Netgate Discussion Forum

[Solved] Forwarding port 80 with redirect to 81 opens only 81 on WAN

    truetype, May 19, 2018, 1:35 PM (last edited by admin May 23, 2018, 4:51 PM)

    I'm running Let's Encrypt on my unraid server, which listens on port 81. But from their servers the validation only uses port 80, so I need to have port 80 open when the certifications are due for renewal.

    My question:
    Is it not strange that when I choose to open port 80 with internal redirect to port 81 on my unraid server (192.168.1.8) it just opens 81 externally and not port 80 in rules?

    Right now I have a rule which opens port 80 that I enable every time the certs are due for renewal. Please see attached screenshots.

    Any suggestions for a more neat solution?

    Sincerely, TrueType

    EDIT 2018-05-21 I guess this is a bug? It should open port 80 with the settings from my screenshots?

    ![letsencrypt docker settings.PNG](/public/imported_attachments/1/letsencrypt docker settings.PNG_thumb)
    ![NAT rules.PNG](/public/imported_attachments/1/NAT rules.PNG)
    ![firewall rules.PNG](/public/imported_attachments/1/firewall rules.PNG)

      jimp (Rebel Alliance Developer, Netgate), May 21, 2018, 2:58 PM

      Firewall rules are processed after NAT in the inbound direction. So by the time a firewall rule is evaluated, the destination port is 81, so the rule needs to pass to the private IP destination on port 81, not 80.

        truetype, May 21, 2018, 3:17 PM

        @jimp:

        Firewall rules are processed after NAT in the inbound direction. So by the time a firewall rule is evaluated, the destination port is 81, so the rule needs to pass to the private IP destination on port 81, not 80.

        Thanks for the reply.

        Sorry, I do not quite understand, and I noticed I updated the thread just seconds before your answer. :P

        So I guess this is not a bug, but instead how it's meant to work. And therefore I have to use the rule I named "Apply when renewing certs in letsencrypt" all the time and not only when renewing certs in order to keep port 80 open? And will this lead to both port 80 and port 81 being open to WAN? I only want port 80 open to WAN but 81 locally, if you see what I mean.

          jimp (Rebel Alliance Developer, Netgate), May 21, 2018, 3:24 PM

          The "apply when renewing…" rule can never match anything, based on your NAT rules. It can't open port 80 on the WAN address because the destination is a private address, not WAN. There is also no NAT rule with a destination NAT port of 80, so that won't match either. So it will never do anything with the rules you show there now.

          Your NAT rule maps a destination of [WAN IP address]:80 to 192.168.1.8:81

          The firewall rule you have enabled passes to a destination 192.168.1.8:81, which will match because that's what the destination is on the packet after NAT applies.

          So right now the rules you show are forwarding and passing port 80 and 443 in from your WAN IP address to the local server on 192.168.1.8 on ports 81 and 443.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
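The ordering jimp describes, as an added runnable model (this is not pfSense or pf source code): a port forward rewrites the destination first, and only then are the WAN firewall rules evaluated, against the rewritten packet. The addresses 203.0.113.10 (standing in for the WAN IP) and 198.51.100.7 (an outside client) are constructed; 192.168.1.8 and the 80 -> 81 and 443 -> 443 forwards are the ones from the thread. The "Apply when renewing" rule is modelled as jimp reads it: a pass rule to 192.168.1.8 on port 80.

```python
# Added example (not pfSense/pf code): a small model of how pf handles an
# inbound packet on WAN. Port-forward (rdr) rules rewrite the destination
# first; only then are the WAN firewall rules evaluated, and they see the
# rewritten destination. Addresses are constructed: 203.0.113.10 stands in
# for the WAN IP, 198.51.100.7 for an outside client such as a validation host.
from dataclasses import dataclass, replace
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """A pfSense Port Forward entry (pf 'rdr'): WAN addr:port -> target:port."""
    wan_addr: str
    wan_port: int
    target: str
    target_port: int


@dataclass(frozen=True)
class PassRule:
    """A WAN firewall rule that passes traffic to a destination addr:port."""
    dst: str
    dport: int


def apply_port_forward(pkt: Packet, forwards: Iterable[PortForward]) -> Packet:
    """Step 1: the first matching forward rewrites the destination; otherwise unchanged."""
    for fwd in forwards:
        if pkt.dst == fwd.wan_addr and pkt.dport == fwd.wan_port:
            return replace(pkt, dst=fwd.target, dport=fwd.target_port)
    return pkt


def filter_passes(pkt: Packet, rules: Iterable[PassRule]) -> bool:
    """Step 2: firewall rules are matched against the post-NAT packet (default deny)."""
    return any(pkt.dst == r.dst and pkt.dport == r.dport for r in rules)


def inbound(pkt: Packet, forwards, rules) -> Tuple[bool, Packet]:
    """Run one inbound WAN packet through NAT and then the filter."""
    nat_pkt = apply_port_forward(pkt, forwards)
    return filter_passes(nat_pkt, rules), nat_pkt


def exposed_ports(forwards, rules, wan_addr, ports=range(1, 1025)) -> set:
    """Which WAN ports an outside host can actually reach through both steps."""
    probe = "198.51.100.7"  # constructed outside client
    return {p for p in ports
            if inbound(Packet(probe, wan_addr, p), forwards, rules)[0]}


WAN_IP = "203.0.113.10"            # constructed stand-in for the real WAN address
SERVER = "192.168.1.8"             # the unraid host from the thread
FORWARDS = [PortForward(WAN_IP, 80, SERVER, 81),
            PortForward(WAN_IP, 443, SERVER, 443)]
PASS_81 = PassRule(SERVER, 81)     # the pass rule that matches the forwarded packet
PASS_443 = PassRule(SERVER, 443)
RENEW_RULE = PassRule(SERVER, 80)  # "Apply when renewing certs": nothing arrives as :80 post-NAT

if __name__ == "__main__":
    # WAN:80 is rewritten to 192.168.1.8:81 and then passed by PASS_81.
    print(inbound(Packet("198.51.100.7", WAN_IP, 80), FORWARDS, [PASS_81]))
    # WAN:81 has no forward, so the packet still targets the WAN address and is dropped.
    print(inbound(Packet("198.51.100.7", WAN_IP, 81), FORWARDS, [PASS_81]))
    # Only 80 and 443 are reachable from outside, even though the pass rule names port 81.
    print(exposed_ports(FORWARDS, [PASS_81, PASS_443], WAN_IP))
```

The model shows why the WAN pass rule has to name 192.168.1.8:81 and why that does not open port 81 on the WAN side: a packet to WAN:81 is never rewritten, so its destination stays the WAN address and no pass rule matches it.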
            truetype, May 22, 2018, 6:24 PM (last edited May 22, 2018, 6:45 PM)

            @jimp:

            The "apply when renewing…" rule can never match anything, based on your NAT rules. It can't open port 80 on the WAN address because the destination is a private address, not WAN. There is also no NAT rule with a destination NAT port of 80, so that won't match either. So it will never do anything with the rules you show there now.

            Your NAT rule maps a destination of [WAN IP address]:80 to 192.168.1.8:81

            The firewall rule you have enabled passes to a destination 192.168.1.8:81, which will match because that's what the destination is on the packet after NAT applies.

            So right now the rules you show are forwarding and passing port 80 and 443 in from your WAN IP address to the local server on 192.168.1.8 on ports 81 and 443.

            Thanks for explaining this to me.

            Though I think it's strange that Let's Encrypt wasn't able to renew my certifications when I only had the NAT rule, but when I created this "Apply when renewing…" rule and enabled it, the certifications could be renewed by the Let's Encrypt servers. But I suppose it has to do with the certification renewal process then.

            I have another problem that I believe has to do with this anyhow.
            In nginx on my server I have set it up to redirect all incoming requests on port 80 (81) to 443 instead. (If someone tries to enter the site via http:// it should redirect to secure https:// instead.)
            And I can access my website by using https://, but with just http:// it does not redirect me when on LAN, but if I use my phone or at the office it works. My initial thought was that it has to do with this https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks but after thinking a bit, I can reach my sites on LAN when using https:// but not http://. Any ideas what this could be? I am using DNS Resolver.

              SteveITS (Galactic Empire), replying to @truetype, Jun 4, 2018, 6:33 PM

              @truetype
              I'm wandering on by here, but if you simply redirect publicip:80 to privateip:443 using NAT, that doesn't do a redirect; it would cause an error since the web browser and web server are using two different forms of communication. Let the connection to 80 work and have the web server redirect to https:// so the browser knows to talk https.

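SteveITS's advice in concrete form, as an added example that is not from the thread or from any poster: an nginx server block on the unraid host listening on 81 (the port the WAN:80 forward lands on) that answers every plain-HTTP request with a 301 to the https:// URL, so the browser, not the firewall, switches protocols. The `/.well-known/acme-challenge/` location and its webroot `/var/www/acme` are assumptions for the Let's Encrypt HTTP-01 validation the thread mentions; the thread does not show the poster's actual nginx configuration.

```nginx
# Added example (not from the thread). nginx listens on 81 because the
# pfSense forward rewrites WAN:80 -> 192.168.1.8:81; the browser still
# believes it is talking to port 80, so the redirect target is the plain
# https://host/path, which lands on the separately forwarded port 443.
server {
    listen 81;
    server_name _;

    # Assumption: serve HTTP-01 challenge files directly from a local webroot
    # so validation does not depend on the redirect being followed.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else: tell the client to come back over TLS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because the client connected to port 80 externally, `$host` carries no port suffix and the redirect resolves to the default HTTPS port 443, which is exactly the port the thread's second forward passes through to 192.168.1.8.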
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.