Just trying to forward 443 to an internal server
-
@johnpoz when enabled on 443 I can externally get to the pfsense web interface, but when I swap it and try the port forward I get nothing. Specifically I don't even see packets in the packet capture relating to 443.
I noticed this rule didn't have any traffic this whole time, but I'm not sure what to make of it.
I know I'm using the right IP address to access it. -
@combat_wombat27 do a simple sniff test.. Do you see your port hit your wan? If so then sniff on your lan - do you see it send it on or not?
Finding where you have your problem should take all of about 30 seconds..
If you want to forward 443, it's a good idea to make sure the pfsense web gui is not using 443, but some other port.. I have the pfsense web gui https on 8443 for example.
-
@johnpoz Sorry, I must have not been clear. When I ran that on the open port check tool I also did a little packet capture. I didn't see any 443 traffic in it whatsoever.
-
@combat_wombat27 said in Just trying to forward 443 to an internal server:
I didn't see any 443 traffic in it whatsoever.
then it's not getting to you - how can pfsense forward what it doesn't see.
What do you have in front of pfsense - is it doing nat? Is your isp using cgnat, ie does your wan IP of pfsense start with 100.64-127.x.x
-
@johnpoz understood, but how can it show me the web UI on 443 if it can't receive packets on 443?
-
@combat_wombat27 it can't but you can for sure access your pfsense from the lan via its wan IP, etc..
If you send traffic to say port 4443 and you don't see it on your sniff test on wan, then there is no possible way you can send that traffic anywhere - because pfsense never saw it..
Validate your pfsense wan is actual public IP, and not rfc1918 or cgnat range - 100.64-127.x.x
-
Here are my packet capture settings for reference in case I did it wrong.
-
@combat_wombat27 no that looks correct.. If you're not seeing anything with that sniff, then it's not possible for pfsense to forward what it doesn't see
edit: I just tried to access 443 from the IP you're connecting to the forum with, and get no response..
-
@johnpoz So that is what I'm saying. It was able to see the traffic when the Web Gui was set to 443 just fine. It is only now that it is having issues. Gimme a sec and I'll check the WAN.
-
@johnpoz Wait, if I'm reading this right I DO see 443 traffic. I was reading it wrong. I was reading the number after TCP as port. Not the extra octet on the IP. Let me scan internally now
-
Here is what I'm seeing on the LAN when I run a packet capture and open port checker.
Keep in mind I can get to the web server on 443 just by going to https://192.168.1.4 and it loads without question. I've also tried this with the firewall off.
Also just checked, and the WAN is listing the expected external IP Address.
-
@combat_wombat27 If I'm reading this correctly though this is just showing me traffic of people going to https sites, not something external accessing an internal https site.
-
@combat_wombat27 You need to make sure you're sniffing for what you're wanting to sniff for, or increase the number of packets you capture from the default 100.
I see no traffic "to" 192.168.1.4 port 443, I only see traffic to some public IP on 443 from that picture.
-
@johnpoz okay, I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443. So if I'm understanding properly it is hitting the firewall and not making it past.
-
@combat_wombat27 said in Just trying to forward 443 to an internal server:
I've done the scan again even though I didn't get 100 packets last time, and still there is no traffic to 192.168.1.4:443
You can not see the internal IP on WAN. This could only be seen on LAN behind NAT.
Simply filter your capture for " > [WAN IP]:443" in the browser.
-
@viragomann No, that is regarding the internal packet capture to see if the traffic made it inside the network. If you check my replies above you will see where I DID see the packets hit the firewall externally.
-
@combat_wombat27 please post your port forward and wan rules, do you have any rules in floating? If so post them as well.
So you know what IP you're testing from, say in the sniff on your wan and the "can you see me" IP.
Now filter on your lan side for this IP and port 443 in your packet capture..
If you say it's hitting your wan but not forwarding it, then you have the wrong setup in the rules/port forward, or pfsense does not know the mac address of the device you're trying to forward to..
Like you saw my test port forward and wan rules.
-
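The two-leg sniff test johnpoz describes (does the packet hit WAN? if so, does it appear on LAN headed for the internal host?), together with his earlier "is your WAN address really public, not RFC1918 or 100.64-127.x.x" check, can be turned into a small diagnostic. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style capture text of the kind Diagnostics > Packet Capture prints and reports on which leg the forward breaks. All addresses (a TEST-NET WAN address, a tester address, 192.168.1.4 as the target) and the capture lines are constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the forum thread or from pfSense): locate the leg on
which a port forward to TCP/443 fails, using a WAN sniff, a LAN sniff, and a
check that the WAN address is not RFC1918 or CGNAT space.
Every address and capture line here is constructed sample data."""
import ipaddress
import re

# The port is the LAST dotted field after each address ("203.0.113.77.51234"
# is host 203.0.113.77, port 51234); the number after "tcp" is payload length,
# not a port. The regex tolerates the MAC/ethertype prefix tcpdump -e adds.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan_ip(ip: str) -> str:
    """'rfc1918' or 'cgnat' means a device upstream is NATing for you, so a
    forward on pfSense alone cannot work; 'public' means pfSense is the edge."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def parse_flows(capture: str):
    """Return (src, sport, dst, dport) for each IPv4 line in a capture dump."""
    flows = []
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def flows_to(capture: str, ip: str, port: int):
    """The '> [IP]:port' filter from the thread, applied to parsed lines."""
    return [f for f in parse_flows(capture) if f[2] == ip and f[3] == port]


def diagnose(wan_capture, lan_capture, wan_ip, tester_ip, target_ip, port=443):
    """Follow the tester's packet one leg at a time and name the leg that fails."""
    if not any(f[0] == tester_ip for f in flows_to(wan_capture, wan_ip, port)):
        return "not_reaching_wan"    # pfSense never saw it: upstream NAT/ISP filtering
    # A plain port forward keeps the tester's source address on the LAN side.
    if not any(f[0] == tester_ip for f in flows_to(lan_capture, target_ip, port)):
        return "not_forwarded"       # NAT rule, WAN rule, or no ARP entry for the target
    if not any(f[0] == target_ip and f[1] == port and f[2] == tester_ip
               for f in parse_flows(lan_capture)):
        return "forwarded_no_reply"  # server firewall, or server's gateway is not pfSense
    return "forwarded_ok"


# Constructed sample data (documentation ranges, not anyone's real addresses).
WAN_IP, TESTER_IP, TARGET_IP = "198.51.100.10", "203.0.113.77", "192.168.1.4"

WAN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.77.51234 > 198.51.100.10.443: tcp 0
12:00:02.000000 IP 198.51.100.10.40000 > 198.51.100.200.443: tcp 0
"""
# LAN capture when the forward works: request reaches the server and it answers.
LAN_CAPTURE_OK = """\
12:00:01.000100 IP 203.0.113.77.51234 > 192.168.1.4.443: tcp 0
12:00:01.000200 IP 192.168.1.4.443 > 203.0.113.77.51234: tcp 0
12:00:02.000000 IP 192.168.1.50.40000 > 198.51.100.200.443: tcp 0
"""
# LAN capture from the thread's situation: only LAN clients browsing out on 443,
# nothing headed to 192.168.1.4:443.
LAN_CAPTURE_BROKEN = """\
12:00:02.000000 IP 192.168.1.50.40000 > 198.51.100.200.443: tcp 0
"""

if __name__ == "__main__":
    print("WAN address is", classify_wan_ip(WAN_IP))
    print("working forward :", diagnose(WAN_CAPTURE, LAN_CAPTURE_OK, WAN_IP, TESTER_IP, TARGET_IP))
    print("thread's capture:", diagnose(WAN_CAPTURE, LAN_CAPTURE_BROKEN, WAN_IP, TESTER_IP, TARGET_IP))
    print("empty WAN sniff :", diagnose("", LAN_CAPTURE_OK, WAN_IP, TESTER_IP, TARGET_IP))
```

The ordering of the checks is the point: a missing hit on WAN rules out everything on pfSense, a hit on WAN with nothing on LAN points at the NAT/rule set (or at pfSense lacking an ARP entry for the target, as mentioned above), and a hit on LAN with no reply points at the server itself. Filter each capture for the tester's address before counting, or outbound browsing to other hosts on 443 will be mistaken for forwarded traffic.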
@combat_wombat27 said in Just trying to forward 443 to an internal server:
If you check my replies above you will see where I DID see the packets hit the firewall externally.
Yes, but I cannot see any confirmation that you even get the packets on WAN.
I was assuming that before based on your first posts, but now I'm not sure anymore. -
@viragomann It's pretty simple. There is a pic showing the external packets hitting my external IP on 443. That said, I marked out the external IP address.
-
@combat_wombat27
In this capture 35.x.x.x might be your WAN and it also shows a response from it from port 443.
Regarding this it should work well at all. Or did you disable the port forwarding again and is it pfSense responding here?