Netgate Discussion Forum

    Aliases in Port forward - just a question

    2.0-RC Snapshot Feedback and Problems - RETIRED
    3 Posts 3 Posters 2.0k Views
    • joergherzinger

      I am currently switching from a ZyXel Firewall to pfSense (1.2.3) and found a little glitch that I wanted to tell you about so that it won't exist in the 2.0 release.
      When adding a port forward rule for NAT with an alias on the ports it seems that a strange port precedence is done. If I do have an alias for WebPorts with ports 80 and 443 (in that order) and I want to access my webserver through its domain name https://sub.domain.com (no split DNS but NAT reflection) from behind my firewall (same subnet as my webserver) Firefox throws out an SSL error. If you change the order of the ports in the alias (443 first, then 80) and try to access it via http://sub.domain.com (no secure http here) Firefox tells you that you are trying to access the server through a secure connection, so you should try https://…
      This happens just from inside my subnet, not if I try to access the webserver from anywhere else. So it seems that in this special case ports are taken in the order they appear in the alias and not by the port I actually really want to access.

      If this was unclear (and I am pretty sure it is in some way) please tell me and I will try to provide more information. I'm sorry that I can't test it with 2.0 BETA and I hope that this glitch just happens in 1.2.3 and not in the final release of 2.0.

      • jimp (Rebel Alliance Developer, Netgate)

        Last I knew, reflection and port aliases didn't work very well. This was before the recent reflection work by Efonne so I don't know if that is still the case.

        Reflection in general has been a hack, and using split DNS is the best way to ensure that you access things properly by hostname.

        • Efonnes

          My work has not gone into the main source tree yet, though I think it was almost approved at one point (I think I didn't commit it yet because no one else had tested it, to the best of my knowledge). The implementation in my source tree does fully support aliases, since it is done in pf instead of redirecting to a port handled by an external program.

          I may need to rework it a bit because of some conflicting code that may be making its way into the main source tree. My code doesn't currently conflict with what is in the main source tree, but I think I'd rather work through the conflicts in my code than make the others work through the conflicts that my code would have with theirs.

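To show why reflection done in pf itself does not suffer from the alias-order problem described in the first post, here is an added pf.conf fragment following the reflection recipe from the pf documentation; it is not code from this thread or from pfSense, and the interface names, addresses and port list are constructed for the example. An rdr rule with a port list and no target port keeps each connection's original destination port, so port 80 stays 80 and 443 stays 443 regardless of the order in the list.

```pf
# Constructed example: LAN clients reaching the public IP of an internal web server
int_if    = "em1"
lan_net   = "192.168.1.0/24"
wan_ip    = "203.0.113.10"       # public address the DNS name resolves to
webserver = "192.168.1.20"       # internal server on the same subnet as the clients
web_ports = "{ 80, 443 }"        # equivalent of the WebPorts alias; order is irrelevant here

# Reflection: rewrite the destination from the WAN IP to the internal server.
# No "port" on the right-hand side, so the original destination port is preserved
# per connection instead of one port being chosen for the whole alias.
rdr on $int_if proto tcp from $lan_net to $wan_ip port $web_ports -> $webserver

# Hairpin: source-NAT the reflected connection to the firewall's LAN address so the
# server answers through the firewall instead of replying directly to the client.
nat on $int_if proto tcp from $lan_net to $webserver port $web_ports -> ($int_if)

# Allow the translated traffic; state keeps the return path consistent.
pass in quick on $int_if proto tcp from $lan_net to $webserver port $web_ports keep state
```

Split DNS, as recommended above, avoids the reflection path entirely by resolving sub.domain.com to 192.168.1.20 for internal clients; the rules here only matter when clients must use the public address.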
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.