All web traffic suddenly being redirected to internal web server



  • Hi I have a pfs 1.2.3 box that has been running for 2 months without a glitch. Today however all our web traffic is being redirected to and served  our internal cpanel webserver. As a result all pages show up with the cpanel/apache default page. Nothing has changed on the box except for adding a block rule to a tawain ip subnet this morning (brute force ssh attempt). I have since removed the firewall rule and still
    no luck.

    Here is my network setup:

    adsl>>>>>modem(192.168.1.1)>>>>PFS-Wan (192.168.1.2)

    PFS-lan  (10.10.11.0/24)

    PFS-OPT2(10.0.0.0/24)>>>>>cpanel www server(10.0.0.116)

    Any ideas on what is going on?

    Is it possible that the attempted hacker was succesfull and modify my box?



  • I bet you have as "external address" in your NAT rule to forwards traffic to your server "any".
    (It should be the external address and NOT any).



  • Hi thanks for your help. I'm a little confused on to your suggestion. Can you please elaborate.

    Thanks again



  • What nat rules do you have? Can you give us an output of```
    pfctl -sn


  • Rebel Alliance Developer Netgate

    This is quite common with misconfigured NAT rules, see here:

    http://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F



  • Hi thanks for all your help. I just confirmed that the nat rule for port 80 is correctly configured with external address.

    the print out of pfctl -sn is huge, I don't know how to capture the entire print. I have attached a screen print of my nat page:

    ![FireShot capture #009 - 'anfw02_aspironetworks_com - Firewall_ NAT_ Port Forward' - 87_103_14_72_9080_firewall_nat_php.jpg](/public/imported_attachments/1/FireShot capture #009 - 'anfw02_aspironetworks_com - Firewall_ NAT_ Port Forward' - 87_103_14_72_9080_firewall_nat_php.jpg)
    ![FireShot capture #009 - 'anfw02_aspironetworks_com - Firewall_ NAT_ Port Forward' - 87_103_14_72_9080_firewall_nat_php.jpg_thumb](/public/imported_attachments/1/FireShot capture #009 - 'anfw02_aspironetworks_com - Firewall_ NAT_ Port Forward' - 87_103_14_72_9080_firewall_nat_php.jpg_thumb)



  • My guess you are having problem with your web-server.


  • Rebel Alliance Developer Netgate

    You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

    That may also be an issue.



  • @jimp:

    You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

    That may also be an issue.

    Could you explain how this might be related to NAT on WAN interface?


  • Rebel Alliance Developer Netgate

    @Eugene:

    Could you explain how this might be related to NAT on WAN interface?

    It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)



  • @jimp:

    @Eugene:

    Could you explain how this might be related to NAT on WAN interface?

    It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)

    Oh… I did not see anything about nat redirection in initial post and supposed this web-site fails for outside people -)


  • Rebel Alliance Developer Netgate

    He didn't say it, but if you look at the link I posted earlier, it's the #1 cause of this exact issue.



  • Hey guys thanks so much for your help. The zon interface is my wan2 which this moment is down.

    The webserver is accesabile from outside, and everything else is accessible from lan (ie. email, ping, traceroute), it really only seems to be port 80 that gets redirected to the webserver. What gets me is that system was up for 2 months and never had an issue, until this morning.

    I also doubled checked the nat rule for port 80 to the webserver and is setup with external address.


  • Rebel Alliance Developer Netgate

    You seem to be missing the real point here. If you have NAT reflection enabled, shut it off.

    If that fixes the problem, then you still have an incorrectly specified port forward somewhere.



  • Hi thanks again. I shut off nat reflection, and now everything is fine, so obviously than I have a mis-configured port 80 somewhere. Why would this turn up now after 2 months of no problems?


  • Rebel Alliance Developer Netgate

    It may be related to that second WAN that you said was just shut off, or some other cause. Somehow it's trying to reflect any external address instead of a specific one.

    NAT Reflection is evil  :)


Locked