NAT and My Webserver



  • Hello,

    I've opened up port 80 and forwarded the traffic to my web server that I've setup, however, I cannot view my website when I'm inside my local network.

    If I'm at work or the library, or a buddy's house, I can view a website that I'm hosting just fine. You can see for yourself, the following link is to a small site that I'm building for a class I'm taking: http://dicksdogs.does-it.net .

    I have a NAT rule that allows for any source (both address and ports) that is destined for my WAN Address (dest. port 80) to route traffic to my web server.

    On the LAN side of my firewall, I've set a rule that just allows for everything from anything on any port.

    Does anyone have any ideas on this?

    Thanks in advance



  • You need to enable NAT reflection or use a splitbrain DNS to access while you are in the same network as the webserver. Personally I like the split brain DNS. You can setup the DNS proxy within pfSense to do that for you.



  • @podilarius:

    You need to enable NAT reflection or use a splitbrain DNS to access while you are in the same network as the webserver. Personally I like the split brain DNS. You can setup the DNS proxy within pfSense to do that for you.

    Dang, so simple that I almost feel silly. Thanks so much for the response! I went ahead and changed the NAT reflection to enabled instead of System Default and all works great!  ;D



  • I'm having issues forwarding 80 on the outside to my internal webserver in general.  All my other port forwards are working just fine.

    I set the management listener port to a high port in the 55k's and can hit it without issue externally.  I've also disabled the redirector rule.  But for the life of me, port 80 just won't forward.  Any clues?  Wonder if I'm missing something dumb. ???



  • @BeerHat:

    I'm having issues forwarding 80 on the outside to my internal webserver in general.  All my other port forwards are working just fine.

    I set the management listener port to a high port in the 55k's and can hit it without issue externally.  I've also disabled the redirector rule.  But for the life of me, port 80 just won't forward.  Any clues?  Wonder if I'm missing something dumb. ???

    What do you see when you try to hit port 80? Error 404 or firewall management login?



  • @Metu69salemi:

    @BeerHat:

    I'm having issues forwarding 80 on the outside to my internal webserver in general.  All my other port forwards are working just fine.

    I set the management listener port to a high port in the 55k's and can hit it without issue externally.  I've also disabled the redirector rule.  But for the life of me, port 80 just won't forward.  Any clues?  Wonder if I'm missing something dumb. ???

    What do you see when you try to hit port 80? Error 404 or firewall management login?

    It's not listening on Port 80 internally or externally.  Just times out.  Management page only answers on the high-port I designated – which is fine.  NAT Port fwd and rules are identical to that of other ones that are working perfect.. just can't redirect outside port 80 to my internal web server.



  • Is your portforwarding rule something like this:

    
    disabled: unchecked
    No RDR: unchecked
    Interface: WAN
    Protocol: TCP
    Source: any
    Source port: any
    Destination: your public ip( usually wan ip)
    Destination port: 80
    Redirect target ip: your webserver ip
    Redirect target port: untouched
    Description: something you want to write
    No xmlrpc sync: unchecked
    NAT reflection: Use system default
    Filter rule association: Create new associated rule <-- here it might read something else, if you already created this rule
    
    


  • @Metu69salemi:

    Is your portforwarding rule something like this:

    
    disabled: unchecked
    No RDR: unchecked
    Interface: WAN
    Protocol: TCP
    Source: any
    Source port: any
    Destination: your public ip( usually wan ip)
    Destination port: 80
    Redirect target ip: your webserver ip
    Redirect target port: untouched
    Description: something you want to write
    No xmlrpc sync: unchecked
    NAT reflection: Use system default
    Filter rule association: Create new associated rule <-- here it might read something else, if you already created this rule
    
    

    Yep.  exactly.



  • Try to make port redirection. from (destination)port 12800 to (redirect)port 80

    if this works, then your isp is blocking port 80



  • @Metu69salemi:

    Try to make port redirection. from (destination)port 12800 to (redirect)port 80

    if this works, then your isp is blocking port 80

    ISP is not blocking port 80.  This was working just fine with my previous Fortigate 60 router i just replaced.



  • @Metu69salemi:

    Try to make port redirection. from (destination)port 12800 to (redirect)port 80

    if this works, then your isp is blocking port 80

    FWIW I can tweak the exact same port forward rule to 81 and it works perf.  Just not 80.  I read someone's thread a few weeks ago where they said something like creating the port forward AFTER setting an alternate connect port for webconfigurator somehow made a difference.  I smell a bug, somewhere.



  • Might be bug, but i haven't encounter even a single one with pfsense.. If change your rule again port 80, what it says then? or delete that rule fully and created it again



  • @Metu69salemi:

    Might be bug, but i haven't encounter even a single one with pfsense.. If change your rule again port 80, what it says then? or delete that rule fully and created it again

    I can toggle the port number till my heart's content… still no change.  It doesn't really 'say' anything, it looks like a correctly configured rule.  But, it just fails to work.



  • I have created all of my NAT Port forwarding rules and any request on an external network to my webservers etc works without issue.  I too am having the problem of navigating to my webserver etc when on my LAN network.  I have unchecked the the "Disable NAT Reflection" thus enabling it.

    Will I have to recreate my NAT port forwarding rules now?  The reason I'm asking this is because I guess I'm not clear on the "Disables the automatic creation of NAT redirect rules for access to your public IP address from within your internal networks" line.  Now that I have essentially ENABLED the automatic creation of NAT redirect rules for access to my public UP address from within my internal network, will I need to recreate my port forwarding?

    I have no 1:1 NAT configured, if that makes a difference.

    Thank you.



  • Did you check the "Disable webConfigurator redirect rule" in the System => Advanced => Admin access  ?



  • balance or nat will not work on same interface, you will need a reverse proxy package or an outbound nat to change source ip going to web servers.

    visual example:
    192.168.1.20 - client
    192.168.1.200 - firewall
    192.168.1.10 - web server

    192.168.1.20 asks 192.168.1.200 for a page

    192.168.1.20  forwards to 192.168.1.10

    192.168.1.10 see that client(192.168.1.20) is on same network

    192.168.1.10 returns page directly to 192.168.1.20

    192.168.1.20 rejects this communication as he asked 192.168.1.200 for a page and response came from 192.168.1.10

    To workaround this without any package or nat, you need to edit internal dns to answer website name to its server ip.


Locked