Internal Web Server

thinair · Nov 20, 2005, 1:32 AM

I did a clean install with the 0.94 liveCD, upgraded to 0.94.2, then started configuring from scratch instead of using my old config.

I have a web server on my LAN, I made a NAT rule that looks like this.

<rule><external-address>any</external-address>
<protocol>TCP</protocol>
<external-port>80</external-port>
<target>server</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>Web Server</descr></rule>

As soon as I apply that, I can't view any external websites and I get locked out of the webGUI. Actually it seems like the only thing I can do is ping the LAN interface on pfSense, and view the webpages on my server.

I went into the shell via the console and browsed around until I found the config file, removed the above rule and the accompanying firewall rule, rebooted and I was back in business.

I guess this has something to do with NAT reflection? I didn't disable it before hand.

thinair · Nov 20, 2005, 1:38 AM

nevermind, i disabled NAT reflection and put my aforementioned rule back in and everything is good. I just remembered that I had this problem before.

sullrich · Nov 20, 2005, 1:52 AM

@thinair:

nevermind, i disabled NAT reflection and put my aforementioned rule back in and everything is good. I just remembered that I had this problem before.

Please share with us what rule is causing this. Reflection should not be causing these issues.

thinair · Nov 20, 2005, 2:54 AM

@sullrich:

Please share with us what rule is causing this. Reflection should not be causing these issues.

The rule is in the first post

sullrich · Nov 20, 2005, 2:55 AM

@thinair:

@sullrich:

Please share with us what rule is causing this. Reflection should not be causing these issues.

The rule is in the first post

This is not happening to me. I have many web servers (5+) redirected at my work and we do not see this behavior. You're on 0.94+ ?

thinair · Nov 20, 2005, 6:14 AM

Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again). So again I went sifting though the config.xml file and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.

sullrich · Nov 20, 2005, 6:18 AM

@thinair:

Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again). So again I went sifting though the config.xml file and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.

Okay, please enable nat reflection. Wait until port 80 is no longer working then send me the contents of /tmp/rules.debug to sullrich@gmail.com. I will take a look at why this happening.

And for the record, you are dhcp, ppoe, pptp on wan?

thinair · Nov 20, 2005, 6:43 AM

PPPoE, and email sent

sullrich · Nov 20, 2005, 6:45 AM

@thinair:

PPPoE, and email sent

Thanks, I'll check it out this afternoon.

bruor · Dec 7, 2005, 10:19 PM

nat reflection should only take effect for packets that are destined to the wan interface right ?

additionally, if nat reflection was forwarding those packets to my web server, i would have gotten the page that is hosted on it…

let me know if there is anything i can do as well to help with this.