Internal Web Server



  • I did a clean install with the 0.94 liveCD, upgraded to 0.94.2, then started configuring from scratch instead of using my old config.

    I have a web server on my LAN; I made a NAT rule that looks like this.

    <rule>
        <external-address>any</external-address>
        <protocol>TCP</protocol>
        <external-port>80</external-port>
        <target>server</target>
        <local-port>80</local-port>
        <interface>wan</interface>
        <descr>Web Server</descr>
    </rule>

    As soon as I apply that, I can't view any external websites and I get locked out of the webGUI. Actually it seems like the only thing I can do is ping the LAN interface on pfSense, and view the webpages on my server.

    I went into the shell via the console and browsed around until I found the config file, removed the above rule and the accompanying firewall rule, rebooted and I was back in business.

    I guess this has something to do with NAT reflection?  I didn't disable it beforehand.



  • Never mind, I disabled NAT reflection and put my aforementioned rule back in and everything is good.  I just remembered that I had this problem before.



  • @thinair:

    Never mind, I disabled NAT reflection and put my aforementioned rule back in and everything is good.  I just remembered that I had this problem before.

    Please share with us what rule is causing this.  Reflection should not be causing these issues.



  • @sullrich:

    Please share with us what rule is causing this.  Reflection should not be causing these issues.

    The rule is in the first post.



  • @thinair:

    @sullrich:

    Please share with us what rule is causing this.  Reflection should not be causing these issues.

    The rule is in the first post.

    This is not happening to me.  I have many web servers (5+) redirected at my work and we do not see this behavior.  You're on 0.94+?



  • Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

    I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again).  So again I went sifting through the config.xml file and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.
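    An added audit script (not from this thread or from pfSense) that checks a config.xml for the combination reported here: the port-forward rule from the first post, with external-address set to any, while NAT reflection is not disabled. It also applies the workaround used above by adding the <disablenatreflection>yes</disablenatreflection> element. The rule is the one posted in the thread; the <pfsense>/<system>/<nat> wrapper and the placement of the element under <system> are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml: the <rule> is the one posted in the thread; the
# <pfsense>/<system>/<nat> wrapper is an assumption, not documented pfSense layout.
SAMPLE_CONFIG = """<pfsense>
  <system></system>
  <nat>
    <rule>
      <external-address>any</external-address>
      <protocol>TCP</protocol>
      <external-port>80</external-port>
      <target>server</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr>Web Server</descr>
    </rule>
  </nat>
</pfsense>"""


def reflection_disabled(root):
    """True when <system><disablenatreflection>yes</disablenatreflection> is set."""
    node = root.find("system/disablenatreflection")
    return node is not None and (node.text or "").strip().lower() == "yes"


def find_risky_rules(xml_text):
    """Flag port forwards with external-address 'any' while reflection is still on,
    the combination this thread reports as killing all port-80 traffic."""
    root = ET.fromstring(xml_text)
    if reflection_disabled(root):
        return []
    findings = []
    for rule in root.findall("nat/rule"):
        if (rule.findtext("external-address") or "").strip().lower() == "any":
            findings.append(
                f"{rule.findtext('descr')}: {rule.findtext('protocol')}/"
                f"{rule.findtext('external-port')} on {rule.findtext('interface')} "
                "uses external-address 'any' with NAT reflection enabled"
            )
    return findings


def disable_reflection(xml_text):
    """Apply the thread's workaround under <system> (placement assumed); return new XML."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    if system is None:
        system = ET.SubElement(root, "system")
    if system.find("disablenatreflection") is None:
        ET.SubElement(system, "disablenatreflection").text = "yes"
    return ET.tostring(root, encoding="unicode")
```

Run it against a backup copy of config.xml rather than the live file, and diff the result before putting it back.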



  • @thinair:

    Ok, I'm currently on version 0.94.4, which was upgraded from 0.94.2, and that was upgraded from a 0.94.0 clean install.

    I went and enabled NAT reflection and within 5 seconds anything using port 80 was dead, including the webGUI (I should really set the webGUI to SSL again).  So again I went sifting through the config.xml file and with an older backup copy as a reference I figured out where to add the <disablenatreflection>yes</disablenatreflection> statement, rebooted and I'm all good again.

    Okay, please enable NAT reflection.  Wait until port 80 is no longer working, then send me the contents of /tmp/rules.debug to sullrich@gmail.com.  I will take a look at why this is happening.

    And for the record, are you on DHCP, PPPoE or PPTP on WAN?



  • PPPoE, and email sent



  • @thinair:

    PPPoE, and email sent

    Thanks, I'll check it out this afternoon.



  • NAT reflection should only take effect for packets that are destined to the WAN interface, right?

    Additionally, if NAT reflection was forwarding those packets to my web server, I would have gotten the page that is hosted on it…

    Let me know if there is anything I can do as well to help with this.

