 15.42.52.png)



  • Your settings are pretty close. Just swap out the red for green on the lan.  If you want to use a FQDN for your internal URL fill out the host override setting or else just use the IP directly.  I cut and pasted your answers for future reference.

    After that, make sure your modem is set to DMZ for your Pfsense router.  Then, go to "canyouseeme.org" and see if you can hit your webserver's port externally to see if it's open.


  • Rebel Alliance Global Moderator

    Why are you forwarding dns.. You're running a name server? But you only forwarded TCP? Not going to work.. Nor is that needed for some webserver to be available to the public.

    Rules on your lan?? At a loss here? Leave the rules on lan at default until you understand what you're doing.. Wan net would NEVER be a source of traffic into the lan..

    If your public IP is 213.. and your pfsense wan is rfc1918, then you are behind something else doing the NAT.. So yeah, step 1 is to make sure whatever traffic you want pfsense to forward actually gets to pfsense. So as mentioned you can put the pfsense wan IP into some dmz setting on the nat router in front of pfsense, or you need to forward on that device the specific ports you need.

    And yes canyouseeme.org will be your friend in checking if these ports you're forwarding are open to the internet.



  • John is right, you do not need DNS rules and probably shouldn't have them. I didn't touch on that subject because the main goal was to get your web server to work. The RFC 1918 rule should have been left blocked on the WAN, as from the default installation, as shown here from my router.

    You can read all about that here: https://doc.pfsense.org/index.php/Prevent_RFC1918_traffic_from_leaving_pfSense_via_the_WAN_interface
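The three replies above (swap the LAN rule, the TCP-only DNS forward and the "WAN net" source that match nothing, and the RFC 1918 / bogon blocks that should stay on) are the kind of mistakes a small linter can catch before the screenshots go up. The script below is an added example, not code from the thread or from pfSense; the dictionary layout is this example's own simplification and not pfSense's config.xml format, and the sample configuration is constructed to resemble what the replies describe (a TCP-only forward for port 53, a LAN rule whose source is "WAN net", and the WAN private/bogon blocks switched off).

```python
"""Lint a simplified pfSense-style NAT/rule set for the mistakes called
out in the thread. Added example, not code from the forum or from pfSense;
the dict layout below is an assumption made for illustration only."""
from __future__ import annotations

DNS_PORT = 53

# Constructed sample: roughly what the mis-configured box in the thread looks like.
SAMPLE_CONFIG = {
    "nat_forwards": [
        {"iface": "wan", "proto": "tcp", "port": 80,  "target": "192.168.1.10"},
        {"iface": "wan", "proto": "tcp", "port": 443, "target": "192.168.1.10"},
        {"iface": "wan", "proto": "tcp", "port": 53,  "target": "192.168.1.10"},
    ],
    "rules": {
        "wan": [
            {"action": "pass", "proto": "tcp", "src": "any", "dst_port": 80},
            {"action": "pass", "proto": "tcp", "src": "any", "dst_port": 443},
        ],
        "lan": [
            {"action": "pass", "proto": "any", "src": "WAN net", "dst_port": "any"},
            {"action": "pass", "proto": "any", "src": "LAN net", "dst_port": "any"},
        ],
    },
    "wan_block_private": False,
    "wan_block_bogons": False,
}


def lint(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    forwards = cfg["nat_forwards"]
    wan_rules = cfg["rules"].get("wan", [])
    lan_rules = cfg["rules"].get("lan", [])

    # 1. A port forward needs a matching pass rule on the WAN, otherwise the
    #    redirected packet is still dropped by the default deny.
    for fw in forwards:
        matched = any(
            r["action"] == "pass"
            and r["proto"] in (fw["proto"], "any")
            and r["dst_port"] in (fw["port"], "any")
            for r in wan_rules
        )
        if not matched:
            findings.append(f"forward {fw['proto']}/{fw['port']}: no pass rule on WAN")

    # 2. DNS is only needed if you really host a name server, and then UDP
    #    is mandatory; a TCP-only forward will not answer ordinary queries.
    dns_protos = {fw["proto"] for fw in forwards if fw["port"] == DNS_PORT}
    if dns_protos and "udp" not in dns_protos:
        findings.append("forward for port 53 is TCP-only; DNS needs UDP "
                        "(and no forward is needed at all for a web server)")

    # 3. "WAN net" can never be the source of traffic arriving on LAN.
    for r in lan_rules:
        if r["src"].lower() == "wan net":
            findings.append("LAN rule with source 'WAN net' matches nothing; "
                            "leave LAN rules at default")

    # 4. Keep the default WAN protections switched on.
    if not cfg.get("wan_block_private", True):
        findings.append("'Block private networks' is off on WAN")
    if not cfg.get("wan_block_bogons", True):
        findings.append("'Block bogon networks' is off on WAN")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed sample this reports five findings: the port 53 forward has no WAN pass rule, it is TCP-only, the LAN rule sources from "WAN net", and both WAN blocks are off. One caveat on check 4 that follows from the double-NAT situation in the thread: "Block private networks" drops packets whose source is an RFC 1918 address, so with the modem doing NAT in front of pfSense, traffic forwarded from the internet keeps its public source and passes, but anything the modem itself originates from its 192.168.x address will be dropped on the pfSense WAN.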



  • Thanks @johnpoz
    Thanks @corvey

    So guys, your hints and feedback helped me a lot in this configuration, and finally I get connected. Just some sites are still "blocked", as the browser notification says "Connection Refused", but I guess this is more a smaller further point I have to check in my configurations.

    RFC 1918 and Bogon have been set back (as default) to blocked on WAN. These minor things I couldn't figure out, mostly because in other posts the suggested hint was to disable them. But here as well I guess for other reasons.

    I can't for the moment access to canyouseeme.org, getting just a Blank site, at the moment I'm posting this.

    UPDATE:

    Can't Ping -> 8.8.8.8
    Can't access on some Site (ex. canyouseeme.org, maas.io)
    Can't access on my Site (Private Site with a DNS behind PFSense) -> ERROR MESSAGE: "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname."
    Plugging other machines into the network, they can't connect (no DHCP offers were received)

    Successfully can Connect to Ubuntu MAAS Region Controller
    Can visit some site (google, pfsense, wikipedia)

    I'll post in a new  Reply the actual situation.
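The "Potential DNS Rebind attack detected" text quoted in the update above is what pfSense's web GUI returns when a request reaches it with a Host header naming something other than the box itself (its own hostname, the alternate hostnames configured for it, or one of its interface addresses). The point of such a check on any admin interface is that a hostname under someone else's control can be made to resolve to the router's private address, so the GUI refuses to serve a page under a name it does not recognise, which is exactly what hits a private site name that ends up at pfSense. The class below is an added example written to illustrate that mechanism; it is not pfSense's code, and the hostnames, addresses and the `RebindGuard` name are constructed for the example.

```python
"""Host-header check of the kind behind pfSense's "Potential DNS Rebind
attack detected" message. Added example, not pfSense's own code; the
hostnames and addresses used here are constructed."""
from __future__ import annotations

import ipaddress


class RebindGuard:
    """Accept a request only if its Host header names this box."""

    def __init__(self, hostnames: set[str], addresses: set[str]):
        # The box's own FQDN plus any configured alternate hostnames.
        self.hostnames = {h.lower().rstrip(".") for h in hostnames}
        # Interface addresses the GUI listens on.
        self.addresses = {ipaddress.ip_address(a) for a in addresses}

    @staticmethod
    def _strip_port(host: str) -> str:
        """Drop a :port suffix, handling bracketed IPv6 literals like [::1]:8443."""
        if host.startswith("["):
            return host[1:].split("]", 1)[0]
        if host.count(":") == 1:          # IPv4 or hostname with a port
            return host.split(":", 1)[0]
        return host                        # bare hostname or unbracketed IPv6

    def check(self, host_header: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a raw Host header value."""
        host = self._strip_port(host_header.strip().lower())
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            if ip in self.addresses:
                return True, "matches an interface address"
            return False, "IP literal is not one of this box's addresses"
        if host.rstrip(".") in self.hostnames:
            return True, "matches a configured hostname"
        return False, ("Potential DNS rebind attack detected; "
                       "try accessing the router by IP address instead of by hostname")


if __name__ == "__main__":
    # Constructed setup: the router knows one hostname and one LAN address.
    guard = RebindGuard({"pfsense.home.lan"}, {"192.168.1.1"})
    for hdr in ("192.168.1.1:8443", "pfsense.home.lan", "www.example.test:8443"):
        print(hdr, "->", guard.check(hdr))
```

With only the router's own name configured, a request for `www.example.test` (a constructed stand-in for the private site name) is refused with the rebind message even though it arrived on the router's address; adding that name to the allowed hostnames, or browsing to the IP address as the message suggests, makes the same request pass. In pfSense the equivalent knobs are the alternate hostnames and the DNS rebind check under System > Advanced > Admin Access; whether the site name should resolve to pfSense at all is the separate question of where the port forward for the web server points.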



  • Without further comment, am I right in saying this should be a gateway issue with this static IP?
    I get connected (and successfully updated the PFSense version), but can't get other machines connected over LAN <-> WAN (inside - outside) online.

    ![Screen Shot 2018-03-29 at 17.09.23.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.09.23.png)
    ![Screen Shot 2018-03-29 at 17.12.52.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.12.52.png)
    ![Screen Shot 2018-03-29 at 17.13.31.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.13.31.png)
    ![Screen Shot 2018-03-29 at 17.14.21.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.14.21.png)
    ![Screen Shot 2018-03-29 at 17.15.39.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.15.39.png)
    ![Screen Shot 2018-03-29 at 17.16.44.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.16.44.png)
    ![Screen Shot 2018-03-29 at 17.18.16.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.18.16.png)
    ![Screen Shot 2018-03-29 at 17.20.03.png](/public/imported_attachments/1/Screen Shot 2018-03-29 at 17.20.03.png)