Lan access to Https port forward if ssl cert requires gate.domain.com?



  • Is there any way to cause pfsense to forward incoming traffic on its lan port to a given tcp port natted  back out the lan port to an address on the lan subnet, same port?

    It isn't really necessary to read all the rest of this, it just explains why I care.

    Let's call 'server' a system on the lan that runs apache and serves ssl protected websites.  Let's call 'gate' a vanilla little pfsense box that uses https:443 to access the web configurator on the lan side, with one lan address.  On the wan side, several virtual IP's, along with a dedicated wan interface address.  Each virtual IP address has its own public dns entry on the wan and gets HTTPS port forwarded onto a different port on the server on the LAN.  'gate' has an entry in the dhcp table for the lan, and the dns forwarder in pfsense uses the dhcp entries.  'gate' out on the wan has its dns point to the interface address on the public internet because 'gate' is running postfix forwarder smtp mail exchanger.

    So, fairly typical so far.  As you expect, https://gate.domain.com inside the lan gets the pfsense configurator, from the wan side the same address get NAT gets port forwarded to some unassigned tcp port on server, let's say 920, and serves up an https tls website.

    How can someone inside the lan see what the public sees on the wan side?  Simple I thought.

    https://gate.domain.com  gets the pfsense configurator.
    https://gate.comain.com:920 gets port forwarded to the same port on the server where the public gets its website served when it puts in the same address.

    I put in the nat rule on the lan to port forward tcp 920 to server at 920, the lan already has a permit all rule from lan sources to lan destinations, and… no traffic.

    Already clicked the box to allow reflections so accessing the forwarded virtual ips from within the lan works.  The real problem comes in as the ssl certificate on the gate site running on the server demands an address of gate.domain.com, not server.domain.com or variants.  I'd like to avoid all the 'allow exceptions' 'this is untrusted' and so forth.  I want folks inside the lan to have the same experience as those outside other than having to add the :920 to distinguish the pfsense configurator from the external site.

    Any ideas?  Thanks!   Harry



  • yes it's possible via a port forward entry on LAN to redirect the traffic, you'll also need manual outbound NAT configured to change the source IP to the firewall's IP on that interface to force the reply traffic back so it can be translated back.


Log in to reply