Netgate Discussion Forum

    [RESOLVED] https through virtual IP

    General pfSense Questions
    16 Posts 2 Posters 6.7k Views
    • artgug

      Hi, I'm running ver 2.0.rc3

      I have created a virtual IP which I wish to handle an https connection.  The https connection to the default wan address is directed to a different internal machine.

      In NAT I have an Inbound rule
      WAN TCP/UDP * * 200.XXX.XXX.163 443 (HTTPS) WebServer *

      200.XXX.XXX.163 is the virtual IP.

      The log shows a:
      block Sep 1 19:04:43 LAN 192.168.0.XXX:443 190.XXX.XXX.221:2124 TCP:SA

      and the detail of the block states:
      @1 scrub in on em0 all no-df fragment reassemble
      @1 block drop in log all label "Default deny rule"

      My LAN rules are really relaxed for testing
      Pass * LAN net * * * * none

      I'd really rather not add a 1:1 rule with the webserver and the virtual IP.

      Can someone give me a clue as to what I am missing, because the connection is not working.

      Thanks.

      • artgug

        Hmmm… I guess this has nothing to do with https as I just tried it with port 80 and same problem, so it must be something with the virtual IP that I don't understand.

        • Metu69salemi

          Can you give screenshots and remove your public IP information?

          • artgug

            Sure, here they are.

            My goal is simple.

            I have two web servers.
            One was dedicated only for http
            The other for https
            But I want to have a second https server
            For testing purposes, I simply set the http server to also serve https.
            Internally it all works just fine.
            I want the second https (the newer one) to be accessible from outside.  So I created the x.x.x.163 ipalias so I could direct the https traffic to that server, while using only one nic that is hooked up to the external router.

            After it didn't work I also created a nat entry for port 80 on that virtual IP to see if it was an SSL issue.  I got the same result, the same block, except that it says port 80 in the log.

            Thanks,

            [attachments: pfsense-1.jpg, pfsense-4.jpg, pfsense-5.jpg]

            • artgug

              and the other two that didn't fit in the post.

              [attachments: pfsense-2.jpg, pfsense-3.jpg]

              • Metu69salemi

                Try without the destination alias.
                How do you have public IPs? Are you having a continuous block or something else?

                • artgug

                  OK, I changed the entry, replacing the alias with the IP of the server.

                  Same result.

                  Yes, it's a block.  (162-165) And I'm reaching the firewall from the outside world with the .163 because I get the Firewall block entries at the exact time I try to access from the outside world.  The .162 is the regular address.  I used the 163 in the past (hooked up to another physical firewall), I stopped using it for a while, it is possible that the provider changed something, but I doubt it.

                  I haven't posted the entry itself in NAT.  Here is the screenshot of that.

                  [attachment: pfsense-6.jpg]

                  • artgug

                    It's fixed!

                    Thank you, when you asked about the block, I kept thinking, so I went and rechecked everything, duhhhh, how stupid of me, the subnet mask was WRONG.

                    Geez,

                    Thank you!

                    • Metu69salemi

                      It's OK, but you're showing your public IPs again.

                      • artgug

                        So I set everything back to how I wanted it originally, and for the record having the destination Alias works fine.

                        Thanks for the Public/IP warning.  I'll take it out again.  Thanks.

                        Is there a way one can mark threads as "Answered" here?

                        • Metu69salemi

                          Edit your first post subject with [SOLVED].

                          • artgug

                            Nevermind, it isn't solved.  Having the same problem again.  I have no clue as to why it started working and after a while it stopped working.

                            Any ideas of what else to look for?

                            • artgug

                              Well, I fixed it again.

                              I think I found a bug.

                              Whenever you make any changes to the System Advanced Firewall/NAT window, it changes the IP Alias to Network, rather than the Single address, which of course breaks this.  Uggh…

                              Anyways, messing around in the screen, I can't remember what the defaults were for these; can someone remind me which ones should be checked?

                              Disable NAT Reflection for port forwards:
                              Disable NAT Reflection for 1:1 NAT :
                              Automatically create outbound NAT rules...:

                              Thanks,

                              • artgug

                                I was wrong, changes in the System Advanced screen do not change the label Network.  The label Network is changed whenever you use anything other than a /32 mask.

                                It turns out that it works just fine with the mask /32

                                Whenever I re-save the Virtual IP it starts working again.

                                But I just noticed something else; I got the log entry:
                                kernel: arp: 00:1e:58:39:1a:1e is using my IP address 200.XXX.XXX.163 on vr0!

                                So I guess the provider did change something and that IP is assigned to something else, that would explain the weird erratic behavior.  The provider was absorbed by another provider, so I think that's the origin of the problem.

                                Anyhow, thanks and please do let me know what the defaults are for:
                                Disable NAT Reflection for port forwards:
                                Disable NAT Reflection for 1:1 NAT :
                                Automatically create outbound NAT rules…:

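As an added example (not code from this thread or from pfSense itself), here is a small Python scanner for the two log symptoms discussed above: the blocked TCP:SA replies on LAN from the first post, and the kernel "is using my IP address" ARP warning from the last fix, plus a check that a virtual IP used as a port-forward target is a /32. The sample log lines are constructed with placeholder addresses and follow the GUI log layout quoted in the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines modelled on the thread's symptoms (placeholder
# addresses, not the poster's real hosts). The first three use the firewall-log
# layout quoted in the thread; the last is a kernel ARP conflict warning.
SAMPLE_LOG = [
    "block Sep 1 19:04:43 LAN 192.168.0.50:443 198.51.100.221:2124 TCP:SA",
    "pass Sep 1 19:04:50 LAN 192.168.0.50:80 192.168.0.20:51000 TCP:SA",
    "block Sep 1 19:05:01 WAN 198.51.100.221:2125 203.0.113.163:443 TCP:S",
    "kernel: arp: 00:1e:58:39:1a:1e is using my IP address 203.0.113.163 on vr0!",
]

FILTER_RE = re.compile(
    r"^(?P<action>block|pass) (?P<ts>\w+ \d+ \d\d:\d\d:\d\d) (?P<iface>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) TCP:(?P<flags>\w+)$"
)
ARP_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address "
    r"(?P<ip>[\d.]+) on (?P<iface>\w+)!"
)


def orphan_synacks(lines: List[str]) -> List[Dict[str, str]]:
    """Blocked SYN-ACKs seen inbound on LAN: the server is answering a forwarded
    SYN, but pf holds no state for that connection, so the default deny rule
    drops the reply. This is the signature of a port forward whose state was
    never created (in the thread, a virtual IP saved with the wrong mask)."""
    hits = []
    for line in lines:
        m = FILTER_RE.match(line)
        if m and m["action"] == "block" and m["iface"] == "LAN" and m["flags"] == "SA":
            hits.append({"server": m["src"], "port": m["sport"], "client": m["dst"]})
    return hits


def arp_conflicts(lines: List[str]) -> List[Dict[str, str]]:
    """Kernel warnings that another MAC is answering for one of our addresses."""
    return [m.groupdict() for m in map(ARP_RE.search, lines) if m]


def vip_is_single_address(cidr: str) -> bool:
    """An IP alias used as a port-forward target must be a /32 (single address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 32
```

On a live box the same functions can be fed the firewall log export instead of SAMPLE_LOG; an ARP conflict hit means the address is claimed by another device and no NAT rule will fix it.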
                                • Metu69salemi

                                  @artgug:

                                  Disable NAT Reflection for port forwards:
                                  Disable NAT Reflection for 1:1 NAT :
                                  Automatically create outbound NAT rules…:

                                  I'm not sure if I have the default settings, but working settings: check, check & uncheck.

                                  • artgug

                                    Thanks!
