Port forwarding port 80 to port 8080



  • Hello all

    Before I reinstalled and started using pfsense, I had port forwarding on IIS 8 port 80 to port 8080

    So this is pretty much what I have:
    From the WAN to IP address 192.168.50.10 to IIS 8 port 80
    Through IIS 8 it then forwards to port 8080 on 192.168.50.20 running IIS port 8080. Now before pfSense it was a snap and working well. I have tried almost every setting to try and get this to work.

    Oh, forgot to state 192.168.50.20 is a VM on VMware and in VMware I have port forwarding set from port 8080 to client 8080.

    Any help may cut my hours shorter on trying to figure this out.



  • pfsense can nat from wan to 192.168.50.10 port 80 but it's IIS 8 responsibility to eventually forward to 192.168.50.20
    wan -> pfsense -> 192.168.50.10:80 -> 192.168.50.20:8080


  • Netgate Administrator

    Can you not just NAT to 192.168.50.20 port 8080 directly though? Why are you going through 192.168.50.10?

    Steve



  • Hello

    Yes I sure can, but what I'm looking for is for someone to use the domain name without :8080. If I put it on a plain network without pfSense it works like it is supposed to: Windows 2016 IIS 10 IP 192.168.50.10 to Windows 7 IIS 7.5 IP 192.168.50.20. So whatever I'm missing in pfSense is the trouble.

    As for going through 192.168.50.10, I am running 10 other PHP & ASPX sites on it.

    Thanks


  • Netgate Administrator

    I think what you're saying is that the first IIS instance redirects to the second one based on the host-header/url in the request?

    If you do that the replies from the second server back to the client will go directly and will get blocked by the firewall because they don't match the firewall states on the incoming traffic.
    Do you see blocked TCP traffic from 192.168.50.20 in the firewall log?

    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    You could apply that workaround or you could use a reverse proxy on the firewall to forward traffic to the correct server based on the host-header. That would be the HAProxy or reverse Squid packages.

    Steve



  • Hello Steve

    I tried but I guess I'm going to have to have someone TeamViewer into my server. General config has been pretty easy right off the bat, but now you're talking PRO talk and it may be or is over my head so far.

    I'll keep at it in the hopes I get lucky but.

    Thank you

    Greg


  • Netgate Administrator

    I mean in your previous setup you could go to a URL that resolved to your IP and hit the first webserver. But you could also go to a different URL that also resolved to your IP and it would be redirected and hit the second server.

    Is that what you're trying to do?

    I may have read far too much into this otherwise. If that's not it please explain exactly what you need to happen.

    Steve



  • Hello Steve

    Yes, all my web sites are on IIS 10, but inside IIS I have a redirect for my hobby site, say domain-name.com to www.domain-name.com. Before pfSense it worked very well, but like you stated, and I have seen in the browser URL, it does change to the www. But most likely the hobby IIS 7.5 is not able to send a packet back.


  • Netgate Administrator

    It's either because it redirects the browser to use port 8080 and you don't have a port forward for that. In which case just add a port forward for 8080 to 192.168.50.20.

    Or it redirects the traffic internally and causes an asymmetric route.

    Try to connect to the site from a known external IP, then check the pfSense firewall logs to see what traffic is being blocked. That will tell you what is happening and we can tell you how to resolve it.

    The 'correct' way to do this though is using a reverse proxy on pfSense directly. That will give you far more control over what goes where. It's more complex to set up though.

    Steve



  • Hello Steve

    I have a port forward set from WAN to 192.168.50.20 and it works fine. But not the redirect 80 to 8080.

    Another question while I'm here: how about VLANs? How do you do a port forward on a virtual VLAN? If I could do that then port 80 could be used on both web servers, being on other IPs.


  • Netgate Administrator

    A VLAN is just like any other interface in pfSense. It would have a different subnet. You can port forward to IPs on it.

    Not sure how that would help here though.

    A screenshot of the port forwards you have setup would help here.

    But seeing what traffic is actually blocked when you try to reach the site will tell us everything.

    Steve



  • pf.png

    Morning Steve

    Here is your screenshot. I've done just about every setting I could do for port forwarding 80 to 8080.

    Thanks


  • LAYER 8 Global Moderator

    And how OLD is that pfsense???

    You're forwarding 80 to 58.25 already.. How do you think you can forward it to something else?

    And your rule to forward 8080 doesn't have a linked firewall rule..

    But to be honest step 1 should be to get off that clearly EOL version of pfSense.. WTF version is that, 2.0? The interface has not looked like that in years and years.

    edit: Mystic and Wildcat, those are some really old school BBSs ;) Talk about old school and being stuck in the past, hehehe.. While sure it can be fun to provide those.. Doesn't mean your firewall software needs to be OLD as well.. What version of pfsense are you running?



  • Hello

    That 8080 to 8080 was just a test to see if in fact it worked and is disabled while testing.

    As for the version yes old, but I have a newer watch guard box coming next week that supports a hard drive.

    Version 2.1.2, but next week it will be updated to the next-to-last release. I just wanted to get the port forward nailed down, then upgrade to a more up-to-date release.

    As for bulletin boards, I have been running one or two going back to 1988; once it is in your blood it never goes away.


  • LAYER 8 Global Moderator

    About the bbs - yeah that is true... Do you have a lot of users of them? Do you host games of BRE.. I would be up for playing some BRE or Tradewars..

    I had fired up a copy a while back to try and get some buddies playing BRE.. But it never came to anything.. So I shut it down..

    Your forward to 8080 is prob missing a firewall rule on the WAN.. You can create port forwards all day long, but if the WAN rules do not allow the traffic then it's not going to work.. So post up your WAN rules as well.



  • Hello John

    These days winter time is the busy season. unlike before the Internet and 2 modems with 24 to 40 calls a day. But winter time is the bomb.

    afterhours-bbs.com:23

    theghettobbs.com:2323

    Mystic will be switched out to Wildcat when the ANSI work is done.

    PS I'll install my newer copy of pfsense today on one of the older dell power edge servers.
    Also I did make a new rule and still no go.

    Thanks


  • LAYER 8 Global Moderator

    Well just troubleshoot the forward for 8080..
    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    If I understand your setup correctly you have some client from the WAN side hitting

    http://host.domain.tld
    This would be port 80, which gets forwarded to 192.168.58.25
    On this webserver you're sending a meta redirect, I would assume, telling the client to go to http://host.domain.tld:8080 or maybe it says go to http://otherhost.otherdomain.tld:8080 - doesn't really matter; as long as it's sending to a different FQDN, that FQDN also has to resolve to the pfSense WAN IP for the client trying to access.
    So pfSense would see traffic to its WAN on 8080 and forward that to 192.168.58.50

    So validate that the traffic is actually hitting the pfSense WAN on 8080; a simple sniff on WAN will show this.
    If pfSense sees traffic on 8080 it will send it to 58.50 - so sniff on the LAN side when doing this: do you see it send the traffic? Does the service on 58.50 respond? Does it see the traffic that pfSense sent? Sniff on the 58.50 box, etc.

    As already mentioned above, a much better way to do this would be just reverse proxy.. So depending on the host headers you can send to whatever backend you want, on whatever port you want.

    But to do that you would need a current version of pfsense ;) I don't even recall 2.1 even had that ability. 2.1.2 - that came out in early 2014, 5.5 years ago.. Dude!!! WTF? ;)


  • Netgate Administrator

    Yup. Upgrade. 😉

    You will see that port 8080 traffic blocked in the firewall log though, as I suggested some time ago. That will confirm the issue. Or just add the rule and retest.

    Steve

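The diagnosis the last two replies describe, written out as a small added check (not code from the thread or from pfSense): read the port the first IIS instance's redirect sends the browser to, then confirm that port has both a port forward and a WAN pass rule, and look for that port in blocked inbound entries of the firewall log. The redirect response and log lines are constructed samples; the log lines use the CSV filterlog format of current pfSense releases (2.1.x on the page logs differently) and the interface name em0 is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed redirect as the first IIS instance (192.168.50.10) would send it;
# the hobby host name is a placeholder, not one from the thread.
REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://www.hobby-site.example:8080/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Port forwards as configured: WAN port -> (internal host, port). Only 80 is
# forwarded here, which is the thread's situation before an 8080 rule exists.
PORT_FORWARDS = {80: ("192.168.50.10", 80)}
# WAN rules that pass traffic to a forwarded port (a forward without one is useless).
WAN_PASS_PORTS = {80}

# Constructed filterlog lines. Fields after "filterlog: " are
# rule,sub,anchor,tracker,if,reason,action,dir,ipver,tos,ecn,ttl,id,off,flags,
# proto-id,proto,len,src,dst,sport,dport,...  (IPv4 layout).
FILTERLOG = """\
Sep 10 10:21:05 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,4321,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,8080,0,S,1:1,,
Sep 10 10:21:05 pfSense filterlog: 80,,,1560000001,em0,match,pass,in,4,0x0,,52,4322,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51235,80,0,S,1:1,,
"""

def redirect_target_port(raw_response):
    """TCP port the client will connect to next, taken from the Location header."""
    m = re.search(r"^Location:\s*(\S+)", raw_response, re.M | re.I)
    if not m:
        return None
    url = urlsplit(m.group(1))
    return url.port or (443 if url.scheme == "https" else 80)

def blocked_wan_ports(log_text, wan_if="em0"):
    """Destination ports of inbound IPv4 TCP connections pf blocked on the WAN."""
    ports = set()
    for line in log_text.splitlines():
        if "filterlog: " not in line:
            continue
        f = line.split("filterlog: ", 1)[1].split(",")
        if f[4] == wan_if and f[6] == "block" and f[7] == "in" and f[8] == "4" and f[16] == "tcp":
            ports.add(int(f[21]))
    return ports

def diagnose(raw_response, forwards, wan_pass, log_text):
    """Return (redirect port, list of reasons the redirected request cannot work)."""
    port = redirect_target_port(raw_response)
    problems = []
    if port not in forwards:
        problems.append("no port forward for WAN port %s" % port)
    if port not in wan_pass:
        problems.append("no WAN firewall rule passing port %s" % port)
    if port in blocked_wan_ports(log_text):
        problems.append("firewall log shows blocked inbound traffic to port %s" % port)
    return port, problems
```

With the sample data all three findings fire; adding an 8080 forward to 192.168.50.20 plus its WAN rule is what clears them.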
