[RESOLVED] https through virtual IP

  • Hi, I'm running ver 2.0.rc3

    I have created a virtual IP which I wish to handle an https connection.  The https connection to the default wan address is directed to a different internal machine.

    In NAT I have an Inbound rule
    WAN TCP/UDP * * 200.XXX.XXX.163 443 (HTTPS) WebServer *

    200.XXX.XXX.163 is the virtual IP.

    The log show a:
    block Sep 1 19:04:43 LAN 192.168.0.XXX:443 190.XXX.XXX.221:2124 TCP:SA

    and the detail of the block states:
    @1 scrub in on em0 all no-df fragment reassemble
    @1 block drop in log all label "Default deny rule"

    My LAN rules are really relaxed for testing
    Pass * LAN net * * * * none

    I really rather not add a 1:1 rule with the webserver and the virtual IP.

    Can someone give me a clue as to what I am missing, because, well, the connection is not working.


  • Hmmm… I guess this has nothing to do with https as I just tried it with port 80 and same problem, so it must be something with the virtual IP that I don't understand.

  • Can you give screenshots and remove your public IP information?

  • Sure,
    Here they are.

    My goal is simple.

    I have two web servers.
    One was dedicated only for http
    The other for https
    But I want to have a second https server
    For testing purposes, I simply set the http server to also serve https.
    Internally it all works just fine.
    I want the second https (the newer one) to be accessible from outside.  So I created the x.x.x.163 IP alias so I could direct the https traffic to that server, while using only one NIC that is hooked up to the external router.

    After it didn't work I also created a nat entry for port 80 on that virtual IP to see if it was an SSL issue.  I got the same result, the same block, except that it says port 80 in the log.


  • And the other two that didn't fit in the post.

  • Try without destination alias.
    How do you have public IPs? Are you having a continuous block or something else?

  • OK, I changed the entry, replacing the alias with the IP of the server.

    Same result.

    Yes, it's a block.  (162-165) And I'm reaching the firewall from the outside world with the .163 because I get the firewall block entries at the exact time I try to access from the outside world.  The .162 is the regular address.  I used the .163 in the past (hooked up to another physical firewall), I stopped using it for a while, it is possible that the provider changed something, but I doubt it.

    I haven't posted the entry itself in NAT.  Here is the screenshot of that.

  • It's fixed!

    Thank you, when you asked about the block, I kept thinking, so I went and rechecked everything, duhhhh, how stupid of me, the subnet mask was WRONG.


    Thank you!

  • It's OK, but you're showing your public IPs again.

  • So I set everything back to how I wanted it originally, and for the record having the destination Alias works fine.

    Thanks for the Public/IP warning.  I'll take it out again.  Thanks.

    Is there a way one can mark threads as "Answered" here?

  • Edit your first post subject with [SOLVED].

  • Never mind, it isn't solved.  Having the same problem again.  I have no clue as to why it started working and after a while it stopped working.

    Any ideas of what else to look for?

  • Well, I fixed it again.

    I think I found a bug.

    Whenever you make any changes in the System > Advanced > Firewall/NAT window, it changes the IP Alias to Network rather than Single address, which of course breaks this.  Uggh…

    Anyways, messing around in that screen, I can't remember what the defaults for this were; can someone remind me which ones should be checked?

    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules…:


  • I was wrong, changes in the System Advanced screen do not change the label Network.  The label Network is changed whenever you use anything other than a /32 mask.

    It turns out that it works just fine with the mask /32

    Whenever I re-save the Virtual IP it starts working again.

    But I just noticed something else.  I got the log entry:
    kernel: arp: 00:1e:58:39:1a:1e is using my IP address 200.XXX.XXX.163 on vr0!

    So I guess the provider did change something and that IP is assigned to something else, that would explain the weird erratic behavior.  The provider was absorbed by another provider, so I think that's the origin of the problem.

    Anyhow, thanks and please do let me know what the defaults are for:
    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules…:
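The two log symptoms in this thread are worth recognising mechanically. A blocked packet entering on the LAN interface with the SYN and ACK flags set (the `TCP:SA` entry earlier in the thread) is the web server answering a handshake for which pf holds no state, which is what you see when the inbound NAT rule never built one; and the kernel `arp: ... is using my IP address` notice means another host on the WAN segment answers ARP for the virtual IP. The script below is an added example, not code from the thread or from pfSense: it parses both line shapes and reports them. Interface names, the hosts, and the log lines themselves are constructed to match the thread's format using documentation address ranges; the MAC address is the one quoted in the thread.

```python
"""Triage helpers for two pfSense log symptoms (added example, not pfSense code):
a blocked SYN-ACK on the LAN side (server reply with no matching state) and a
kernel ARP notice that another MAC claims one of the firewall's addresses.
Sample log lines are constructed; interface names and addresses are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# GUI-style filter log line: action, timestamp, interface, src:port, dst:port, proto[:flags]
FILTER_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)

# FreeBSD kernel notice logged when another host answers ARP for one of our addresses
ARP_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>[\d.]+) on (?P<iface>\w+)!"
)


@dataclass
class Finding:
    kind: str    # "orphan_reply" or "ip_conflict"
    detail: str


def parse_filter(line: str) -> Optional[dict]:
    """Return the fields of a filter log line, or None if the line is not one."""
    m = FILTER_RE.match(line.strip())
    return m.groupdict() if m else None


def find_orphan_replies(lines: Iterable[str], lan_iface: str = "LAN") -> List[Finding]:
    """A blocked TCP packet arriving on LAN with SYN+ACK set is the server's
    handshake reply; pf only evaluates rules for packets that match no state,
    so the block means the forward never created (or no longer holds) one."""
    out: List[Finding] = []
    for line in lines:
        rec = parse_filter(line)
        if not rec or rec["action"] != "block" or rec["iface"] != lan_iface:
            continue
        flags = set(rec["flags"] or "")
        if rec["proto"] == "TCP" and {"S", "A"} <= flags:
            out.append(Finding(
                "orphan_reply",
                f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
                f"SYN-ACK hit default deny on {lan_iface}",
            ))
    return out


def find_ip_conflicts(lines: Iterable[str], my_ips: Iterable[str]) -> List[Finding]:
    """Report kernel ARP notices for any address in my_ips (the WAN address and
    every virtual IP the firewall is supposed to own)."""
    mine = set(my_ips)
    out: List[Finding] = []
    for line in lines:
        m = ARP_RE.search(line)
        if m and m.group("ip") in mine:
            out.append(Finding(
                "ip_conflict",
                f"{m.group('ip')} on {m.group('iface')} also claimed by {m.group('mac')}",
            ))
    return out


def triage(log_text: str, lan_iface: str = "LAN", my_ips: Iterable[str] = ()) -> List[Finding]:
    """Run both checks over a block of log text and return the findings in order."""
    lines = log_text.splitlines()
    return find_orphan_replies(lines, lan_iface) + find_ip_conflicts(lines, my_ips)


# Constructed sample: the thread's line shapes with documentation-range addresses.
# 192.0.2.163 stands in for the virtual IP, 192.168.0.10 for the web server.
SAMPLE_LOG = """\
block Sep 1 19:04:43 LAN 192.168.0.10:443 198.51.100.221:2124 TCP:SA
pass Sep 1 19:04:50 WAN 198.51.100.221:2125 192.0.2.163:443 TCP:S
block Sep 1 19:05:01 WAN 203.0.113.5:51000 192.0.2.162:1900 UDP
kernel: arp: 00:1e:58:39:1a:1e is using my IP address 192.0.2.163 on vr0!
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, my_ips={"192.0.2.162", "192.0.2.163"}):
        print(finding.kind, finding.detail)
```

Feed it the firewall log export and the system log together; an `orphan_reply` for the forwarded port with no `ip_conflict` points at the NAT or virtual-IP definition (the /32 mask in this thread), while an `ip_conflict` on the same address says the upstream segment, not the firewall, is the place to look.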

  • @artgug:

    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules…:

    I'm not sure if I have default settings, but working settings: check, check & uncheck

  • Thanks!
