Netgate Discussion Forum

    Port forwarding port 80 to port 8080

    • Havok

      Hello all

      Before I reinstalled and started using pfsense, I had port forwarding on IIS 8 port 80 to port 8080

      So this is pretty much what I have:
      From the WAN to IP address 192.168.50.10 to IIS 8 port 80
      Through IIS 8 then it forwards to port 8080 on 192.168.50.20 running IIS port 8080. Now before pfsense it was a snap and working well. I have tried almost every setting to try and get this to work.

      Oh forgot to state 192.168.50.20 is a VM on VMware and in VMware I have port forwarding set from port 8080 to client 8080.

      Any help may cut my hours shorter on trying to figure this out.

      • kiokoman LAYER 8

        pfSense can NAT from WAN to 192.168.50.10 port 80 but it's IIS 8's responsibility to eventually forward to 192.168.50.20
        wan -> pfsense -> 192.168.50.10:80 -> 192.168.50.20:8080

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • stephenw10 Netgate Administrator

          Can you not just NAT to 192.168.50.20 port 8080 directly though? Why are you going through 192.168.50.10?

          Steve

          • Havok

            Hello

            Yes I sure can, but for someone to use the domain name without :8080 is what I'm looking for. If I put it on a plain network without pfsense it works like it is supposed to: Windows 2016 IIS 10 IP 192.168.50.10 to Windows 7 IIS 7.5 IP 192.168.50.20. So whatever I'm missing in pfsense is the trouble.

            As for going through 192.168.50.10, I am running 10 other PHP & ASPX sites on it.

            Thanks

            • stephenw10 Netgate Administrator

              I think what you're saying is that the first IIS instance redirects to the second one based on the host-header/url in the request?

              If you do that the replies from the second server back to the client will go directly and will get blocked by the firewall because they don't match the firewall states on the incoming traffic.
              Do you see blocked TCP traffic from 192.168.50.20 in the firewall log?

              https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

              You could apply that workaround or you could use a reverse proxy on the firewall to forward traffic to the correct server based on the host-header. That would be the HAProxy or reverse Squid packages.

              Steve

              • Havok

                Hello Steve

                I tried but I guess I'll have to have someone teamview into my server. General config has been pretty easy right off the bat, but now you're talking PRO talk and it may be or is over my head so far.

                I'll keep at it in the hopes I get lucky but.

                Thank you

                Greg

                • stephenw10 Netgate Administrator

                  I mean in your previous setup you could go to a URL that resolved to your IP and hit the first webserver. But you could also go to a different URL that also resolved to your IP and it would be redirected and hit the second server.

                  Is that what you're trying to do?

                  I may have read far too much into this otherwise. If that's not it please explain exactly what you need to happen.

                  Steve

                  • Havok @stephenw10

                    Hello Steve

                    Yes all my web sites are on IIS 10 but inside IIS I have a redirect for my hobby site. say domain-name.com to www.domain-name.com. Before pfsense it worked very well, but like you stated and I have seen in the browser url it does change to the www. But most likely the hobby IIS 7.5 is not being able to send a packet back.

                    • stephenw10 Netgate Administrator

                      It's either because it redirects the browser to use port 8080 and you don't have a port forward for that. In which case just add a port forward for 8080 to 192.168.50.20.

                      Or it redirects the traffic internally and causes an asymmetric route.

                      Try to connect to the site from a known external IP then check the pfSense firewall logs to see what traffic is being blocked. That will tell you what is happening and we can tell you how to resolve it.

                      The 'correct' way to do this though is using a reverse proxy on pfSense directly. That will give you far more control over what goes where. It's more complex to set up though.

                      Steve

                      • Havok

                        Hello Steve

                        I have a port forward set from wan to 192.168.50.20 and it works fine. But not the redirect 80 to 8080

                        Another question while I'm here, how about vlans how do you do port forward on a virtual vlan? If I could do that then port 80 could be used on both web server being on other IP's.

                        • stephenw10 Netgate Administrator

                          A VLAN is just like any other interface in pfSense. It would have a different subnet. You can port forward to IPs on it.

                          Not sure how that would help here though.

                          A screenshot of the port forwards you have set up would help here.

                          But seeing what traffic is actually blocked when you try to reach the site will tell us everything.

                          Steve

                          • Havok

                            pf.png

                            Morning Steve

                            Here is your screenshot. I've done just about every setting I could do for port forwarding 80 to 8080

                            Thanks

                            • johnpoz LAYER 8 Global Moderator

                              And how OLD is that pfsense???

                              You're forwarding 80 to 58.25 already.. How do you think you can forward it to something else?

                              And your rule to forward 8080 doesn't have a linked firewall rule..

                              But to be honest step 1 should be to get off that clearly EOL version of pfsense.. WTF version is that 2.0? Interface has not looked like that in years and years.

                              edit: Mystic and Wildcat, those are some really old school BBSs ;) Talk about old school and being stuck in the past, hehehe.. While sure it can be fun to provide those.. Doesn't mean your firewall software needs to be OLD as well.. What version of pfsense are you running?

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              • Havok

                                Hello

                                That 8080 to 8080 was just a test to see if in fact it worked and is disabled while testing.

                                As for the version yes old, but I have a newer watch guard box coming next week that supports a hard drive.

                                Version 2.1.2 but next week will be updated to the next to last release. I just wanted to get the port forward nailed down then upgrade to a more up-to-date release.

                                As for bulletin boards, I have been running one or two going back to 1988, once it is in your blood it never goes away.

                                • johnpoz LAYER 8 Global Moderator

                                  About the bbs - yeah that is true... Do you have a lot of users of them? Do you host games of BRE.. I would be up for playing some BRE or Tradewars..

                                  I had fired up a copy a while back to try and get some buddies playing BRE.. But it never came to anything.. So I shut it down..

                                  Your forward to 8080 is prob missing firewall rule on the wan.. You can create port forwards all day long, but if the wan rules do not allow the traffic then not going to work.. So post up your wan rules as well.

                                  • Havok

                                    Hello John

                                    These days winter time is the busy season. unlike before the Internet and 2 modems with 24 to 40 calls a day. But winter time is the bomb.

                                    afterhours-bbs.com:23

                                    theghettobbs.com:2323

                                    Mystic will be switched out to wildcat when ansi work is done.

                                    PS I'll install my newer copy of pfsense today on one of the older dell power edge servers.
                                    Also I did make a new rule and still no go.

                                    Thanks

                                    • johnpoz LAYER 8 Global Moderator

                                      Well just troubleshoot the forward for 8080..
                                      https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

                                      If I understand your setup correctly you have some client from wan side hitting

                                      http://host.domain.tld
                                      This would be port 80, which gets forwarded to 192.168.58.25
                                      On this webserver you are sending a meta redirect I would assume telling the client to go to http://host.domain.tld:8080 or maybe it says go to http://otherhost.otherdomain.tld:8080 - doesn't really matter as long as, if sending to a different fqdn, that fqdn also resolves to pfsense wan IP for the client trying to access.
                                      So pfsense would see traffic to its wan on 8080 and forward that to 192.168.58.50

                                      So validate that the traffic is actually hitting pfsense wan on 8080, simple sniff on wan will show this.
                                      If pfsense sees traffic on 8080 it will send it to 58.50 - so sniff on lan side when doing this, do you see it send the traffic? Does the service on 58.50 respond? Does it see the traffic that pfsense sent? Sniff on the 58.50 box, etc.

                                      As already mentioned above, a much better way to do this would be just reverse proxy.. So depending on the host headers you can send to whatever backend you want, on whatever port you want.

                                      But to do that you would need a current version of pfsense ;) I don't even recall 2.1 even had that ability. 2.1.2 - that came out in early 2014, 5.5 years ago.. Dude!!! WTF? ;)

                                      • stephenw10 Netgate Administrator

                                        Yup. Upgrade. 😉

                                        You will see that port 8080 traffic blocked in the firewall log though as I suggested some time ago. That will confirm the issue. Or just add the rule and retest.

                                        Steve
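
Added example (not part of any post in this thread, and not pfSense code): a simplified Python model of a stateful NAT firewall that walks through the three failure modes raised above, namely a reply that bypasses the state table (asymmetric route), a redirect to :8080 with no port forward, and a port forward with no WAN rule. The `Firewall` class, the WAN address and the client address are constructed for illustration; the internal addresses are the ones from the first post.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.1"  # constructed (documentation range), not from the thread

@dataclass
class Firewall:
    forwards: dict = field(default_factory=dict)   # WAN port -> (host, port)
    wan_allow: set = field(default_factory=set)    # targets passed by WAN rules
    states: dict = field(default_factory=dict)     # (client, cport, host, port) -> WAN port

    def add_forward(self, wan_port, host, port, linked_rule=True):
        self.forwards[wan_port] = (host, port)
        if linked_rule:  # models the linked firewall rule on WAN
            self.wan_allow.add((host, port))

    def inbound(self, client, cport, wan_port):
        """Packet arriving on WAN: NAT lookup, WAN rule check, then state creation."""
        target = self.forwards.get(wan_port)
        if target is None:
            return "block: no port forward for WAN port %d" % wan_port
        if target not in self.wan_allow:
            return "block: no WAN rule passes traffic to %s:%d" % target
        self.states[(client, cport) + target] = wan_port
        return "pass: forwarded to %s:%d" % target

    def outbound(self, host, port, client, cport):
        """Reply from a LAN server: passes only if it matches an existing state."""
        wan_port = self.states.get((client, cport, host, port))
        if wan_port is None:
            return "block: no state for reply from %s:%d" % (host, port)
        return "pass: reply leaves as %s:%d" % (WAN_IP, wan_port)

def walk_through():
    fw, c1, c2 = Firewall(), ("198.51.100.7", 40000), ("198.51.100.7", 40001)
    fw.add_forward(80, "192.168.50.10", 80)
    results = [
        fw.inbound(*c1, 80),                      # creates state to .10:80
        fw.outbound("192.168.50.10", 80, *c1),    # symmetric reply
        fw.outbound("192.168.50.20", 8080, *c1),  # .20 answers the client directly
        fw.inbound(*c2, 8080),                    # browser redirected to :8080
    ]
    fw.add_forward(8080, "192.168.50.20", 8080, linked_rule=False)
    results.append(fw.inbound(*c2, 8080))         # forward exists, WAN rule missing
    fw.add_forward(8080, "192.168.50.20", 8080)   # forward plus linked WAN rule
    results.append(fw.inbound(*c2, 8080))
    results.append(fw.outbound("192.168.50.20", 8080, *c2))
    return results

if __name__ == "__main__":
    for line in walk_through():
        print(line)
```

Each block result in the output corresponds to an entry you would look for in the firewall log or a missing packet in a capture on the WAN or LAN side.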
