Netgate Discussion Forum
    HTTPS Breaks when upgrading from 1.2.2 to 1.2.3

    7 Posts 2 Posters 2.8k Views
    bgbearcatfan:

      I am experiencing issues related to either a firewall NAT problem or Rules problem.

      I have a firewall nat/rule setup to allow https (443) through to an internal ip address (10.1.1.22).

      When I set this rule up on pfsense version 1.2.2 it works great.  As soon as I upgrade to 1.2.3 the rule breaks.  I have tried blowing away the rule and recreating it again with no success.

      There is nothing listed in the firewall logs or system logs.  I am stumped…

      Any ideas?

      /Brian
      /2.0.1-RELEASE
      built on Mon Dec 12 18:24:17 EST 2011

      jimp (Rebel Alliance Developer, Netgate):

        I've not seen anything like that happen before, personally.

        Can you post exactly what you have configured for the NAT rule, Firewall rule, NAT reflection, and any packages you may have installed?

        Have you tried to use tcpdump or packet captures to verify how the traffic is entering/leaving the router?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        bgbearcatfan:

          Thanks for your reply.

          I just tried, for kicks and giggles, to upgrade to the 2.0-BETA2 version and still have the same problem.  So I immediately downgraded back to 1.2.2 and it started working again.

          I have not installed any packages on any of these tests I have performed.

          I will post the NAT/Firewall rules hopefully within the next hour, and will run a packet capture as well.

          bgbearcatfan:

            PACKET CAPTURE:

            14:08:16.938370 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0
            14:08:19.937530 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0
            14:08:25.940409 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0

            FIREWALL NAT:

            if    proto   ext. port range   nat ip      int. port range
            WAN   TCP     443 (HTTPS)       10.1.1.23   443 (HTTPS)

            FIREWALL RULE:

            proto   source   port   destination   port          gateway
            TCP     *        *      10.1.1.23     443 (HTTPS)   *

            jimp (Rebel Alliance Developer, Netgate):

              Some things for the next time you try:

              If you set that firewall rule to log, does it show up?

              If you do a packet capture on LAN, do you see the traffic leaving?

              Check the output of "pfctl -sn" for that rule before and after upgrade.

              bgbearcatfan:
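The capture posted above shows the same client port retrying the SYN at increasing intervals with nothing coming back, which is consistent with the forward not being in the active pf ruleset at all. The check suggested here, comparing the "pfctl -sn" output before and after the upgrade, can be scripted. The following is an added example, not code from the thread or from pfSense: it parses rdr lines in the format pfctl prints them, verifies that the expected forward (TCP 443 to 10.1.1.23) is loaded, and lists rules that exist before the upgrade but not after. The sample rulesets are constructed for the example, and 203.0.113.10 is a placeholder WAN address.

```python
import re

# Constructed sample of `pfctl -sn` output (not captured from the thread).
# 203.0.113.10 is a placeholder for the WAN address.
BEFORE_UPGRADE = """\
nat on em0 inet from 10.1.1.0/24 to any -> 203.0.113.10 port 1024:65535
rdr on em0 inet proto tcp from any to 203.0.113.10 port = http -> 10.1.1.23
rdr on em0 inet proto tcp from any to 203.0.113.10 port = https -> 10.1.1.23
"""

# Same ruleset with the HTTPS forward missing, to show what a lost rule looks like.
AFTER_UPGRADE = """\
nat on em0 inet from 10.1.1.0/24 to any -> 203.0.113.10 port 1024:65535
rdr on em0 inet proto tcp from any to 203.0.113.10 port = http -> 10.1.1.23
"""

# pf prints well-known ports by service name; map the ones we care about.
PORT_NAMES = {"http": 80, "https": 443}

# Matches "rdr on <if> ... proto <proto> ... port = <port> -> <target> [port <n>]".
# The trailing "port <n>" is optional because older pf output omits it when the
# internal port equals the external one.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) .*?proto (?P<proto>\S+) .*?"
    r"port = (?P<port>\S+) -> (?P<target>[\d.]+)(?: port (?P<tport>\d+))?"
)


def port_number(token):
    """Turn a numeric string or service name from pf output into an int."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_rdr_rules(pfctl_output):
    """Return a list of dicts, one per rdr (port forward) rule, ignoring nat lines."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        ext_port = port_number(m.group("port"))
        int_port = int(m.group("tport")) if m.group("tport") else ext_port
        rules.append({
            "iface": m.group("iface"),
            "proto": m.group("proto"),
            "ext_port": ext_port,
            "target": m.group("target"),
            "int_port": int_port,
        })
    return rules


def check_forward(pfctl_output, proto, ext_port, expected_target, expected_int_port=None):
    """Verify that a forward for proto/ext_port to expected_target is loaded.

    Returns (ok, message). A rule that exists but points at a different
    internal host or port is reported as a mismatch rather than as missing.
    """
    expected_int_port = expected_int_port or ext_port
    matches = [r for r in parse_rdr_rules(pfctl_output)
               if r["proto"] == proto and r["ext_port"] == ext_port]
    if not matches:
        return False, f"no rdr rule for {proto}/{ext_port}: the forward is not loaded in pf"
    for r in matches:
        if r["target"] == expected_target and r["int_port"] == expected_int_port:
            return True, (f"rdr for {proto}/{ext_port} -> "
                          f"{expected_target}:{expected_int_port} is loaded on {r['iface']}")
    seen = ", ".join(f"{r['target']}:{r['int_port']}" for r in matches)
    return False, (f"rdr for {proto}/{ext_port} exists but points at {seen}, "
                   f"expected {expected_target}:{expected_int_port}")


def rules_lost_after_upgrade(before_output, after_output):
    """Return rdr rules present in the 'before' ruleset but absent afterwards."""
    after_keys = {tuple(sorted(r.items())) for r in parse_rdr_rules(after_output)}
    return [r for r in parse_rdr_rules(before_output)
            if tuple(sorted(r.items())) not in after_keys]


if __name__ == "__main__":
    for label, output in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        ok, msg = check_forward(output, "tcp", 443, "10.1.1.23")
        print(f"[{label}] {'OK ' if ok else 'FAIL'} {msg}")
    for r in rules_lost_after_upgrade(BEFORE_UPGRADE, AFTER_UPGRADE):
        print(f"lost after upgrade: {r['proto']}/{r['ext_port']} -> {r['target']}:{r['int_port']}")
```

On a real box the two strings would be replaced by the saved output of `pfctl -sn` taken before and after the upgrade; the point of checking the loaded ruleset rather than the GUI is that it shows what pf is actually enforcing, which is also why a forward that never loaded produces no block entries in the firewall log.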

                Setting the rule to log does not display anything in the firewall logs, which is why I'm so confused… Doesn't look like pfsense is blocking anything?

                If I do a packet capture on LAN for that port, I get nothing.

                I will run the pfctl command before and after and let ya know.

                Thanks again

                edit

                If I enable logging for standard HTTP (port 80) traffic I am getting green allows for port 80 on that IP address.

                bgbearcatfan:

                  Just to give you an update….

                  I did one last clean install with the latest version of pfsense... Recreated all my rules and settings, and this time it worked... I have absolutely NO idea what is going on, but it's working now, so I won't fix what's not broken...

                  Thanks for your time man, much appreciated

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.