Redirection Traffic



  • I have been using pfsense for near on two years and I have then issue that feels like a newbie thing.
    How to redirect traffic that user tape in navigator a public IP like 1.2.3.4 to redirect them to a local IP address
    Thank


  • Rebel Alliance Global Moderator

    What exactly are you trying to accomplish - you say navigator, so users are putting in http://1.2.3.4 in their browser (firefox/chrome/etc) address bar and you want them to get sent to http://192.168.1.100 for example?



  • @johnpoz Yes Sir , this is my need


  • Rebel Alliance Global Moderator

    Are you using a proxy and want to send them to a block page? If browser sends traffic to 1.2.3.4 and gets an answer from 192.168.1.100 its not going to accept that answer.



  • @johnpoz i don't have a proxy in my network. but , why browser not accept the answer when he get an answer from local ip ?



  • I can't do anythink for resolve this problem ?


  • Rebel Alliance Global Moderator

    How did you try and do it? Your talking just http right, not https?

    I just did a port forward on lan with dest 8.8.8.8 http, goes to 192.168.3.10 this is my pihole.. I then hit http://8.8.8.8 and get this

    0_1535634768834_portforward.png

    But then again my client is on 192.168.9/24 not the same segment that server I am redirecting it too is on. In such a case pfsense does a bit of magic.. But when the source IP is on the same segment as your server your trying to redirect too - you could have problems.



  • @johnpoz https traffic ☹ ☹ ☹ ☹ ☹



  • @big_bill said in Redirection Traffic:

    @johnpoz https traffic ☹ ☹ ☹ ☹ ☹

    You could have told this right away. Are you 'forgetting' more info, like, as asked already : devices are on the same LAN segment, or not ?
    Please detail your questions. The quality of the replies depend on it.

    Btw : https traffic can't be redirected. At least, not on a network like "Internet".
    Example : if a user typed

    https://1.2.3.4
    

    and you managed to redirect this request to a device on your LAN (or where ever else on the net) and this connection give back a certificate (it should, we are talking https here), it must contain "1.2.3.4" as a "alternative subject name".
    And that, simply said, just can't be done.

    edit : another example :
    A user types :

    https://4.5.6.7
    

    and yu direct him to https:/:www.google.com then the browser well yell - because the browser inspects the certifcate, these "alternative subject name" buried into the certicate.
    They are visible :
    0_1535637251162_7a63e113-c3b8-4168-8cbf-4e3e884c4885-image.png

    and as you can see, this is not "4.5.6.7".

    The browser will show "Game over".

    Btw : a question : since when user type really "real" IP address ?



  • @gertjan

    The devices are not on the same LAN : one have a public IP (like 8.8.8.8) and auther (server) have a local IP (the same range with my computer)

    When user tape or click on link with the public IP address, he should be redirected to the local IP.



  • Please HELP !!!



  • The post above from @johnpoz does exactly what you were asking for.



  • @gertjan dosen't work

    Firewall -> NAT -> Port Forward
    

    Interface : LAN
    Protocol : TCP/UDP
    Source : *
    Destination : - type = Single host , Adress/Mask = ip public
    Destination port range : http
    Redirect target IP : 192.168.1.X
    Redirect target port : https
    NAT reflection : Use system default



  • This :
    @big_bill said in Redirection Traffic:

    Destination port range : http
    Redirect target IP : 192.168.1.X
    Redirect target port : https

    will never work.

    redirecting http to https is a fail ... and needles to ask : this will never work.

    So I tried what @johnpoz said :
    0_1535641897836_2be09cac-e85e-4a2c-a7eb-f0e4077d7bb6-image.png

    192.168.2.2 (port 80 - no SSL) is a GUI access of one of my AP.

    It works !! I typed :

    0_1535641968098_555c0994-0ada-4223-b2e8-1ba0815169d2-image.png

    and the AP GUI page opened 👏

    I'm visiting from my LAN, a device with IP 192.168.1.100
    192.168.2, the AP, is on my OPT1 interface

    Again : forget about redirecting https. Learn about the word MITM (Google it up - have a look at Wiki pages or search on this forum, and you'll see).


  • Rebel Alliance Global Moderator

    Its not going to work for https.. And if you redirect to the same lan, even if http I don't think it will work because the client will see answer from wrong IP/mac.. When you forward it through router you have go between and to the client it looks like came from 8.8.8.8 in my scenario..

    But when are on same network you end up with this... I changed the port forward to point to 192.168.9.8

    0_1535641918006_sentto8888.png

    As you see .100 sent to 8.8.8.8 but it got answer from 192.168.9.8 - which sorry its not going to accept..

    So for something like this to work with http even - again https is not going to work.. Unless the web server your sending to has the public IP your sending too i the SAN AND -- the client trusts the CA that signed that cert.

    You would have to source nat the traffic to be looking like it came from pfsense IP on this network, and then pfsense would have to send it back to your client looking like it came from 8.8.8.8..

    Why exactly are you looking to do this? Maybe your just going down the wrong rabbit hole for whatever issue your trying to fix?



  • @gertjan i tried with http

    the browser saied : ERR_CONNECTION_TIMED_OUT



  • @johnpoz

    My server sends URLs containing URLs using its local IP address, but our external clients do not have access with this IP.

    i would perform the redirection:

    outside (WAN), redirect to our public IP
    in local (LAN), redirect to our local IP

    i have configure the server to send the notification with the public ip (for the external client)

    but in the lan side ; i can't access to this IP



  • If you have a local server with private IP, clients on Internet must connect to a public IP, and you need to NAT that to your private IP server.
    And clients in the local lan, must connect to private IP directly.

    To use same hostname in both cases like "host.domain.tld" you must setup your DNS, and you can override that entry to solve to private IP for LAN users, but to public IP for external users.


  • Rebel Alliance Global Moderator

    So all you need it port forward for this to work if clients are hitting your public IP on your wan to your lan.

    I took this as you were wanting local users to do this.. If this is outside users this is simple port forward. If you want your users to hit your OUTSIDE ip and get reflected back in that is nat reflection.

    But the better solution is to use dns, and have your users resolve www.whatever.tld that points to your public IP and have that resolve locally to your server on your private IP address..

    What sort of notification are you sending?? you should never hard code IP.. Use FQDN..



  • @elkato How do this with pfsense