Netgate Discussion Forum

    Redirect Error

      Stewart

      To remotely access our firewalls we set up a rule that states:
      From: Office Alias
      To: Remote WAN IP
      On: A defined off port
      Redirects: To LAN IP on port 443
      We do this as it protects the remote network from external logins and allows port 443 to be redirected and used for other services if needed.

      One of the System Patches (haven't looked, don't know which one) now flags a redirect or referral error and tells us that we need to go to System->Advanced->Admin Access and check the box to disable Browser HTTP_REFERER enforcement. I just applied the patches remotely to a firewall and it gave me that error. We can still get to it on port 80 and once I did, now I can get in on the off port without an error. I didn't have to make any changes. I'm fairly certain the way we do it is secure but I don't want to open up these units for convenience so I'd rather not disable that feature if possible.

      Can anyone suggest to me the safest way to move forward on this?

      Edit: I just installed the System Patches Package on another unit and installed the patches 1 by 1. The error didn't show up. I've had it appear on 2 other units so far so I'm a bit confused.

        stephenw10 Netgate Administrator

        What pfSense version?

        I'm not aware of any patch that should affect that though.
        Had you disabled the check before applying the patches? Or added any additional hostnames? Are you accessing it by the WAN IP directly?

        Steve

          Stewart @stephenw10

          @stephenw10
          It's 2.7.2. Disabling that does fix the issue. We have dozens of units that we've been using for probably 10 years now and it has only started recently. I don't know what triggered it the first time. The second time it was immediately after installing the System Patches package and applying all patches.

            stephenw10 Netgate Administrator

            And are you accessing it by IP directly or by hostname? If it's hostname what does that resolve to and does that firewall actually have that hostname?

            It sounds like it may be correctly triggering, in which case the question becomes why wasn't it before?

              Bob.Dig LAYER 8 @Stewart

              @Stewart I think you should access the firewall on the WAN-interface and not do a redirect to the LAN-interface?

              But then, I always need to Disable HTTP_REFERER enforcement check if I am accessing the firewall on an IP-Address not known to the firewall itself. Maybe @stephenw10 can elaborate on this.

                stephenw10 Netgate Administrator

                Well, yes, I expect to have to disable it in many of those situations which is why it's curious it was working before.

                  Bob.Dig LAYER 8 @stephenw10

                  @stephenw10 Interestingly, if I make the unknown IP-address an IP Alias VIP on WAN, I don't need to disable this.

                  In the DHCP Client Configuration on WAN there is a field called "Alias IPv4 address" but that doesn't do it.

                    stephenw10 Netgate Administrator

                    Yes, if the IP address exists on the firewall it should allow it. So that includes virtual IPs.
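
A simplified model of the behaviour described in the replies above, added here as an example; it is not pfSense's code and not from any poster. It shows the check passing when the host in the Referer header is an address held by the firewall (virtual IPs included) or one of its hostnames. The function names, the sample addresses and names, and the handling of a missing or unparseable Referer are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def referer_allowed(referer, local_ips, hostnames, enforce=True):
    """Simplified model of a GUI Referer check (not pfSense's code).

    local_ips: addresses configured on the firewall, virtual IPs included.
    hostnames: the firewall's own hostname plus any additional hostnames.
    """
    if not enforce:
        return True   # enforcement disabled in the GUI settings
    if not referer:
        return True   # assumption: a request with no Referer is not judged here
    host = urlsplit(referer).hostname   # strips scheme, port and path; lower-cased
    if not host:
        return False  # assumption: an unparseable Referer fails closed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Referer names a host: it must be a name the firewall answers to.
        return host in {h.lower() for h in hostnames}
    # Referer carries an IP: it must be an address held by the firewall.
    return addr in {ipaddress.ip_address(ip) for ip in local_ips}


# Constructed sample data (documentation address ranges, made-up names).
LOCAL_IPS = ["192.168.1.1", "198.51.100.7"]       # LAN and WAN addresses
HOSTNAMES = ["fw1.example.internal"]
UNKNOWN = "https://203.0.113.10:8443/index.php"   # address not on the firewall


def demo():
    """Evaluate the cases discussed in the thread against the model."""
    with_vip = LOCAL_IPS + ["203.0.113.10"]       # same address added as a VIP
    return {
        "unknown_ip": referer_allowed(UNKNOWN, LOCAL_IPS, HOSTNAMES),
        "after_vip": referer_allowed(UNKNOWN, with_vip, HOSTNAMES),
        "wan_ip": referer_allowed("https://198.51.100.7:8443/", LOCAL_IPS, HOSTNAMES),
        "foreign_name": referer_allowed("https://remote.example.com:8443/", LOCAL_IPS, HOSTNAMES),
        "check_off": referer_allowed(UNKNOWN, LOCAL_IPS, HOSTNAMES, enforce=False),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:13} {'allowed' if allowed else 'blocked'}")
```
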

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.