WAN 443 requests work, internal 443 request time out, why?
-
Not really sure in which section this should go. Anyway ...
The setup:

pfSense on four interfaces:
- WAN on public IP xxx.xxx.xxx.129/26, 255.255.255.192
- ADMIN (LAN) 172.17.105.0/24, LAN to any rule in place
- DB 172.17.106.0/24, DB to DMZ (80,443) allow rule
- DMZ 172.17.107.0/24

Web server is Windows Server 2019 with IIS 10, no rewrite rules on IIS. Redirects are handled in HAProxy as needed. Private network and public network certs installed on site in DMZ: target.public.net, target.private.local. Windows Firewall rules for 80,442 apply to all network types (Public, Private, Domain).

HAProxy on WAN virtual IP. DNS forwarding target.public.net -> target.private.local IP.

Port 80 and 443 traffic WAN to DMZ through HAProxy - works (using public URL).

The following are true regardless of public or private URL:
- port 80 traffic from LAN to DMZ (does not go through HAProxy) - works
- port 443 traffic from LAN to DMZ (does not go through HAProxy) - no joy - target.private.local took too long to respond
- port 80 traffic from LAN to DMZ (does not go through HAProxy) - works
- port 443 traffic from LAN to DMZ (does not go through HAProxy) - no joy - target.private.local took too long to respond
- port 80 traffic from DMZ to DMZ (does not go through HAProxy) - works
- port 443 traffic from DMZ to DMZ (does not go through HAProxy) - works

Summary:
Traffic from the WAN side traversing HAProxy works correctly.
Traffic from private IP networks (LAN and DB) works fine for port 80 and times out for port 443.
Wireshark on the target server shows traffic from the requesting servers on port 443 (at least there are packets from the client showing up in the Wireshark logs on the server).

Question: WTF is happening to the 443 requests coming from LAN and DB?
It makes no sense to me.

Thanks!
Paul
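An added example, written for this page and not part of Paul's post or of any pfSense, HAProxy or IIS tool: a small probe that separates "the SYN is never answered" from "TCP connects but the TLS handshake never completes" from "TLS completes". That distinction is the thing to pin down next, because the post says the server's Wireshark capture shows client packets on 443 while the browser reports a timeout. Run from a LAN host and a DB host against the DMZ server on 80 and 443 and compare with the capture on the server: if the TCP handshake completes but the ClientHello gets no ServerHello back at the client, look at whether the server actually sent it and whether the larger TLS records survive the return path (MTU/MSS, asymmetric routing, a rule that only matches one direction). The hostname target.private.local and the ports are taken from the post; `start_silent_listener` and `closed_port` are constructed fixtures that imitate a server which accepts the TCP connection and then says nothing, and a closed port, so the probe can be exercised offline.

```python
"""Stage-by-stage reachability probe: TCP connect, then TLS handshake.

Added illustration for the forum thread above; not code from the post.
The verify_mode=CERT_NONE below is deliberate: we are testing whether the
handshake completes at all, not whether the certificate is trusted.
"""
import socket
import ssl
import threading
import time


def probe(host, port, timeout=5.0, server_name=None, tls=True):
    """Connect to host:port and report the furthest stage reached.

    stage is one of: tcp_connect_timeout, tcp_refused, tcp_error, tcp_ok,
    tls_handshake_timeout, tls_error, tls_ok. detail is a short hint.
    """
    result = {"host": host, "port": port, "stage": None, "detail": "", "elapsed_s": 0.0}
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["stage"] = "tcp_connect_timeout"
        result["detail"] = "no SYN-ACK within timeout: firewall drop, wrong route or asymmetric return path"
    except ConnectionRefusedError:
        result["stage"] = "tcp_refused"
        result["detail"] = "RST received: host reachable, nothing listening or host firewall rejects"
    except OSError as exc:
        result["stage"] = "tcp_error"
        result["detail"] = str(exc)
    else:
        if not tls:
            result["stage"] = "tcp_ok"
            sock.close()
        else:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # reachability test, not a trust check
            ctx.verify_mode = ssl.CERT_NONE
            try:
                tls_sock = ctx.wrap_socket(sock, server_hostname=server_name)
                result["stage"] = "tls_ok"
                result["detail"] = f"{tls_sock.version()} {tls_sock.cipher()[0]}"
                tls_sock.close()
            except socket.timeout:
                result["stage"] = "tls_handshake_timeout"
                result["detail"] = ("TCP handshake completed but no ServerHello arrived: compare with the server-side "
                                    "capture; suspect MTU/MSS on large TLS records or a one-way rule/route")
                sock.close()
            except ssl.SSLError as exc:
                result["stage"] = "tls_error"
                result["detail"] = str(exc)
                sock.close()
    result["elapsed_s"] = round(time.monotonic() - t0, 2)
    return result


def start_silent_listener():
    """Constructed fixture: accept TCP connections and never send a byte.

    This imitates a server that receives the client's packets (as the post's
    Wireshark capture shows) yet never answers the TLS ClientHello.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    held = []  # keep accepted sockets open; closing them would send FIN, not silence

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Constructed fixture: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hostname from the post; run this from a LAN host and from a DB host.
    target = "target.private.local"
    for port, use_tls in ((80, False), (443, True)):
        r = probe(target, port, timeout=5.0, server_name=target, tls=use_tls)
        print(f"{target}:{port:<4} {r['stage']:<22} {r['elapsed_s']:>5}s  {r['detail']}")
```

Run it from the 172.17.105.0/24 and 172.17.106.0/24 sides and once from the DMZ itself; the DMZ run should show `tls_ok` on 443 (the post says DMZ to DMZ works), so any difference in the stage reached from LAN or DB is the path to investigate, read together with a capture taken on the client at the same time as the one on the server.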