Netgate Discussion Forum

    PFSense used only as router allow only https

    Category: NAT
    9 Posts 2 Posters 1.2k Views
    • Lucas Rey
      last edited by Lucas Rey

      Hello community, I installed PFSense for the first time, so there is a newbie here :)
      My goal is to use it as a router (NAT, DHCP, etc.), so basic functions. Everything works perfectly: PFSense can reach the internet via WAN, the LAN interface serves the clients with DHCP, and the clients can reach the internet and obviously the PFSense GUI.

      But I have one issue which is driving me crazy. The clients can't read HTTP pages via browser, only HTTPS, e.g. https://www.google.com works perfectly, but if I try a page without HTTPS like http://www.subnet-calculator.com it simply refuses the connection.

      Both PFSense and the clients can ping DNS (8.8.8.8), and they can resolve the HTTP address (screenshot omitted).

      Could someone help me understand what is happening?
      Thank you,
      Lucas

      • johnpoz (LAYER 8 Global Moderator)
        last edited by johnpoz

        Did you mess with the default LAN rules, which are any any? pfSense doesn't have anything to do with it being HTTP or HTTPS - just the ports the traffic is on being allowed or not allowed.

        Are you using the proxy package on pfSense, or IPS?

        The only thing that would explain your issue that I can think of, without proxy or IPS being involved, would be that you edited the rules, or added a rule above or on the floating tab that only allows 443 (HTTPS) and not HTTP (80).

        edit: or maybe you're using a browser addon like HTTPS Everywhere that is causing your issue.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Lucas Rey
          last edited by
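        The point johnpoz makes above is that a firewall sees ports, not protocols, so the quickest way to tell "HTTP is broken" apart from "only TCP/443 is allowed out" is a plain TCP connect on each port from a LAN client. The script below is an added example written for this thread, not code from pfSense, Netgate or anyone in the discussion; the host name is an assumption and the `connect` parameter exists only so the classification logic can be exercised without a network.

```python
import socket
from typing import Callable, Dict, Iterable

# Assumed probe target; any host that serves both HTTP and HTTPS will do.
DEFAULT_HOST = "www.example.com"

def tcp_connect_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A refused or timed-out connect (what the thread describes for port 80)
    comes back as False; the socket is closed immediately either way.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_ports(host: str, ports: Iterable[int],
                connect: Callable[[str, int], bool] = tcp_connect_ok) -> Dict[int, bool]:
    """Try each port once and record whether the TCP connect succeeded.

    `connect` is injectable (hypothetical parameter for this example) so the
    logic can be checked against constructed results without touching the network.
    """
    return {port: connect(host, port) for port in ports}

def classify(results: Dict[int, bool]) -> str:
    """Reduce a set of port results to the cases that matter when troubleshooting.

    OPEN        - every probed port connects: no port filter in the path.
    BLOCKED     - nothing connects: a routing/NAT/DNS problem, not a per-port rule.
    HTTPS_ONLY  - only 443 connects: something in the path (LAN/floating rules,
                  a proxy/IPS, or an upstream device such as a hypervisor
                  firewall) is allowing 443 and dropping the rest.
    MIXED       - some other combination; inspect the individual ports.
    """
    if not results:
        raise ValueError("no ports were probed")
    values = list(results.values())
    if all(values):
        return "OPEN"
    if not any(values):
        return "BLOCKED"
    others_open = any(ok for port, ok in results.items() if port != 443)
    if results.get(443) and not others_open:
        return "HTTPS_ONLY"
    return "MIXED"

def diagnose(host: str = DEFAULT_HOST, ports: Iterable[int] = (80, 443),
             connect: Callable[[str, int], bool] = tcp_connect_ok) -> str:
    """Probe the given ports on host and return the classification label."""
    return classify(probe_ports(host, list(ports), connect=connect))

if __name__ == "__main__":
    # Run from a LAN client behind pfSense; a result of HTTPS_ONLY points at a
    # port-based filter somewhere between the client and the internet.
    results = probe_ports(DEFAULT_HOST, [80, 443])
    for port, ok in results.items():
        print(f"tcp/{port}: {'connected' if ok else 'refused/timeout'}")
    print("verdict:", classify(results))
```

        Run it from a client on the LAN rather than from pfSense itself: the thread shows that pfSense and the clients can sit on different port groups, and the verdict is only meaningful for the path the clients actually use.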

          DAMN! I found the root cause! It wasn't PFSense, but the VMware ESXi firewall where PFSense is hosted. Sorry for wasting forum space.

          Now I'm fighting with the ESXi firewall, which blocks everything except port 443 (outgoing connections). Disabling it doesn't work, since I cannot navigate at all... But this is not a VMware forum, so I'll search for the solution elsewhere; thank you for the reply anyway.

          • johnpoz (LAYER 8 Global Moderator)
            last edited by

            When I was running ESXi, I had just turned off their firewall.. I had zero use for having to manage their nonsense when it was behind my firewall on its own segment, etc.

            But the firewall has nothing to do with client VMs.. only the vmkern connection - i.e. ESXi itself.. So were you running your stuff on the vmkern vSwitch port group?

            • Lucas Rey
              last edited by

              Ok, let me explain better. I have a dedicated server (with ESXi 6.5) with only 1 public IP and only 1 ethernet adapter. So, as described here: https://trackit.io/installation-of-a-pfsense-server-on-esxi-with-a-dedicated-ip/ I have to use the VM Network IP and its MAC as the PFSense WAN, then I created a vSwitch for LAN (clients).

              Clients can connect to the internet without problems but only using port 443 (HTTPS); the other ports are blocked. That's because, I guess, requests pass through the ESXi firewall.

              Disabling the ESXi firewall with

              esxcli network firewall set --enabled false

              or setting the default rule to PASS:

              esxcli network firewall set --default-action=1

              will break the clients' connection entirely (even for HTTPS).
              I'm really going crazy! :(

              • johnpoz (LAYER 8 Global Moderator)
                last edited by

                So you're running your VMs using the vmkern connection... Yeah, that is a borked setup.. Your vmkern should not be available on the public IP.. If it is, it damn straight should be behind a firewall and locked down to who can talk to it, etc.

                If it's located in some DC, you should manage the ESXi host via its vmkern on a different IP.. You VPN in to the DC, and hit the vmkern RFC1918 address, to manage and configure your host..

                From that doc - it has you creating another port group that is on the same vSwitch as the vmkern.. Did you do that step... Once you're off the vmkern port group you're not going to be behind the vmkern firewall.

                • Lucas Rey
                  last edited by

                  Sure, I created a port group, and I double (and double) checked the configurations.
                  Honestly, I'm stuck now and I don't know how to go forward. I think using VMKernel is the only option I have.

                  I tested the same configuration at "home" and I got the same behaviour, but if I assign another IP (obviously at home I have no IP limitation), everything works perfectly. Am I still using VMKernel? I think yes, because I still have one ethernet port.

                  • johnpoz (LAYER 8 Global Moderator)
                    last edited by johnpoz

                    Here is the thing: you have a physical NIC. It is tied to a vSwitch. The vSwitch can have multiple port groups on it. There is the port group that is the vmkern and then there is another port group. It's like a VLAN switch and putting different ports in different VLANs. If you're on the vmkern port group then you would be behind the ESXi firewall. Your IP needs to be in the other port group.

                    I would have to fire up ESXi, I moved away from it about a year ago or so.. But I have never tried doing such a setup where the server is remote in some DC with only 1 NIC and managed on vmkern via a public IP.. Off the top of my head that sort of setup is just borked!

                    You for sure would get better help on a VMware forum - where you have users running ESXi at some DC..

                    • Lucas Rey
                      last edited by

                      First of all, thank you for your time. I tried on the VMware Forum without success, maybe people are on holiday :)

                      If I can, I would like to recap what you wrote, which for sure makes sense.
                      What I understand is that now the PFSense WAN interface is under VMKernel (default Port Group: VM Network) and under its firewall. So I created a new Port Group named WAN and connected it to the Physical adapters, then moved the PFSense WAN interface onto it (screenshot omitted).

                      The topology now shows that the WAN Port Group is connected to the Physical adapter (the only one I have) (screenshot omitted).

                      On the vSwitches side I left everything untouched, i.e. vSwitch0 (default) and vSwitch LAN (screenshots omitted).

                      But it still doesn't work, maybe I still miss some config, or maybe I have to add/modify the VMKernel NICs section (screenshot omitted)... I'm lost....
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.