Netgate Discussion Forum
Can't get access from outside to webpage

General pfSense Questions
Tags: haproxy, acme, firewall rules
pooperman @stephenw10
last edited by Apr 26, 2020, 2:38 PM

    @stephenw10

ISP router just has port forwards on 80 and 443 to 192.168.1.120 (WAN of pfSense). Nothing else is configured there.
Anyhow, also tried with phone over cell network (VPN deactivated ;-) ), same result.

I still think that something in the pfSense settings is not correct.

Below the NAT table (screenshot).

Looks good to me, nothing there should interrupt the traffic related to my issue.

stephenw10 Netgate Administrator
last edited by Apr 26, 2020, 2:42 PM

Ok, it looks like the firewall rules on WAN allowing access to HAProxy are disabled. Is that still the case?

If so, enable them and enable logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log.

      Steve

pooperman @stephenw10
last edited by Apr 26, 2020, 2:45 PM

@stephenw10 said in Can't get access from outside to webpage:

    Ok, it looks like the firewall rules on WAN allowing access to HAProxy are disabled. Is that still the case?

    If so, enable them and enable logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log.

    Steve

When I took the screenshot I moved back to have the initial state. During testing, rules were on and OpenVPN off.

Give me a few minutes, will set it up and show the log files.

pooperman @stephenw10
last edited by Apr 26, 2020, 3:01 PM

          @stephenw10

Rules are enabled (screenshot).

That is the page from LAN view (screenshot).

That is the log (screenshot).

I know there is a different view for logs, which can be copied, but I can't find it.

stephenw10 Netgate Administrator
last edited by Apr 26, 2020, 3:28 PM

If you enable logging on those pass rules then traffic that is matched and passed will be shown in the firewall log.

However, you can see from the state counters there that nothing had been passed by them when that screenshot was taken.

It looks like no traffic is arriving on the WAN for ports 80 or 443. Check the ISP router is actually passing it.

            Steve

pooperman @stephenw10
last edited by Apr 26, 2020, 3:40 PM

              @stephenw10
I am very sure it is not related to the ISP router, as port 443 for OpenVPN never had any issues.

However, I put it into DMZ mode, so there is absolutely nothing that might block it.

Still no success.

pooperman @stephenw10
last edited by Apr 26, 2020, 4:03 PM

                @stephenw10
When I use anschreikurse.duckdns.org from the phone I get a warning that the certificate is untrusted. I checked the cert and it is the root CA from pfSense.

If I click "yes, continue unsafe", it shows me the login page of pfSense.

So that shows me the ISP router is working fine and DNS resolution is also working.

stephenw10 Netgate Administrator
last edited by Apr 26, 2020, 4:24 PM

I assume that screenshot was taken before you had tested that then, as there are no connections shown.

Ok, you will need to change the port the pfSense GUI is listening on in Sys > Adv > Admin Access. You cannot have nginx and HAProxy both listening on 443.
HAProxy will have logged that. It would have failed to start the frontend on 443.

                  Steve

pooperman @stephenw10
last edited by Apr 26, 2020, 4:31 PM
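The clash Steve describes (the GUI's nginx still holding TCP 443, so the HAProxy frontend cannot bind) can be checked before enabling the frontend. This is an added example, not code from the thread or from pfSense; the two listings are constructed in the layout of `sockstat -4l` on FreeBSD, and port 8443 for the moved GUI is an assumed value.

```shell
#!/bin/sh
# Constructed listing (not real output) in `sockstat -4l` layout:
# before the fix, the GUI (nginx) holds 80 and 443 and HAProxy is not up.
BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:443                 *:*
root     nginx      1234  7  tcp4   *:80                  *:*
root     sshd       901   4  tcp4   *:22                  *:*
root     openvpn    1500  6  udp4   *:1194                *:*'

# After moving the GUI to an assumed port 8443 (System > Advanced > Admin Access):
# HAProxy owns 80 and 443.
AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:8443                *:*
root     haproxy    5678  5  tcp4   *:443                 *:*
root     haproxy    5678  6  tcp4   *:80                  *:*
root     sshd       901   4  tcp4   *:22                  *:*'

# listeners_on_port LISTING PORT
# Prints the program names bound to TCP PORT (space separated, each once), or nothing.
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR == 1 || $5 !~ /^tcp/ { next }      # skip the header and non-TCP sockets
        {
            n = split($6, a, ":")             # LOCAL ADDRESS is host:port or *:port
            if (a[n] == port && !seen[$2]++) out = out (out ? " " : "") $2
        }
        END { if (out != "") print out }'
}

# frontend_port_free LISTING PORT WANT
# Returns 0 when PORT is unbound or held only by WANT (the proxy itself),
# 1 when another daemon holds it, which is what makes the frontend fail to start.
frontend_port_free() {
    holders=$(listeners_on_port "$1" "$2")
    for h in $holders; do
        [ "$h" = "$3" ] || { echo "port $2 held by $h, not $3" >&2; return 1; }
    done
    return 0
}

# Stand-alone demo: the first call reports the clash, the second is clean.
frontend_port_free "$BEFORE" 443 haproxy && echo "443 free for haproxy" || echo "443 blocked"
frontend_port_free "$AFTER" 443 haproxy && echo "443 free for haproxy" || echo "443 blocked"
```

On a live box the listing would come from `sockstat -4l` itself rather than the constructed strings.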

                    @stephenw10
Good point!

I haven't seen any notification, but yes, makes sense. So the pfSense login is now on a different port.

I came to the setting "NAT reflection mode for port forwards" under System > Advanced.

It is set to disabled. Is that correct?

stephenw10 Netgate Administrator
last edited by Apr 26, 2020, 4:42 PM

That's the default setting. You do not need NAT reflection here at all; HAProxy proxies the traffic, it does not forward it.

                      Steve

pooperman @stephenw10
last edited by Apr 26, 2020, 5:04 PM

                        @stephenw10

Ok, got it.

Now I get 503 Service Unavailable.

stephenw10 Netgate Administrator
last edited by Apr 26, 2020, 5:04 PM

                          With the correct certificate?

pooperman @stephenw10
last edited by Apr 26, 2020, 5:06 PM

                            @stephenw10

I think so.

(screenshot)
The cert is for anschreikurse.duckdns.org.

The HAProxy frontend is also for anschreikurse.duckdns.org;
the backend is nc.anschreikurse.duckdns.org.

pooperman @pooperman
last edited by Apr 26, 2020, 5:25 PM

                              @pooperman

There is some issue with the SSL handshake (screenshot).
