Port forward with webserver behind pfsense

macaruchi · Nov 29, 2023, 3:45 AM

My current issue I am running into is fowarding http to one of my webservers. Currently, my network is setup as followed:

ISP Provided Router -> Pfsense firewall -> webserver.

My question is, how would I go about forwarding port 443 to allow my webserver to be accessed outside of my network? Would I need to forward 443 to my firewall from the ISP router to pfsense, then forward the port in pfsense to the webserver?

How can I do that ?

SteveITS · Nov 29, 2023, 3:51 AM

@macaruchi yes.

Many ISP routers have a DMZ option or ways to forward single ports.

https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards

macaruchi · Nov 29, 2023, 3:57 AM

@SteveITS
Hi!
Somebody told me that I need to port forwanrd to pfSense from router and from pfSense to webserver.

I try to do a port forward into router addressing to LAN webserver but this doesnt work

SteveITS · Nov 29, 2023, 4:02 AM

@macaruchi can you show screenshots from both? Done correctly it does work. :)

https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

Gertjan · Nov 29, 2023, 7:37 AM

@macaruchi said in Port forward with webserver behind pfsense:

Somebody told me

Be nice to them. Smile, and make the conversation short.
Then go to the URLs like shown above : https://docs.netgate.com/pfsense/en/latest/nat/, as, what knows better as the authors of the product you use ?

I'll add a trick :
Go to :

and select "WAN", "TCP" and port "443" as shown.
Hit Start at the bottom, and keep an eye on the results shown at the bottom of the page.
Initially, it will stay empty : no results.

Now, as per your ISP instructions, as they have the info about how to add a NAT rule in your ISP router.
Or, as proposed above : activate the DMZ mode.

While visiting the GUI of your ISP router, take note of it's WAN-IPv4.

Get a phone ready. Disable ( !! ) the Wifi on this phone ( !! ).
Open a browser on your phone, and enter https://WAN-IPv4 (like https://1.2.3.4).

If all went well : you've set up correctly the NAT (or DMZ, you should prefer NAT, though) on your ISP router, the pfSense Diagnostic windows starts to show lines ...
The browser on your phone will shows errors of course, as no web browser is answering at the moment, but you know now traffic reaches the pfSense WAN network port.

From here : https://docs.netgate.com/pfsense/en/latest/nat/ is all yours.

macaruchi · Nov 30, 2023, 8:59 PM

@Gertjan
I did what you told me, thks, but I cant access the webserver yet :(
These are my rules

Rule Port Forward

The Capture works

SteveITS · Nov 30, 2023, 10:10 PM

@macaruchi The last rule there is the linked rule ("NAT jce").

The circled rule allows your pfSense WAN subnet to access LAN. Though it probably wouldn't actually function unless something on that network was routing packets intended for your LAN subnet to your pfSense WAN IP.

You've allowed * to access "WAN2_CENSOL address" meaning anything can access pfSense on ports 22/80/443/other. Since that includes 8443 I don't think it will also forward 8443 on via the NAT rule. Note that rule has 27.3 MB of traffic.