    Big issues running IIS behind PFSense.

    • GruensFroeschli
      GruensFroeschli last edited by

      What should the external address be?
      It's the same as in the screenshot you just showed.
      Could it be, that you're using VIPs and used the wrong IP for the mapping?

        danswartz last edited by

        wallaby. I am using the standard HTTPS port.  Given the webgui is not listening on the WAN anyway, I never understood this concern - it certainly does not affect my config.

          danswartz last edited by

          I don't know what the two loopback redirects are for, but they are on the LAN, not the WAN.  As far as the IP in the rules being different, this is because the rdr (which rewrites the WAN IP to the forwarded LAN IP) is done before the access check.  Sounds like your config is all buggered up.  I would try reinstalling from scratch (and not restoring the config, type it in from scratch, since it looks small.)  No, bypassing the GUI is not usual; if you don't want that, you should build your own OpenBSD firewall from scratch, it has nothing but the CLI…

            pseudonym last edited by

            I shall try another reinstall.. This is already install 3.  This is a really un-good situation.  I have PFSense routers installed at schools all over the province, if this is an issue.. then I seriously have to consider removing them and going with a different solution…

            major bummer =(.

            Any other suggestions?

              danswartz last edited by

              Well, I am mystified.  You are not installing packages or anything?  It's hard to believe this stuff is just happening out of left field :(

                wallabybob last edited by

                @danswartz:

                Well, I am mystified.  You are not installing packages or anything?  It's hard to believe this stuff is just happening out of left field :(

                Could we be looking at the problem in the wrong way? Does "Page Can't be Displayed" indicate a problem connecting to the server? a problem downloading data from the server?

                Comments so far seem to have concentrated on the possibility of failure to connect to the server. Is there some independent verification that is the problem? (Does the server log incoming connections?)

                  pseudonym last edited by

                  Packets are not hitting the webserver at all when I have PFSense as the router.  I am certain that the webserver is at least functional as it works fine when using a different router.

                  I am going to try a full reinstall… completely base (This install should have already been pretty basic as I reset and reconfiged with only the two rules).  I will give it another go and report back with a full dmesg and rules listing.

                  In the meantime.. is ANYONE running PFSense in front of an IIS server hosting multiple websites???  Does anyone know how PFsense handles Host Header Names?

                  This can't be an issue that only I am having...

                    GruensFroeschli last edited by

                    @pseudonym:

                    In the meantime.. is ANYONE running PFSense in front of an IIS server hosting multiple websites???  Does anyone know how PFsense handles Host Header Names?

                    I'm not running IIS, but pfSense is completely ignoring anything related to host header names.
                    It simply forwards the packets specified in the NAT rule.

                    1 Reply Last reply Reply Quote 0
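
An added illustration, not part of the thread or of pfSense: the sketch below stands in for the setup discussed here with a constructed name-based web server (in place of IIS bindings) and a byte-copying TCP relay (in place of the port forward). It shows that the Host header reaches the server unchanged, and that a 404 means the server answered while a failed connection means the forward did not. The host names, the `probe` helper and the loopback ports are assumptions made for the example.

```python
import http.client, socket, socketserver, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BINDINGS = {"site-a.example", "site-b.example"}  # constructed host-header bindings

class VhostHandler(BaseHTTPRequestHandler):
    """Stand-in web server: picks a site by Host header, 404 if none is bound."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        self.send_response(200 if host in BINDINGS else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()
    log_message = lambda self, *a: None  # keep the demo quiet

def pump(src, dst):  # copy bytes one way until EOF; never parses HTTP
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class Relay(socketserver.BaseRequestHandler):
    """Stand-in port forward: relays the TCP stream to server.target unchanged."""
    def handle(self):
        with socket.create_connection(self.server.target) as upstream:
            threading.Thread(target=pump, args=(upstream, self.request), daemon=True).start()
            pump(self.request, upstream)

def probe(ip, port, host_header, timeout=3):
    """'unreachable' = TCP never connected; an int = the web server answered."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

def demo():
    web = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    fwd = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Relay)
    fwd.daemon_threads, fwd.target = True, web.server_address
    for srv in (web, fwd):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip, port = fwd.server_address
    out = {"bound_name": probe(ip, port, "site-a.example"),
           "raw_ip": probe(ip, port, ip)}
    for srv in (web, fwd):
        srv.shutdown()
        srv.server_close()
    out["no_forward"] = probe(ip, port, "site-a.example")  # listener gone
    return out
```

Against a real deployment, the same `probe` call with the WAN address and each site's name separates a forwarding fault from a binding fault before anything is reinstalled.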
                    • S
                      Supermule Banned last edited by

                      Do you mean multiple webservers with sites or just multiple sites on one webserver???

                      PFSense doesn't have Layer7, but I do not have any problems forwarding all my port 80 traffic to an ISA Server which has Layer7.

                      One webserver behind PFsense is absolutely no problem… I can do that for you in 5 minutes via a remote session. No problems...

                        pseudonym last edited by

                        It is one webserver, Win2k8 running IIS 7.5.  It is hosting a couple websites (EX: Fintrycroft.ca, corporatesecurityconsulting.ca).

                        Should be as easy as forwarding port 80 to the correct internal IP, but for some reason it isn't working….

                          Supermule Banned last edited by

                          And it is loading the interfaces and assigning them correctly??

                            pseudonym last edited by

                            Yup.  No other issues at all.  I don't have load balancing set up, the only thing that has been configured is a port forward for MS-RDP and HTTP and the associated rules which were generated automatically.  Both forwards are going to the same machine and the MS-RDP is working perfectly.  Interfaces are assigned correctly and are working.  NAT is working (I am behind the firewall writing this).  WebGUI is on a non-standard port and packets are NOT being forwarded to the webserver… no idea why =(.

                            EDIT:  added dmesg from last reboot in a file.

                            dmesg.txt

                              Affiliated last edited by

                              I managed to set up an IIS behind a pfSense, and have had no problems. On the IIS are 2 websites hosted and identified by their domain.

                              But I have to say that I am not very familiar with webservers and their headers and so on. It has been a while since this setup. I think it was 1.2.3-RC2 we used for this.

                              Regards from Germany

                                dotdash last edited by

                                I've had Apache servers running virtual hosts behind pfSense for years. I doubt that you have uncovered an undiscovered problem with the software. These things can be frustrating, but you need to look at your setup carefully and methodically to see if perhaps you have made an error. Try re-configuring from scratch and note the steps you used. Pfsense configuration may be different than what you are used to from working with other firewalls.

                                  pseudonym last edited by

                                  @Affiliated:

                                  I managed to set up an IIS behind a pfSense, and have had no problems. On the IIS are 2 websites hosted and identified by their domain.

                                  But I have to say that I am not very familiar with webservers and their headers and so on. It has been a while since this setup. I think it was 1.2.3-RC2 we used for this.

                                  Regards from Germany

                                  I am not a huge web-head myself.  That is pretty much exactly the same thing that I want to do.  Did you do anything at all other than forward port 80?

                                    rpsmith last edited by

                                    I believe the 404 error you are getting is coming from your IIS server so I don't think you are having a firewall issue or you wouldn't be seeing a 404 error.

                                    Roy…

                                    http://www.404errorpages.com/

                                      wallabybob last edited by

                                      @rpsmith:

                                      I believe the 404 error you are getting is coming from your IIS server so I don't think you are having a firewall issue or you wouldn't be seeing a 404 error.

                                      This doesn't fit with
                                      @pseudonym:

                                      Packets are not hitting the webserver at all when I have PFSense as the router.

                                      Are there (have there been?) two distinct problems?

                                        pseudonym last edited by

                                        Double checked the IIS server.  Found that the bindings needed to be changed.  I can now surf, without any issue internally using the FQDN.. however, still getting a 404 when I try to access externally.

                                        The 404 error is the reason that I suspected that the issue may be the way that PFSense handles Host Header Name info.. if it is just forwarding the request to the server, and somehow stripping the Host Header Name info so that it is requesting the default page of the site rather than the specific site…

                                        As I said earlier.. if I swap out for a box standard Linksys router it works with no changes to the IIS server.. Again, just a single port forward to the server....

                                        I am also seeing the packets pass in the logs (I logged the rule) and I am seeing it pass the traffic now.. There has to be some simple setting that I am missing here.

                                        EDIT: Just for info.. I am NOT running RDNS on this site and DNS is handled entirely externally... Do I need to set up a DNS server internally??  If so.. why would it work without one with the linksys???  scratches head... hair falls out

                                          wallabybob last edited by

                                          @pseudonym:

                                          Double checked the IIS server.  Found that the bindings needed to be changed.  I can now surf, without any issue internally using the FQDN.. however, still getting a 404 when I try to access externally.

                                          I don't know IIS but I would presume that a production web server would have some means of getting it to explain why it sends a 404 response. (Maybe change log settings and restart.)

                                          EDIT: Just for info.. I am NOT running RDNS on this site and DNS is handled entirely externally… Do I need to set up a DNS server internally??  If so.. why would it work without one with the linksys???  scratches head... hair falls out

                                          I don't get the relationship between DNS and a "Page not found" error. Please explain.

                                            GruensFroeschli last edited by

                                            The 404 error is the reason that I suspected that the issue may be the way that PFSense handles Host Header Name info.. if it is just forwarding the request to the server, and somehow stripping the Host Header Name info so that it is requesting the default page of the site rather than the specific site…

                                            The pfSense doesn't handle anything at all.
                                            It is completely clueless about what it is transferring.

                                            One thing that could be something:
                                            Under "system –> general setup" what did you set for the "Domain" field?
                                            If the server gets its IP dynamically (pseudo static) from the pfSense, then this part will be assigned to the DHCP clients as the connection-specific suffix:

                                            
                                            Ethernet adapter Local Area Connection 3:
                                            
                                                    Connection-specific DNS Suffix  . : gruensfroeschli.mine.nu
                                                    IP Address. . . . . . . . . . . . : 10.0.8.11
                                                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                                    Default Gateway . . . . . . . . . : 10.0.8.1
                                            
                                            
                                              wallabybob last edited by

                                              I don't know about IIS, but I have recollections from some months ago that if the local hostname changes it may be necessary to change the Apache configuration file in sympathy.

                                                pseudonym last edited by

                                                Okay.. something has happened and it does appear to be an automagic type thing.  Don't know how but it is now working!  W00t!.. I think LOL!

                                                Anyhow, thanks for all the help guys!  It is mucho appreciated!
