Aliases in Port forward - just a question

  • I am currently switching from a ZyXel Firewall to pfSense (1.2.3) and found a little glitch that I wanted to tell you about so that it won't exist in the 2.0 release.
    When adding a port forward rule for NAT with an alias on the ports it seems that a strange port precedence is done. If I do have an alias for WebPorts with ports 80 and 443 (in that order) and I want to access my webserver through its domain name (no split DNS but NAT reflection) from behind my firewall (same subnet as my webserver) Firefox throws out an SSL error. If you change the order of the ports in the alias (443 first, then 80) and try to access it via (no secure http here) Firefox tells you that you are trying to access the server through a secure connection, so you should try https://…
    This happens just from inside my subnet, not if I try to access the webserver from anywhere else. So it seems that in this special case ports are taken in the order they appear in the alias and not by the port I actually really want to access.

    If this was unclear (and I am pretty sure it is in some way) please tell me and I will try to provide more information. I'm sorry that I can't test it with 2.0 BETA and I hope that this glitch just happens in 1.2.3 and not in the final release of 2.0.

  • Rebel Alliance Developer Netgate

    Last I knew, reflection and port aliases didn't work very well. This was before the recent reflection work by Efonne so I don't know if that is still the case.

    Reflection in general has been a hack, and using split DNS is the best way to ensure that you access things properly by hostname.

  • My work has not gone into the main source tree yet, though I think it was almost approved at one point (I think I didn't commit it yet because no one else had tested it, to the best of my knowledge).  The implementation in my source tree does fully support aliases, since it is done in pf instead of redirecting to a port handled by an external program.

    I may need to rework it a bit because of some conflicting code that may be making its way into the main source tree.  My code doesn't currently conflict with what is in the main source tree, but I think I'd rather work through the conflicts in my code than make the others work through the conflicts that my code would have with theirs.
