Web server behind virtual IP on WAN
-
Split from: http://forum.pfsense.org/index.php/topic,13494.0/topicseen.html
Hi,
I find this similar to my situation which troubles me for some time.
I need: WAN ---> pfSense ---> web server
I am using pfSense as the main router for the LAN subnet and the web server is part of it.
I configured a VIP for WAN and a port fwd of port 80 (I am using 443 for the webGUI) to the web server on LAN.
Also, rules:
On WAN:
Proto Source Port Destination Port Gateway Schedule Description
TCP * * * 80 (HTTP) * NAT
On LAN:
Proto Source Port Destination Port Gateway Schedule Description
- LAN net * * * * Default LAN -> any
TCP X.X.X.117 * 10.10.25.11 80 (HTTP) *
117 is VIP on WAN.
Help please.
-
Reread the thread this here is split from.
also:
http://forum.pfsense.org/index.php/topic,7001.0.html
and the wiki: http://doc.pfsense.org/index.php/Main_Page
Your rules are all wrong.
WAN: don't allow anything inbound on port 80.
Allow as destination only your server.
LAN: Your second rule doesn't make any sense. Rules are applied on the interface on which traffic is inbound. --> The rule has to go to the WAN tab.
Set as source "any" and not the VIP.
NAT: you didn't post any NAT rules, so I suppose you didn't create them.
Create a rule forwarding port 80 with your VIP as "external IP".
-
Obviously it won't go as easily as I thought…
I have tried tons of solutions across the web, so excuse me if I messed something up, and I surely did.
See attachments and we can discuss further.
Thanks
-
Just to clarify…
-.-.-.117 is VIP (proxy arp of WAN)
-.-.-.116 is WAN address
10.10.0.0/19 is LAN
Also, there is opt1 but it is irrelevant for this.
-
The screenshots look good.
What does not work?
-
I can not access web page over http://-.-.-.117 which is located on 10.10.25.11
States:
tcp 10.10.25.11:80 <- -.-.-.117:80 <- -.-..234:2990 CLOSED:SYN_SENT
tcp -.-.-.-.234:2990 -> 10.10.25.11:80 SYN_SENT:CLOSED
-
Are you trying to access from inside your own network or from the outside?
From the inside it will not work.
The solution would be to enable NAT reflection, however I'm not sure if NAT reflection is compatible with PARP VIPs.
-
I can access locally http://10.10.25.11 or over public 117 in LAN (I enabled NAT reflection and I can open the page inside LAN but outside…)
-
The -.-.-.-.234:2990 is a machine I control remotely to try from outside the network.
-
It seems like everything is ok but it doesn't work. I have tried to give the web server a public IP and it is reachable from outside. That is high risk for me and I can't figure out how to do this simple port fwd.
Do I have to make any changes on the server, i.e. to set the VIP as gateway, I don't know, or to set up some outgoing NAT?
Thanks in advance.
-
The firewall log is ok, the traffic is passed to the web server.
-
It would be helpful if someone can provide me screenshots of his configuration for any service which is behind VIP (or WAN IP).
I don't know where the mistake is, is it NAT or firewall or pfSense generally.
Thanks
-
Usually it is something stupid. The firewall on the local web server blocked traffic.
Everything works like a charm.
I fwded SSH and HTTP without any problem.
Thanks.
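
An added example, not part of the original thread: a small parser for state lines in the layout posted above that lists LAN servers which were sent a forwarded SYN and never replied, the symptom that here turned out to be the web server's own firewall. The sample lines, documentation addresses and function names are constructed; the LAN range 10.10.0.0/19 is the one given in the thread.

```python
import ipaddress
import re

# Constructed sample in the thread's state-line layout (documentation IPs).
SAMPLE_STATES = """\
tcp 10.10.25.11:80 <- 203.0.113.117:80 <- 198.51.100.234:2990 CLOSED:SYN_SENT
tcp 198.51.100.234:2990 -> 10.10.25.11:80 SYN_SENT:CLOSED
tcp 10.10.25.11:22 <- 203.0.113.117:22 <- 198.51.100.234:3011 ESTABLISHED:ESTABLISHED
tcp 198.51.100.234:3011 -> 10.10.25.11:22 ESTABLISHED:ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<hops>\S+(?:\s+(?:<-|->)\s+\S+)+)\s+"
    r"(?P<a>[A-Z0-9_]+):(?P<b>[A-Z0-9_]+)$"
)

def parse_state(line):
    """Split one state line into protocol, endpoints, direction, state pair."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = re.split(r"\s+(<-|->)\s+", m["hops"])
    return {"proto": m["proto"], "endpoints": parts[0::2],
            "arrow": parts[1], "states": {m["a"], m["b"]}}

def in_lan(endpoint, lan):
    """True if the host part of 'ip:port' lies inside the LAN network."""
    try:
        return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]) in lan
    except ValueError:
        return False

def unanswered_backends(text, lan_cidr="10.10.0.0/19"):
    """Map each LAN server to the outside clients whose SYN got no reply."""
    lan = ipaddress.ip_network(lan_cidr)
    result = {}
    for line in text.splitlines():
        st = parse_state(line)
        if not st or st["proto"] != "tcp" or st["states"] != {"SYN_SENT", "CLOSED"}:
            continue
        eps = st["endpoints"]
        # Assumed layout, as in the thread: the client is the last hop on
        # "<-" lines and the first hop on "->" lines.
        client = eps[-1] if st["arrow"] == "<-" else eps[0]
        if in_lan(client, lan):
            continue  # only connections coming from outside the LAN
        for backend in (e for e in eps if in_lan(e, lan)):
            result.setdefault(backend, set()).add(client)
    return {b: sorted(c) for b, c in result.items()}
```

A server listed here received the SYN through the port forward, so the next place to look is the server itself (host firewall, listening socket, default gateway) rather than the NAT rule.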