Can't connect to 9443 port on a host in the same subnet
I'll try to simplify it as much as possible so you can understand my problem.
(In advance, I apologize for my English, I'm doing my best)
I built a home server to host some applications that I have on the cloud so far.
All of my servers are hosted in Proxmox VMs, and thinking about security, I built a pfSense VM to manage my servers (in the future I will enable IPS).
My pfSense WAN is connected to my ISP router, and its IP is in the DMZ to open all ports, so I can access some applications from the internet too.
All of my servers are behind pfSense, including me, to access my servers directly.
Here is my network scheme so far:
Home router: Subnet 192.168.1.1/24
PfSense:
- WAN: Static IPv4 (192.168.1.200)
- LAN (Workstations)
  - Subnet: 10.0.0.1/24 | DHCP4 on
- LAN2 (Servers)
  - Subnet: 20.0.0.1/24 | DHCP4 on
Rules on LAN & LAN2: all to all (just for testing, later I'll improve to more specific rules).
For now, I have 3 servers:
- Debian VM with Postgres (listens on port 5432) on LAN2 (IP 20.0.0.100)
- Debian VM with aaPanel (listens on ports 80, 443) on LAN2 (IP 20.0.0.110)
- Debian VM with Docker/Portainer (listens on ports 8000, 9000 and 9443) on LAN2 (IP 20.0.0.120)
All of my servers and I can access the internet normally.
The problem is:
I'm connected on LAN (subnet 10.0.0.1/24), and I can SSH to all my servers normally.
I can ping all my servers too, and I can access my aaPanel website normally (port 443). But I can't access my Portainer container on port 9443. I can ping the server, but can't connect to port 9443.
I tried telnet to this port from my computer, no success.
I tried to test the port from pfSense: I can reach port 22, but can't reach the other ports, including 9443. I tried numerous installations and configurations, and 2 fresh installs of pfSense, no success.
The last thing I did was change my server NIC to my local network, so it gets an IP from my router (192.168.1.x) and is not routed by my pfSense, and it works. I can access my Portainer on port 9443 normally. The problem is when I put my server behind pfSense.
Even if I put my server in the same subnet as me, I can't reach the ports.
Yes, the ports are open on the server, so I can access them normally on the local network, but can't if I put my server behind pf.
I've been trying to understand it for 3 days, doing new installations, but I still haven't discovered the problem. Could you help the noob here?
@allkemyst said in Can't connect to 9443 port on a host in the same subnet:
Subnet: 20.0.0.1/24 | DHCP4 on
While technically that can work, it's a horrible idea to use public IP space internally. Why not just 10.0.1/24 as your LAN2 network?
I try to test the port on PfSense, i can reach the port 22, but can't reach the other ports, including 9443.
That screams a firewall on that box or your VM host.
To validate this to yourself, sniff on your LAN2 interface while you send a test to these ports. Do you see the traffic leave pfSense but not get an answer? But you can ping and SSH works - that screams host firewall to me.
Edit: or the config of whatever service this is is set to listen on IP 192.168.1.x (whatever your old network was) and not 20.0.0.x.
Unless the traffic is routed over pfSense, pfSense has nothing to do with the traffic. If it is routed, maybe you're doing a policy route and this is sending traffic out your WAN gateway. Without seeing the rules we really have no idea; maybe you set the rule to allow TCP, but this is UDP?