Impossible to access my internal webserver that has the same IP as pfSense.



  • Current version: 2.0-RC2
          Built On: Thu Jun  9 19:52:30 EDT 2011

    DNS server on the internet giving my domain IP, e.g. 123.123.123.123

    pfsense 10.0.0.1  (external IP 123.123.123.123)
    Webserver 10.0.0.10
    client 10.0.0.50 (using 10.0.0.1 as gateway and DNS)

    (I have rules for NAT and firewall to forward port 80 to 10.0.0.10.)

    When the client tries to go to 123.123.123.123 it gets directed to 10.0.0.1 and port 10000, which I have picked for pfSense.

    I have tried changing all these settings forever but nothing works; I always get redirected to pfSense. (Only going to my internal websites using the IP address works.)

    Please help.
    --------------------------------------------------------------------
    WebGUI redirect

    Disable webConfigurator redirect rule
    When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

    WebGUI Login Autocomplete

    Disable webConfigurator login autocomplete
    When this is unchecked, login credentials for the webConfigurator may be saved by the browser. While convenient, some security standards require this to be disabled. Check this box to disable autocomplete on the login form so that browsers will not prompt to save credentials (NOTE: Some browsers do not respect this option).

    WebGUI login messages

    Disable logging of webConfigurator successful logins
    When this is checked, successful logins to the webConfigurator will not be logged.

    Anti-lockout

    Disable webConfigurator anti-lockout rule
    When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure you have a firewall rule in place that allows you in, or you will lock yourself out!) Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.

    DNS Rebind Check

    Disable DNS Rebinding Checks
    When this is unchecked, your system is protected against DNS Rebinding attacks. This blocks private IP responses from your configured DNS servers. Check this box to disable this protection if it interferes with webConfigurator access or name resolution in your environment.

    Alternate Hostnames

    Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks
    Here you can specify alternate hostnames by which the router may be queried, to bypass the DNS Rebinding Attack checks. Separate hostnames with spaces.

    Browser HTTP_REFERER enforcement

    Disable HTTP_REFERER enforcement check
    When this is unchecked, access to the webConfigurator is protected against HTTP_REFERER redirection attempts. Check this box to disable this protection if you find that it interferes with webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from Wikipedia.



  • That's the expected behavior if you aren't using reflection.



  • This is from the help:

    If you have an improperly specified NAT Port Forward, it can cause problems when NAT Reflection is enabled.
    The most common way this problem arises is when you have a local web server, and port 80 is forwarded there. When NAT Reflection is enabled, any connection you make comes up as your own web site.

    To fix this, edit your NAT Port Forward for the offending port, and change "External Address" to "Interface Address" instead of "any".
    If you really require an external address of "any", then NAT Reflection will not work for you, and you'll need to employ Split DNS instead.

    When I look at my NAT Port Forward I don't even have anything called External Address!
    I do have something called Destination, and there I have Type: WAN address.

    I even tried to disable NAT reflection for that rule but nothing changes.

    I am stuck.


  • Netgate Administrator

    Generally speaking you simply need to enable NAT reflection if you want to access your internal servers by their external IP or URL.
    Go to System -> Advanced -> Firewall/NAT and uncheck the 'Disable NAT Reflection for port forwards' box.

    By the way are you just mocking us with your 1Gb FTTH!?  ;)

    Steve



  • "System -> Advanced -> Firewall/NAT and uncheck the 'Disable NAT Reflection for port forwards' box."

    It was already unchecked.

    "you simply need to enable NAT reflection if you want to access you internal servers by their external IP or URL"

    I now enabled that under my port forward rule, still not working.

    Still can't access my webservers from inside using the URL, don't know what to do now.


  • Netgate Administrator

    So you are just getting the pfSense web interface instead?

    Can you access your server from outside your network?

    Could you post your firewall and port forward rules?

    Steve



  • Yes, it is possible to see my web pages from outside, and from inside I always get the pfSense login page.

    NAT:

    <rule>
      <destination>
        <network>wanip</network>
        <port>80</port>
      </destination>
      <protocol>tcp</protocol>
      <target>10.0.0.13</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr></descr>
      <associated-rule-id>nat_4df69530c18858.35806452</associated-rule-id>
      <natreflection>enable</natreflection>
    </rule>

    FW:

    <rule>
      <source><any></any></source>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination>
        <address>10.0.0.13</address>
        <port>80</port>
      </destination>
      <associated-rule-id>nat_4df69530c18858.35806452</associated-rule-id>
    </rule>


  • Netgate Administrator

    Hmmm,
    Well I would have said that as long as you have NAT reflection enabled on the port forward rule AND 'WebGUI redirect' disabled in system -> advanced then this should work.  :-\

    My previous comment about enabling NAT reflection was based on my experience with 1.2.3. I hadn't realised you can now enable it on each port forward individually.

    Steve
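The two conditions discussed in this thread (the port forward's destination and reflection setting, and the WebGUI redirect rule on port 80) can be checked mechanically against a config.xml export. The checker below is an added example, not code from pfSense or from anyone in the thread; the `<system>` keys `disablenatreflection` and `webgui/disablehttpredirect` are assumed names for the two "Disable ..." checkboxes, and the sample config is constructed to mirror the rule posted above.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the port forward posted in the thread.
# The <system> keys checked below (disablenatreflection,
# webgui/disablehttpredirect) are assumed config.xml names.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><port>10000</port></webgui></system>
  <nat>
    <rule>
      <destination><network>wanip</network><port>80</port></destination>
      <protocol>tcp</protocol>
      <target>10.0.0.13</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <natreflection>enable</natreflection>
    </rule>
  </nat>
</pfsense>"""


def lint_port_forwards(config_xml: str) -> list[str]:
    """Return reasons a LAN client browsing to the WAN IP would still land
    on the firewall itself instead of the forwarded internal server."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    webgui = system.find("webgui") if system is not None else None
    gui_port = int(webgui.findtext("port", "443")) if webgui is not None else 443
    # Redirect on port 80 is on unless explicitly disabled (assumed key).
    redirect_on = webgui is None or webgui.find("disablehttpredirect") is None
    reflection_off = system is not None and system.find("disablenatreflection") is not None
    findings = []
    for rule in root.iter("rule"):
        dst = rule.find("destination")
        if dst is None or rule.find("target") is None:
            continue  # filter rules have no <target>; only port forwards do
        port = dst.findtext("port", "")
        net = dst.findtext("network", "") or dst.findtext("address", "any")
        label = f"forward {port}/{rule.findtext('protocol')} -> {rule.findtext('target')}"
        if net == "any":
            findings.append(f"{label}: destination 'any' breaks reflection; use WAN address or split DNS")
        per_rule = rule.findtext("natreflection", "")
        if per_rule == "disable" or (per_rule == "" and reflection_off):
            findings.append(f"{label}: NAT reflection is off, LAN clients reach the firewall itself")
        if port == "80" and redirect_on:
            findings.append(f"{label}: WebGUI redirect on port 80 still enabled (GUI on {gui_port})")
    return findings
```

Run on the sample it reports only the port-80 WebGUI redirect, which is the remaining condition Steve points at; add `<disablehttpredirect/>` under `<webgui>` and the report is empty.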



  • I just updated the firmware hoping it would solve anything but it didn't.

    Hope someone else knows what's wrong with the NAT reflection.

