    All web traffic suddenly being redirected to internal web server

    16 Posts 4 Posters 6.2k Views
    • evp

      Hi, I have a pfs 1.2.3 box that has been running for 2 months without a glitch. Today, however, all our web traffic is being redirected to and served by our internal cPanel webserver. As a result all pages show up with the cPanel/Apache default page. Nothing has changed on the box except for adding a block rule for a Taiwan IP subnet this morning (brute force SSH attempt). I have since removed the firewall rule and still no luck.

      Here is my network setup:

      adsl>>>>>modem(192.168.1.1)>>>>PFS-Wan (192.168.1.2)

      PFS-lan  (10.10.11.0/24)

      PFS-OPT2(10.0.0.0/24)>>>>>cpanel www server(10.0.0.116)

      Any ideas on what is going on?

      Is it possible that the attempted hacker was successful and modified my box?

      • GruensFroeschli

        I bet you have "any" as the "external address" in the NAT rule that forwards traffic to your server.
        (It should be the external address and NOT any.)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • evp

          Hi, thanks for your help. I'm a little confused by your suggestion. Can you please elaborate?

          Thanks again

          • Eugene

            What NAT rules do you have? Can you give us the output of `pfctl -sn`?

            http://ru.doc.pfsense.org

            • jimp (Rebel Alliance Developer, Netgate)

              This is quite common with misconfigured NAT rules, see here:

              http://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • evp

                Hi, thanks for all your help. I just confirmed that the NAT rule for port 80 is correctly configured with external address.

                The printout of `pfctl -sn` is huge; I don't know how to capture the entire print. I have attached a screen print of my NAT page:

                [Attachment: screenshot of the Firewall: NAT: Port Forward page]

                • Eugene

                  My guess is you are having a problem with your web server.

                  • jimp (Rebel Alliance Developer, Netgate)

                    You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

                    That may also be an issue.

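As an added example (not code from this thread, from pfSense or from Netgate), here is a small audit script that reads the `pfctl -sn` output Eugene asked for and flags rdr rules whose external address is `any` or `0.0.0.0`, the kind of port forward jimp points at above. The sample rules, interface names and the WAN address 203.0.113.5 are constructed; the script assumes the `rdr on IF ... from SRC to DST port = N -> TARGET` layout that pf prints.

```python
import re

# Constructed sample of `pfctl -sn` output. Interfaces, the WAN address
# 203.0.113.5 and the rule mix are made up; only 10.0.0.116 mirrors the thread.
SAMPLE_PFCTL_SN = """\
nat on em0 inet from 10.10.11.0/24 to any -> (em0) round-robin
nat on em0 inet from 10.0.0.0/24 to any -> (em0) round-robin
rdr on em0 inet proto tcp from any to 203.0.113.5 port = http -> 10.0.0.116
rdr on em0 inet proto tcp from any to 203.0.113.5 port = https -> 10.0.0.116
rdr on em2 inet proto tcp from any to 0.0.0.0 port = http -> 10.0.0.116
rdr on em2 inet proto tcp from any to any port = 80 -> 10.0.0.116
"""

# pf prints rdr rules as: rdr [pass] on IF [inet] proto P from SRC to DST port = N -> TARGET
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?\s+on\s+(?P<iface>\S+)\s+(?:inet6?\s+)?proto\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+(?P<dst>\S+)\s+port\s*=\s*(?P<port>\S+)\s+->\s+(?P<target>\S+)"
)

# External addresses that make a port forward match *every* destination. With
# NAT reflection on, such a rule also catches LAN clients browsing to any site
# on that port, which is the symptom described in the thread.
WILDCARD_DSTS = {"any", "0.0.0.0", "0.0.0.0/0", "::/0", "::"}


def parse_rdr_rules(pfctl_output):
    """Parse the rdr lines of `pfctl -sn` output into dicts; nat lines are skipped."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def find_wildcard_forwards(pfctl_output, ports=("80", "http", "www")):
    """Return the rdr rules for the given ports whose external address is a wildcard."""
    return [r for r in parse_rdr_rules(pfctl_output)
            if r["dst"] in WILDCARD_DSTS and r["port"] in ports]


def report(findings):
    """One human-readable warning per offending rule."""
    return ["%s/%s on %s: external address '%s' should be the interface's real "
            "address, not a wildcard (forwards to %s)"
            % (f["proto"], f["port"], f["iface"], f["dst"], f["target"])
            for f in findings]


if __name__ == "__main__":
    for line in report(find_wildcard_forwards(SAMPLE_PFCTL_SN)):
        print(line)
```

On a real box, pipe `pfctl -sn` into the script instead of the constructed sample; the two em2 rules above are exactly the "external address 0.0.0.0 for port 80" pattern that reflection turns into a redirect of all LAN web traffic.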
                    • Eugene

                      @jimp:

                      You have two port forwards on the "zon" interface that have an external address of 0.0.0.0 for port 80.

                      That may also be an issue.

                      Could you explain how this might be related to NAT on WAN interface?

                      • jimp (Rebel Alliance Developer, Netgate)

                        @Eugene:

                        Could you explain how this might be related to NAT on WAN interface?

                        It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)

                        • Eugene

                          @jimp:

                          @Eugene:

                          Could you explain how this might be related to NAT on WAN interface?

                          It's not related to NAT on WAN, it's related to NAT reflection, which is a big ugly mess and could easily do this. :-)

                          Oh… I did not see anything about NAT redirection in the initial post and supposed this web site fails for outside people -)

                          • jimp (Rebel Alliance Developer, Netgate)

                            He didn't say it, but if you look at the link I posted earlier, it's the #1 cause of this exact issue.

                            • evp

                              Hey guys, thanks so much for your help. The zon interface is my WAN2, which at this moment is down.

                              The webserver is accessible from outside, and everything else is accessible from LAN (i.e. email, ping, traceroute); it really only seems to be port 80 that gets redirected to the webserver. What gets me is that the system was up for 2 months and never had an issue, until this morning.

                              I also double-checked the NAT rule for port 80 to the webserver and it is set up with external address.

                              • jimp (Rebel Alliance Developer, Netgate)

                                You seem to be missing the real point here. If you have NAT reflection enabled, shut it off.

                                If that fixes the problem, then you still have an incorrectly specified port forward somewhere.

                                • evp

                                  Hi, thanks again. I shut off NAT reflection, and now everything is fine, so obviously then I have a misconfigured port 80 somewhere. Why would this turn up now after 2 months of no problems?

                                  • jimp (Rebel Alliance Developer, Netgate)

                                    It may be related to that second WAN that you said was just shut off, or some other cause. Somehow it's trying to reflect any external address instead of a specific one.

                                    NAT Reflection is evil :)

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.