NAT+Proxy Reflection mode fails on port 443 due to nginx webConfigurator binding conflict (pfSense 25.07)

jiggier

Summary

NAT+Proxy mode for NAT Reflection on port forwards targeting port 443 no longer functions in pfSense 25.07. The root cause appears to be the webConfigurator's nginx instance binding to *:443 (all interfaces), which prevents xinetd from establishing the proxy listener for NAT reflection.

Environment

• pfSense Version: 25.07.1
• Hardware: Intel-based (Wildcat Point-LP)
• Relevant packages: Nexus, pfBlockerNG-devel, ACME, Avahi, OpenVPN-client-export

Symptoms

• External access (WAN) to port-forwarded services works correctly
• Internal access (LAN hairpin/reflection) fails when NAT Reflection is set to "Enable (NAT + Proxy)"
• TCP connections are accepted but TLS handshake hangs indefinitely
• Switching to "Enable (Pure NAT)" immediately resolves the issue

Diagnostic Evidence

nginx (webConfigurator) is listening on all interfaces for port 443:

# sockstat -l4 | grep 443
root     nginx      40955 5   tcp4   *:443                 *:*
root     nginx      40662 5   tcp4   *:443                 *:*
root     nginx      40551 5   tcp4   *:443                 *:*

nginx configuration confirms binding to all interfaces:

# cat /var/etc/nginx-webConfigurator.conf | grep listen
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 80;
        listen [::]:80;

xinetd logs show services being killed during reconfiguration:

Dec 10 02:30:39 pfs xinetd[34103]: Sending signal 9 to 19009-tcp server 39244
Dec 10 02:30:39 pfs xinetd[34103]: Sending signal 9 to 19009-tcp server 49600
Dec 10 02:30:39 pfs xinetd[34103]: service 19009-tcp deactivated
Dec 10 02:30:39 pfs xinetd[34103]: service 19010-tcp deactivated
Dec 10 02:30:39 pfs xinetd[34103]: Reconfigured: new=0 old=9 dropped=2 (services)

Steps to Reproduce

1. Configure a port forward: WAN 443 → internal host port 1443
2. Set NAT Reflection to "Enable (NAT + Proxy)" on the rule
3. From a LAN client, attempt to access the service via the WAN IP or external domain
4. Connection will hang after TCP handshake

Expected Behavior

NAT+Proxy reflection should work as it did in previous pfSense versions, allowing LAN clients to access port-forwarded services via the public IP.

Actual Behavior

xinetd cannot bind to port 443 for the reflection proxy because nginx (webConfigurator) already occupies *:443 on all interfaces. TCP connections are accepted by nginx but fail because nginx doesn't know how to handle the traffic.

Workaround

Use "Enable (Pure NAT)" instead of "Enable (NAT + Proxy)" for NAT Reflection. This works correctly and is arguably the better solution anyway, but the NAT+Proxy option should either work or be documented as incompatible with the default webConfigurator configuration.

Suggested Fix Options

1. Bind nginx/webConfigurator to specific interfaces (e.g., LAN only) rather than *:443
2. Add a GUI option under System → Advanced → Admin Access to configure webConfigurator interface binding
3. Document this limitation in the NAT+Proxy mode description
4. Have xinetd use alternative ports for reflection when 443 is occupied

Additional Notes

This appears to be a regression from the switch to nginx for the webConfigurator in pfSense 25.x. Previous versions using lighttpd may have had different binding behavior. The lack of a "Listen on interfaces" option in Admin Access settings means users cannot resolve this conflict without changing the webGUI port or using Pure NAT mode.