
    WAN 443 requests work, internal 443 request time out, why?

pstine wrote:

      Not really sure in which section this should go. Anyway ...

      The setup:
pfSense on four interfaces:
WAN on public IP xxx.xxx.xxx.129/26, 255.255.255.192

      ADMIN (LAN) 172.17.105.0/24
      LAN to any rule in place
      DB 172.17.106.0/24
      DB to DMZ (80,443) allow rule

      DMZ 172.17.107.0/24

Web server is Windows Server 2019 with IIS 10, no rewrite rules on IIS. Redirects are handled in HAProxy as needed. Private network and public network certs are installed on the site in the DMZ: target.public.net, target.private.local.
Windows Firewall rules for 80,442 apply to all network types (Public, Private, Domain).

HAProxy on WAN virtual IP
DNS forwarding: target.public.net -> target.private.local IP

Port 80 and 443 traffic WAN to DMZ through HAProxy - works (using public URL)

The following are true regardless of public or private URL:

Port 80 traffic from LAN to DMZ (does not go through HAProxy) - works
Port 443 traffic from LAN to DMZ (does not go through HAProxy) - no joy - target.private.local took too long to respond

Port 80 traffic from DMZ to DMZ (does not go through HAProxy) - works
Port 443 traffic from DMZ to DMZ (does not go through HAProxy) - works

      Summary:
Traffic from the WAN side traversing HAProxy works correctly.
      Traffic from private IP networks (LAN and DB) works fine for port 80 and times out for port 443.

Wireshark on the target server shows port 443 traffic from the requesting servers (at least there are packets from the client showing up in the Wireshark capture on the server).

      Question: WTF is happening to the 443 requests coming from LAN and DB?
      It makes no sense to me.

      Thanks!
      Paul

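The post establishes that client packets on 443 reach the server but does not say whether the server ever answers them, or whether that answer makes it back to the LAN/DB client. The following added example (not part of the original post, and not Netgate's, pfSense's or HAProxy's code) is a helper a practitioner would run over the text output of `tcpdump -ni <DMZ interface> tcp port 443` taken on pfSense, and again over a capture taken on the server itself, to classify each client flow by how far the TCP handshake got. The sample capture is constructed for the example: the server address 172.17.107.10 and the client addresses in the 172.17.105.0/24, 172.17.106.0/24 and 172.17.107.0/24 ranges are assumptions chosen to match the subnets in the post, not addresses from it.

```python
import re
from typing import Dict, Iterable, Tuple

# Matches one line of `tcpdump -ni <if> tcp port 443` text output (IPv4 only), e.g.
# 10:00:00.000100 IP 172.17.105.20.51000 > 172.17.107.10.443: Flags [S], seq 1000, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

FlowKey = Tuple[str, int]  # (client IP, client ephemeral port)


def classify_flows(lines: Iterable[str], server_ip: str,
                   server_port: int = 443) -> Dict[FlowKey, Tuple[str, int]]:
    """Decide, per client flow, how far the TCP handshake to server_ip:server_port got.

    Returns {(client_ip, client_port): (verdict, number_of_client_SYNs)} with verdict:
      established - SYN, SYN-ACK and the client's ACK all seen at the capture point
      no-reply    - client SYNs seen, server never answered (host firewall drop, nothing
                    bound on the port, or the drop is downstream of the capture point)
      reply-lost  - server sent SYN-ACK but the client's ACK never came back
                    (return path blocked, or routed around the capture point)
      reset       - one side answered with RST
      partial     - mid-stream capture, handshake not inside the capture window
    """
    flows: Dict[FlowKey, dict] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = m["flags"]

        if dst == server_ip and dport == server_port:
            key, to_server = (src, sport), True
        elif src == server_ip and sport == server_port:
            key, to_server = (dst, dport), False
        else:
            continue  # does not involve the server port we are looking at

        f = flows.setdefault(key, {"syn": 0, "synack": False, "ack": False, "rst": False})
        if "R" in flags:
            f["rst"] = True
        elif to_server and flags == "S":
            f["syn"] += 1  # retransmitted SYNs (~1s, 3s, 7s apart) mean a silent drop
        elif not to_server and "S" in flags and "." in flags:
            f["synack"] = True  # tcpdump prints SYN-ACK as Flags [S.]
        elif to_server and flags == "." and f["synack"] and not f["ack"]:
            f["ack"] = True  # third packet of the handshake

    verdicts: Dict[FlowKey, Tuple[str, int]] = {}
    for key, f in flows.items():
        if f["rst"]:
            v = "reset"
        elif f["ack"]:
            v = "established"
        elif f["synack"]:
            v = "reply-lost"
        elif f["syn"]:
            v = "no-reply"
        else:
            v = "partial"
        verdicts[key] = (v, f["syn"])
    return verdicts


# Constructed sample capture (assumed addresses): a LAN client whose SYNs get no answer,
# a DB client that gets a SYN-ACK but whose ACK never arrives, and a DMZ peer that connects.
SAMPLE_TCPDUMP = """\
10:00:00.000100 IP 172.17.105.20.51000 > 172.17.107.10.443: Flags [S], seq 1000, win 64240, length 0
10:00:01.000200 IP 172.17.105.20.51000 > 172.17.107.10.443: Flags [S], seq 1000, win 64240, length 0
10:00:03.000300 IP 172.17.105.20.51000 > 172.17.107.10.443: Flags [S], seq 1000, win 64240, length 0
10:00:05.000400 IP 172.17.106.30.52000 > 172.17.107.10.443: Flags [S], seq 2000, win 64240, length 0
10:00:05.000500 IP 172.17.107.10.443 > 172.17.106.30.52000: Flags [S.], seq 3000, ack 2001, win 65535, length 0
10:00:06.000600 IP 172.17.106.30.52000 > 172.17.107.10.443: Flags [S], seq 2000, win 64240, length 0
10:00:07.000700 IP 172.17.107.15.53000 > 172.17.107.10.443: Flags [S], seq 4000, win 64240, length 0
10:00:07.000800 IP 172.17.107.10.443 > 172.17.107.15.53000: Flags [S.], seq 5000, ack 4001, win 65535, length 0
10:00:07.000900 IP 172.17.107.15.53000 > 172.17.107.10.443: Flags [.], ack 1, win 502, length 0
"""

if __name__ == "__main__":
    for (ip, port), (verdict, syns) in classify_flows(SAMPLE_TCPDUMP.splitlines(),
                                                       "172.17.107.10").items():
        print(f"{ip}:{port:<6} {verdict:<12} client SYNs seen: {syns}")
```

Run it once against a capture taken on the pfSense DMZ interface and once against a capture taken on the server's own NIC, for the same failing client. A flow that is `no-reply` even in the server-side capture means the packets arrive but the host never answers, which points at the server (listener binding, host firewall scope); a flow that is `reply-lost` on pfSense but `established` on the server means the SYN-ACK leaves the server and is dropped or misrouted on the way back. Flows that are `established` on both sides but still time out in the browser are past the handshake, and the problem moves to TLS, which this check does not cover.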
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.