HTTPS Breaks when upgrading from 1.2.2 to 1.2.3



  • I am experiencing issues related to either a firewall NAT problem or a rules problem.

    I have a firewall NAT/rule set up to allow HTTPS (443) through to an internal IP address (10.1.1.22).

    When I set this rule up on pfSense version 1.2.2 it works great.  As soon as I upgrade to 1.2.3 the rule breaks.  I have tried blowing away the rule and recreating it again with no success.

    There is nothing listed in the firewall logs or system logs.  I am stumped…

    Any ideas?


  • Rebel Alliance Developer Netgate

    I've not seen anything like that happen before, personally.

    Can you post exactly what you have configured for the NAT rule, Firewall rule, NAT reflection, and any packages you may have installed?

    Have you tried to use tcpdump or packet captures to verify how the traffic is entering/leaving the router?



  • Thanks for your reply.

    I just tried, for kicks and giggles, to upgrade to the 2.0-BETA2 version and still have the same problem.  So I immediately downgraded back to 1.2.2 and it started working again.

    I have not installed any packages on any of these tests I have performed.

    I will post the NAT/Firewall rules hopefully within the next hour, and will run a packet capture as well.



  • PACKET CAPTURE:

    14:08:16.938370 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0
    14:08:19.937530 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0
    14:08:25.940409 ip (ipaddressconnectingfrom).57550 > (ipaddressconnectingto).443 tcp 0

    FIREWALL NAT:

    if     proto   ext. port range   nat ip      int. port range
    WAN    TCP     443 (HTTPS)       10.1.1.23   443 (HTTPS)

    FIREWALL RULE:

    proto   source   port   destination   port          gateway
    TCP     *        *      10.1.1.23     443 (HTTPS)   *


  • Rebel Alliance Developer Netgate

    Some things for the next time you try:

    If you set that firewall rule to log, does it show up?

    If you do a packet capture on LAN, do you see the traffic leaving?

    Check the output of "pfctl -sn" for that rule before and after upgrade.
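    As an added illustration of the diagnosis suggested above (not part of the thread): the WAN capture posted earlier shows the same client source port retrying at growing intervals with no reply and, per the poster, nothing on LAN. The script below correlates a WAN capture with a LAN capture in the format quoted in the thread and reports, per client, whether the forward was translated. Addresses are constructed placeholders from the documentation ranges; the WAN IP, NAT IP and helper names are assumptions.

    ```python
    import re
    from collections import defaultdict

    # tcpdump line in the pfSense packet-capture format quoted in the thread:
    # "14:08:16.938370 ip SRC.SPORT > DST.DPORT tcp LEN"
    LINE_RE = re.compile(r"^(\S+) ip (\S+)\.(\d+) > (\S+)\.(\d+) tcp (\d+)$")

    def parse_capture(text):
        """Parse capture lines into (ts, src, sport, dst, dport) tuples; skip anything else."""
        pkts = []
        for line in text.strip().splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                ts, src, sport, dst, dport, _ = m.groups()
                pkts.append((ts, src, int(sport), dst, int(dport)))
        return pkts

    def check_port_forward(wan_text, lan_text, wan_ip, nat_ip, port):
        """For each client hitting wan_ip:port on WAN, report whether the firewall
        answered on WAN or emitted the translated packet (to nat_ip:port) on LAN."""
        wan, lan = parse_capture(wan_text), parse_capture(lan_text)
        clients = defaultdict(lambda: {"attempts": 0, "wan_replies": 0, "lan_forwarded": 0})
        for _, src, sport, dst, dport in wan:
            if (dst, dport) == (wan_ip, port):
                clients[(src, sport)]["attempts"] += 1
            elif (src, sport) == (wan_ip, port):      # reply leaving toward the client
                clients[(dst, dport)]["wan_replies"] += 1
        for _, src, sport, dst, dport in lan:
            if (dst, dport) == (nat_ip, port) and (src, sport) in clients:
                clients[(src, sport)]["lan_forwarded"] += 1
        report = {}
        for key, c in clients.items():
            if c["lan_forwarded"] == 0 and c["wan_replies"] == 0:
                verdict = "not translated: arrived on WAN, never left on LAN, no reply"
            elif c["wan_replies"] == 0:
                verdict = "forwarded to LAN but host did not answer"
            else:
                verdict = "ok"
            report[key] = dict(c, verdict=verdict)
        return report

    # Constructed sample: the thread's WAN capture with placeholder addresses
    # (203.0.113.1 = firewall WAN, 198.51.100.7 = client) and the empty LAN capture reported.
    WAN_CAPTURE = """
    14:08:16.938370 ip 198.51.100.7.57550 > 203.0.113.1.443 tcp 0
    14:08:19.937530 ip 198.51.100.7.57550 > 203.0.113.1.443 tcp 0
    14:08:25.940409 ip 198.51.100.7.57550 > 203.0.113.1.443 tcp 0
    """
    LAN_CAPTURE = ""

    if __name__ == "__main__":
        for (src, sport), c in check_port_forward(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.1", "10.1.1.23", 443).items():
            print(f"{src}:{sport} attempts={c['attempts']} -> {c['verdict']}")
    ```

    A "not translated" verdict with no firewall log entry points at the NAT rule not being installed in pf rather than at a block, which is what comparing "pfctl -sn" before and after the upgrade would confirm.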



  • Setting the rule to log does not display anything in the firewall logs, which is why I'm so confused… Doesn't look like pfSense is blocking anything?

    If I do a packet capture on LAN for that port, I get nothing.

    I will run the pfctl command before and after and let ya know.

    Thanks again

    Edit:

    If I enable logging for standard HTTP (port 80) traffic I am getting green allows for port 80 on that IP address.



  • Just to give you an update…

    I did one last clean install with the latest version of pfSense... Recreated all my rules and settings, and this time it worked... I have absolutely NO idea what is going on, but it's working now, so I won't fix what's not broken...

    Thanks for your time man, much appreciated

