[Solved] Forwarding port 80 with redirect to 81 opens only 81 on WAN

truetype · May 23, 2018, 4:51 PM

I'm running let'sencrypt on my unraid server which listens on port 81. But from their servers the validation only uses port 80, so I need to have port 80 open when the certifications are due to renewal.

My question:
Is it not strange that when I choose to open port 80 with internal redirect to port 81 on my unraid server (192.168.1.8 ) it just opens 81 externally and not port 80 in rules?

Right now I have a rule which opens port 80 that I enable everytime the certs are due to renewal. Please see attached screenshots.

Any suggestions for a more neat solution?

Sincerely, TrueType

EDIT 2018-05-21 I guess this is a bug? It should open port 80 with the settings from my screenshots?

![letsencrypt docker settings.PNG_thumb](/public/imported_attachments/1/letsencrypt docker settings.PNG_thumb)
![NAT rules.PNG](/public/imported_attachments/1/NAT rules.PNG)
![NAT rules.PNG_thumb](/public/imported_attachments/1/NAT rules.PNG_thumb)
![firewall rules.PNG](/public/imported_attachments/1/firewall rules.PNG)
![firewall rules.PNG_thumb](/public/imported_attachments/1/firewall rules.PNG_thumb)

jimp · May 21, 2018, 2:58 PM

Firewall rules are processed after NAT in the inbound direction. So by the time a firewall rule is evaluated, the destination port is 81, so the rule needs to pass to the private IP destination on port 81, not 80.

truetype · May 21, 2018, 3:17 PM

@jimp:

Firewall rules are processed after NAT in the inbound direction. So by the time a firewall rule is evaluated, the destination port is 81, so the rule needs to pass to the private IP destination on port 81, not 80.

Thanks for reply

Sorry I do not quite understand, and I noticed I updated the thread just seconds before your answer. :P

So I guess this is not a bug, but instead how it's meant to work. And therefore I have to use the rule I named "Apply when renewing certs in letsencrypt" all the time and not only when renewing certs in order to keep port 80 open? And this will lead to that I will have both port 80 and port 81 open to WAN? I only want port 80 open to WAN but 81 locally if you see what I mean.

jimp · May 21, 2018, 3:24 PM

The "apply when renewing…" rule can never match anything, based on your NAT rules. It can't open port 80 on the WAN address because the destination is a private address, not WAN. There is also no NAT rule with a destination NAT port of 80, so that won't match either. So it will never do anything with the rules you show there now.

Your NAT rule maps a destination of <wan ip="" address="">:80 to 192.168.1.8:81

The firewall rule you have enabled passes to a destination 192.168.1.8:81, which will match because that's what the destination is on the packet after NAT applies.

So right now the rules you show are forwarding and passing port 80 and 443 in from your WAN IP address to the local server on 192.168.1.8 on ports 81 and 443.</wan>

truetype · Jun 4, 2018, 6:33 PM

@jimp:

The "apply when renewing…" rule can never match anything, based on your NAT rules. It can't open port 80 on the WAN address because the destination is a private address, not WAN. There is also no NAT rule with a destination NAT port of 80, so that won't match either. So it will never do anything with the rules you show there now.

Your NAT rule maps a destination of <wan ip="" address="">:80 to 192.168.1.8:81

The firewall rule you have enabled passes to a destination 192.168.1.8:81, which will match because that's what the destination is on the packet after NAT applies.

So right now the rules you show are forwarding and passing port 80 and 443 in from your WAN IP address to the local server on 192.168.1.8 on ports 81 and 443.</wan>

Thanks for explaining this to me.

Though I think it's strange that Let'sencrypt wasn't able to renew my certifications when I only had the NAT rule, but when I created this "Apply when renewing…" rule and enabled it, the certifications could be renewed by Let'sencrypt servers. But I suppose it has todo with the certification renewal process then.

I have another problem that I believe has todo with this anyhow.
In nginx on my server I have set it up to redirect all incoming requests on port 80 (81) to 443 instead. (If someone tries to enter the site via http:// it should redirect to secure https:// instead)
And I can access my website by using https:// but with just http:// it does not redirect me when on LAN, but if I use my phone or at the office it works. My initial thoughts was that it has todo with this https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks but after thinking abit I can reach my sites on LAN when using https:// but not http://. Any ideas what this could be? I am using DNS resolver.

SteveITS · Jun 4, 2018, 6:33 PM

@truetype
I'm wandering on by here but if you simply redirect port publicip:80 to privateip:443 using NAT that doesn't do a redirect, that would cause an error since the web browser and web server are using two different forms of communication. Let the connection to 80 work and have the web server redirect to https:// so the browser knows to talk https.