WAN 443 requests work, internal 443 request time out, why?



  • Not really sure in which section this should go. Anyway ...

    The setup:
    PfSense on four interfaces -
    WAN on Public IP xxx.xxx.xxx.129/26, 255.255.255.192

    ADMIN (LAN) 172.17.105.0/24
    LAN to any rule in place
    DB 172.17.106.0/24
    DB to DMZ (80,443) allow rule

    DMZ 172.17.107.0/24

    Web server is Windows Server 2019 with IIS 10, no rewrite rules on IIS. Redirects are handled in HA Proxy as needed. Private network and public network certs installed on site in DMZ - target.public.net, target.private.local
    Windows Firewall rules of 80,442 apply to all network types (Public, Private, Domain).

    HA Proxy on WAN virtual IP
    DNS forwarding target.public.net -> target.private.local IP

    port 80 and 443 traffic WAN to DMZ through HA Proxy - works (using public URL)

    The following are true regardless of public or private URL

    port 80 traffic from LAN to DMZ (does not go through HA Proxy) - works
    port 443 traffic from LAN to DMZ (does not go through HA Proxy) - no joy - target.private.local took too long to respond

    port 80 traffic from LAN to DMZ (does not go through HA Proxy) - works
    port 443 traffic from LAN to DMZ (does not go through HA Proxy) - no joy - target.private.local took too long to respond

    port 80 traffic from DMZ to DMZ (does not go through HA Proxy) - works
    port 443 traffic from DMZ to DMZ (does not go through HA Proxy) - works

    Summary:
    Traffic from WAN-side traversing HA Proxy works correctly.
    Traffic from private IP networks (LAN and DB) works fine for port 80 and times out for port 443.

    Wireshark on the target server shows traffic from the requesting servers on port 443 (at least there are packets from the client showing up in the Wireshark logs on the server).

    Question: WTF is happening to the 443 requests coming from LAN and DB?
    It makes no sense to me.

    Thanks!
    Paul
