Netgate Discussion Forum

How to forward port 80 and 443 on pfSense to a (internal) nginx webserver?

General pfSense Questions
8 Posts 2 Posters 6.8k Views
  • C
    CodeNinja
    last edited by CodeNinja Jun 12, 2020, 1:32 PM Jun 12, 2020, 11:45 AM

    Yesterday we did a "big bang" firewall switch in our company. Our new firewall is a pfSense server.
    Let's say our external IP is 84.1.1.1, pfSense is 192.168.1.1 and our web server IP is 192.168.1.2.


    After we made the "big switch", the pfSense interface was responding on https://84.1.1.1. This is not intended, as we want to use https://84.1.1.1 (port 443) for our web server. For this reason I changed the pfSense port from 443 to 444, which "solved" this issue as port 443 is "free" for other services now.

    We won't allow access to the pfSense interface from our external ip at all but that is another problem which is off topic.


    Now I want to forward ports 443 and 80 (and in future some more) to servers in our network. For this I first want to explain how I configured the WAN connection, as I noticed something.

    I tried to ping (with the pfSense ping diagnostic tool) from WAN1 (our WAN) to the web server. This did not work, which means that my port forwarding also can't work at all. I think that pfSense tries to resolve this ping request via its gateway, so I tried to set the gateway of WAN1 to none, and from this moment on I can ping the web server from WAN1 (via the pfSense ping diagnostic tool).

    Question: Do I need to set a gateway on our WAN1? I suppose yes? And if yes, do I need to make some exclusions for the internal network somewhere? Just as extra info, maybe it's required: we have a static IP which directly hangs on pfSense...

    pfSense configuration

    WAN INTERFACE
    	<wan>
    		<if>igb0</if>
    		<descr><![CDATA[WAN1]]></descr>
    		<alias-address></alias-address>
    		<alias-subnet>32</alias-subnet>
    		<spoofmac></spoofmac>
    		<enable></enable>
    		<ipaddr>84.1.1.1</ipaddr>
    		<subnet>30</subnet>
    		<gateway>WAN1GW</gateway>
    	</wan>
    
    GATEWAY
    	<gateways>
    		<defaultgw4>WAN1GW</defaultgw4>
    		<defaultgw6></defaultgw6>
    		<gateway_item>
    			<interface>wan</interface>
    			<gateway>84.1.1.2</gateway>
    			<name>WAN1GW</name>
    			<weight>1</weight>
    			<ipprotocol>inet</ipprotocol>
    			<descr><![CDATA[WAN1 gateway]]></descr>
    		</gateway_item>
    	</gateways>
    	
    OUTBOUND NAT RULES
    	<nat>
    		<outbound>
    			<mode>advanced</mode>
    			<rule>
    				<source>
    					<network>10.128.10.0/24</network>
    				</source>
    				<sourceport></sourceport>
    				<descr><![CDATA[Auto created rule for ISAKMP - AXN_INTRA to WAN1]]></descr>
    				<target></target>
    				<targetip></targetip>
    				<targetip_subnet></targetip_subnet>
    				<interface>wan</interface>
    				<poolopts></poolopts>
    				<source_hash_key></source_hash_key>
    				<staticnatport></staticnatport>
    				<disabled></disabled>
    				<destination>
    					<any></any>
    				</destination>
    				<dstport>500</dstport>
    				<created>
    					<time>1589543460</time>
    					<username><![CDATA[Manual Outbound NAT Switch]]></username>
    				</created>
    				<updated>
    					<time>1591883208</time>
    					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
    				</updated>
    			</rule>
    			<rule>
    				<interface>wan</interface>
    				<source>
    					<network>10.128.11.0/24</network>
    				</source>
    				<dstport>500</dstport>
    				<target></target>
    				<destination>
    					<any></any>
    				</destination>
    				<staticnatport></staticnatport>
    				<descr><![CDATA[Auto created rule for ISAKMP - AXN_SRV to WAN1]]></descr>
    				<created>
    					<time>1589888715</time>
    					<username><![CDATA[Manual Outbound NAT Switch]]></username>
    				</created>
    				<disabled></disabled>
    			</rule>
    			<rule>
    				<source>
    					<network>10.128.20.0/24</network>
    				</source>
    				<sourceport></sourceport>
    				<descr></descr>
    				<target></target>
    				<targetip></targetip>
    				<targetip_subnet></targetip_subnet>
    				<interface>wan</interface>
    				<poolopts></poolopts>
    				<source_hash_key></source_hash_key>
    				<destination>
    					<any></any>
    				</destination>
    				<updated>
    					<time>1590582795</time>
    					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
    				</updated>
    				<created>
    					<time>1590582795</time>
    					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
    				</created>
    			</rule>
    			<rule>
    				<source>
    					<network>10.128.10.0/24</network>
    				</source>
    				<sourceport></sourceport>
    				<descr></descr>
    				<target></target>
    				<targetip></targetip>
    				<targetip_subnet></targetip_subnet>
    				<interface>wan</interface>
    				<poolopts></poolopts>
    				<source_hash_key></source_hash_key>
    				<destination>
    					<any></any>
    				</destination>
    				<updated>
    					<time>1591883222</time>
    					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
    				</updated>
    				<created>
    					<time>1591883222</time>
    					<username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
    				</created>
    			</rule>
    			<rule>
    				<source>
    					<network>10.128.12.0/24</network>
    				</source>
    				<sourceport></sourceport>
    				<descr><![CDATA[Default NAT rule for axn_cloud]]></descr>
    				<target></target>
    				<targetip></targetip>
    				<targetip_subnet></targetip_subnet>
    				<interface>wan</interface>
    				<poolopts></poolopts>
    				<source_hash_key></source_hash_key>
    				<destination>
    					<any></any>
    				</destination>
    				<created>
    					<time>1589896652</time>
    					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
    				</created>
    				<updated>
    					<time>1590140198</time>
    					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
    				</updated>
    			</rule>
    			<rule>
    				<source>
    					<network>10.128.11.0/24</network>
    				</source>
    				<sourceport></sourceport>
    				<descr><![CDATA[Default NAT rule for axn_srv]]></descr>
    				<target></target>
    				<targetip></targetip>
    				<targetip_subnet></targetip_subnet>
    				<interface>wan</interface>
    				<poolopts></poolopts>
    				<source_hash_key></source_hash_key>
    				<destination>
    					<any></any>
    				</destination>
    				<created>
    					<time>1589888715</time>
    					<username><![CDATA[Manual Outbound NAT Switch]]></username>
    				</created>
    				<updated>
    					<time>1590140250</time>
    					<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
    				</updated>
    			</rule>
    		</outbound>
    	</nat>
    

    About the forwarding itself, I configured it like this:

    [image]
    As I set Filter rule association to "Add associated filter rule" during the creation of the port forward, pfSense automatically created the corresponding/required firewall rule on the WAN1 interface.

    [image]

    Question: Do I need any additional configuration to forward ports 443 and 80 besides the configuration I already did? (the port forward and creating the required firewall rules)

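As an added example (not code from the thread or from pfSense itself), here is a small Python audit that reads a config.xml export in the layout shown above and flags the two things this thread turns on: a WAN port forward landing on the webGUI listening port, and a port forward with no associated filter rule to let the traffic in. The element names and the embedded sample config are assumptions modelled on the fragments in the post.

```python
"""Audit port forwards in a pfSense-style config.xml export."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout pfSense uses for config.xml. The element
# names (<nat><rule>, <filter><rule>, <associated-rule-id>, <webgui><port>)
# are assumed, and the values mirror the thread: webGUI moved to 444,
# 443 and 80 forwarded on WAN to the web server 192.168.1.2.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><port>444</port></webgui></system>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.2</target><local-port>443</local-port>
      <associated-rule-id>nat_https</associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.1.2</target><local-port>80</local-port>
    </rule>
  </nat>
  <filter>
    <rule><interface>wan</interface><associated-rule-id>nat_https</associated-rule-id></rule>
  </filter>
</pfsense>"""


def audit_port_forwards(config_xml: str) -> list:
    """Return one finding per port forward that cannot work as intended."""
    root = ET.fromstring(config_xml)
    gui_port = root.findtext("system/webgui/port") or "443"  # pfSense default
    # ids of filter rules pfSense linked to a NAT rule ("Add associated filter rule")
    linked = {r.findtext("associated-rule-id") for r in root.findall("filter/rule")}
    findings = []
    for rule in root.findall("nat/rule"):
        iface = rule.findtext("interface")
        port = rule.findtext("destination/port")
        label = f"{iface}:{port} -> {rule.findtext('target')}:{rule.findtext('local-port') or port}"
        if iface == "wan" and port == gui_port:
            # the situation the thread opened with: GUI and forward compete for the same port
            findings.append(f"{label}: collides with the webGUI port {gui_port}")
        if rule.findtext("associated-rule-id") not in linked:
            # WAN denies everything by default, so a forward without a pass rule is dead
            findings.append(f"{label}: no associated filter rule, inbound traffic is blocked")
    return findings
```

Run it against a real export (Diagnostics > Backup & Restore) by passing the file contents to audit_port_forwards; an empty list means every WAN forward has a pass rule and none overlaps the GUI port.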
    • D
      DaddyGo
      last edited by DaddyGo Jun 12, 2020, 1:36 PM Jun 12, 2020, 1:12 PM

      @CodeNinja said in How to forward port 80 and 443 on pfSense to a (internal) nginx webserver?:

      just one comment and one question at a time:

      Why don't you put the web server in an "internal protected zone" and run a WAF in front of it (https://www.modsecurity.org/)?

      note1: you can put the pfSense port anywhere; it is not advisable to keep it in the lower range (444). Put it in the custom range, 56443, 52443 or anywhere.
      (scanners are lazy, looking only at the lower port ranges, which are trivial)

      note2: you "blackout" things that are not relevant, like

      842deac4-1352-4dc5-8de4-26443f91d92a-image.png

      it remains visible: ☺ ✋

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • C
        CodeNinja @DaddyGo
        last edited by Jun 12, 2020, 1:30 PM

        @DaddyGo

        Why don't you put the web server in an "internal protected zone" and run a WAF in front of it (https://www.modsecurity.org/)?

        This is just an example setup. When this works I will set up a proxy in the DMZ which routes traffic to the correct firewall. Though I will definitely take a look at WAF, I don't know this.

        note1: you can put the pfSense port anywhere; it is not advisable to keep it in the lower range (444). Put it in the custom range, 56443, 52443 or anywhere.

        (scanners are lazy, looking only at the lower port ranges, which are trivial)

        Thanks, I updated the port. I will also disable external access to pfSense in the near future so it's not available from the internet anymore.

        it remains visible:

        Damn, how stupid of me; I changed it. Could you please remove the image from your post as well? Thanks in advance!

        just one comment and one question at a time:

        Do I need to remove this one and post a new one? Or is it fine for this time?

        I figured out that only the port forwards for 443 and 80 are not working, as the OpenVPN port forward works fine!

        • D
          DaddyGo @CodeNinja
          last edited by Jun 12, 2020, 1:38 PM

          @CodeNinja

          the proxy would have been my next suggestion

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • C
            CodeNinja @DaddyGo
            last edited by Jun 12, 2020, 1:40 PM

            @DaddyGo

            the proxy would have been my next suggestion

            OK, thanks, but this has nothing to do with the problem I have, does it?
            I mean, with or without a proxy, it should be possible to forward port 443?

            Only port 443 does not work; our OpenVPN server, for example, uses a port in the 2000 range and that forward works fine, as the clients are connecting without any issue.

            • D
              DaddyGo @CodeNinja
              last edited by Jun 12, 2020, 1:49 PM

              @CodeNinja

              you understand exactly

              if you use an internal web server, why control the ports?
              what does "internal" mean to you? (intranet)

              443 can be said to be a very well known port ☺

              for example, I use a reverse proxy for certain web or other web-based services (IceCast, etc.)

              Cats bury it so they can't see it!
              (You know what I mean if you have a cat)

              • C
                CodeNinja @DaddyGo
                last edited by CodeNinja Jun 12, 2020, 1:53 PM Jun 12, 2020, 1:51 PM

                @DaddyGo
                OK, I understand what you mean. Maybe "internal" should not be there, as the web server should be accessible from the internet. I meant that it's a server in our own network.

                Unfortunately i cannot update my question:
                -> Post content was flagged as spam by Akismet.com

                • D
                  DaddyGo @CodeNinja
                  last edited by DaddyGo Jun 17, 2020, 8:40 AM Jun 12, 2020, 2:02 PM

                  @CodeNinja

                  in this case, DMZ + WAF will be your good friend
                  something like this that I can suggest:

                  • OS: Debian 10.x (Buster) 64bit
                  • Apache Worker, factory package
                  • Mod Security apache module with OWASP rules, factory package
                  • PHP-FPM 7.3, or rather 7.4 if it works with everything, but definitely only 1 version
                  • PHP can only write where we allow it, i.e. it stays on the www-data user
                  • firewall inbound from CF IPs is limited to http and https, just as SSH access is also severely limited (http can likely be disabled completely, CF solves the http -> https redirect)
                  • SSH access is password protected + Cert.
                  • firewall to the outside, by default everything that is needed (external APIs and their counterparts) is enabled separately
                  • hosting-type access via SFTP, SSH, although shell access may be possible

                  CF = CloudFlare (https://www.cloudflare.com/plans/)

                  edit: we have had such web servers for years, nothing is secure, but we try to make it that way

                  Cats bury it so they can't see it!
                  (You know what I mean if you have a cat)
