pfSense used only as router allows only HTTPS



  • Hello community, I installed pfSense for the first time, so there is a newbie here :)
    My goal is to use it as a router (NAT, DHCP, etc.), so basic functions. Everything works perfectly: pfSense can reach the internet via WAN, the LAN interface serves the clients with DHCP, and the clients can reach the internet and obviously the pfSense GUI.

    But I have one issue which is driving me crazy. The clients can't load HTTP pages in the browser, only HTTPS; e.g. https://www.google.com works perfectly, whereas if I try a page without HTTPS like http://www.subnet-calculator.com it simply refuses the connection.

    Both pfSense and the clients can ping the DNS server (8.8.8.8), and they can resolve the HTTP address.

    Could someone help me understand what is happening?
    Thank you,
    Lucas


  • LAYER 8 Global Moderator

    Did you mess with the default LAN rules, which are any/any? pfSense doesn't have anything to do with it being HTTP or HTTPS, just the ports the traffic is on being allowed or not allowed.

    Are you using the proxy package on pfSense, or IPS?

    The only thing that would explain your issue that I can think of, without proxy or IPS being involved, would be that you edited the rules, or added a rule above or on the floating tab that only allows 443 (HTTPS) and not HTTP (80).

    edit: or maybe you're using a browser addon like HTTPS Everywhere that is causing your issue.



  • DAMN! I found the root cause! It wasn't pfSense, but the VMware ESXi firewall on the host where pfSense is running. Sorry for wasting forum space.

    Now I'm fighting with the ESXi firewall, which blocks everything except port 443 (outgoing connections). Disabling it doesn't work, since then I cannot browse at all... But this is not a VMware forum, so I'll search for the solution elsewhere; thank you for the reply anyway.


  • LAYER 8 Global Moderator

    When I was running ESXi, I had just turned off their firewall. I had zero use for having to manage their nonsense when it was behind my firewall on its own segment, etc.

    But that firewall has nothing to do with client VMs, only the vmkernel connection, i.e. ESXi itself. So were you running your stuff on the vmkernel vSwitch port group?



  • OK, let me explain better. I have a dedicated server (with ESXi 6.5) with only 1 public IP and only 1 ethernet adapter. So, as described here: https://trackit.io/installation-of-a-pfsense-server-on-esxi-with-a-dedicated-ip/ I have to use the VM Network IP and its MAC as the pfSense WAN, then I created a vSwitch for the LAN (clients).

    Clients can connect to the internet without problem, but only using port 443 (HTTPS); the other ports are blocked. That's because, I guess, requests pass through the ESXi firewall.

    Disabling the ESXi firewall with

    esxcli network firewall set --enabled false

    or setting the default rule to PASS:

    esxcli network firewall set --default-action=1

    breaks the clients' connection entirely (even for HTTPS).
    I'm really going crazy! :(
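
    An added example, not from the thread: the thread turns on whether the ESXi host firewall permits outbound TCP to a given port, so this POSIX shell script audits the host firewall rulesets for exactly that before anyone disables the whole firewall. The two tables inside it are constructed to mirror the column layout of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset rule list`; the ruleset name `httpsOutOnly` is hypothetical and exists only to reproduce the "443 works, 80 does not" symptom. As the moderator notes above, the host firewall only filters vmkernel traffic, never VM port-group traffic, so this check is meaningful only for something sitting on the vmkernel.

```shell
#!/bin/sh
# Added example (not from the forum thread). Audits which ESXi host-firewall
# rulesets allow OUTBOUND TCP to a port. The host firewall filters vmkernel
# traffic only, not VM port groups.
#
# The tables below are CONSTRUCTED to match the column layout of
#   esxcli network firewall ruleset list
#   esxcli network firewall ruleset rule list
# On a real host, replace the two functions with those live commands.
# "httpsOutOnly" is a hypothetical ruleset name used to reproduce the
# symptom from the thread: only 443 allowed outbound.

ruleset_list() {
cat <<'EOF'
Name           Enabled
-------------  -------
sshServer      true
httpClient     false
httpsOutOnly   true
dns            true
EOF
}

rule_list() {
cat <<'EOF'
Ruleset        Direction  Protocol  Port Type  Port Begin  Port End
-------------  ---------  --------  ---------  ----------  --------
sshServer      Inbound    TCP       Dst                22        22
httpClient     Outbound   TCP       Dst                80        80
httpClient     Outbound   TCP       Dst               443       443
httpsOutOnly   Outbound   TCP       Dst               443       443
dns            Outbound   UDP       Dst                53        53
EOF
}

# Print the names of ENABLED rulesets whose outbound TCP port range covers $1.
# Both tables have a header row and a dashed divider, hence NR>2.
outbound_tcp_rulesets() {
    port="$1"
    enabled=$(ruleset_list | awk 'NR>2 && $2=="true" {print $1}')
    rule_list | awk -v port="$port" -v enabled="$enabled" '
        BEGIN {
            n = split(enabled, e, "\n")
            for (i = 1; i <= n; i++) on[e[i]] = 1
        }
        NR>2 && $2=="Outbound" && $3=="TCP" &&
        $5+0 <= port+0 && port+0 <= $6+0 && ($1 in on) { print $1 }
    ' | sort -u
}

# Exit 0 when at least one enabled ruleset lets the host reach TCP port $1
# outbound, 1 otherwise.
host_can_reach_tcp() {
    [ -n "$(outbound_tcp_rulesets "$1")" ]
}

# Stand-alone usage: report the two ports from the thread.
for p in 80 443; do
    if host_can_reach_tcp "$p"; then
        echo "outbound TCP/$p allowed by: $(outbound_tcp_rulesets "$p" | tr '\n' ' ')"
    else
        echo "outbound TCP/$p blocked: no enabled outbound ruleset covers it"
    fi
done
```

    With the constructed tables this reports TCP/443 as allowed (by the hypothetical `httpsOutOnly` ruleset) and TCP/80 as blocked because the `httpClient` ruleset, which covers 80 and 443 outbound, is disabled. On a real host the narrower fix for the host's own outbound HTTP is to enable that one ruleset, `esxcli network firewall ruleset set --ruleset-id httpClient --enabled true`, rather than switching the entire host firewall off.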


  • LAYER 8 Global Moderator

    So you're running your VMs using the vmkernel connection... Yeah, that is a borked setup. Your vmkernel should not be available on the public IP. If it is, it damn straight should be behind a firewall and locked down to who can talk to it, etc.

    If it's located in some DC, you should manage the ESXi host via its vmkernel on a different IP. You VPN in to the DC and hit the vmkernel RFC1918 address to manage and configure your host.

    From that doc, it has you creating another port group that is on the same vSwitch as the vmkernel. Did you do that step? Once you're off the vmkernel port group you're not going to be behind the vmkernel firewall.



  • Sure, I created a port group, and I double (and double) checked the configuration.
    Honestly I'm stuck now and I don't know how to go forward. I think using VMkernel is the only option I have.

    I tested the same configuration at "home" and I got the same behaviour, but if I assign another IP (obviously at home I have no IP limitation), everything works perfectly. Am I still using VMkernel? I think yes, because I still have one ethernet port.


  • LAYER 8 Global Moderator

    Here is the thing: you have a physical NIC. It is tied to a vSwitch. The vSwitch can have multiple port groups on it. There is the port group that is the vmkernel, and then there is another port group. It's like a VLAN switch and putting different ports in different VLANs. If you're on the vmkernel port group, then you would be behind the ESXi firewall. Your IP needs to be in the other port group.

    I would have to fire up ESXi; I moved away from it about a year ago or so. But I have never tried doing such a setup where the server is remote in some DC with only 1 NIC and managed on the vmkernel via a public IP. Off the top of my head that sort of setup is just borked!

    You would for sure get better help on a VMware forum, where you have users running ESXi at some DC.



  • First of all, thank you for your time. I tried on the VMware forum without success; maybe people are on holiday :)

    If I may, I would like to recap what you wrote, which for sure makes sense.
    What I understand is that right now the pfSense WAN interface is under VMkernel (default port group: VM Network) and under its firewall. So I created a new port group named WAN and connected it to the physical adapter, then moved the pfSense WAN interface onto it.

    The topology now shows that the WAN port group is connected to the physical adapter (the only one I have).

    On the vSwitches side I left things untouched, i.e. vSwitch0 (default) and vSwitch LAN.

    But it still doesn't work; maybe I'm still missing some config, or maybe I have to add/modify the VMkernel NICs section... I'm lost...

