Port forward to internal Webserver blocked.



  • Hello. I am new here.

    Our MIG/PROXY equipment is supplied by our ISP and I was given root access to the webGUI to configure as I need. Users/mail/etc.
    (They seem to use some custom theme? version of m0n0wall or PFSense, I think.)

    Our MIG is on a static public IP (41.xx.xxx.xx). From inside I can access the GUI on 10.0.0.1, the Gateway being 10.0.0.2.
    From the outside (internet), I can access the webGUI on the external IP (41.xx.xxx.xx).

    ---------

    I have set up an Apache webserver on an internal Windows PC at 10.0.0.22 and port 8800.
    (No software firewall on this pc)

    Accessing the Apache webserver on the LAN (ie. internally) on 10.0.0.22:8800 works as expected.

    I am trying to access the webserver from another computer OUTSIDE the LAN (ie. from the Internet) as follows:

    Internet -> Ext IP of our MIG (41.xxx.xx.xxx:8800) -> Internal webserver on 10.0.0.22:8800
    http://canyouseeme.org/ says that port 8800 is closed (connection refused).

    I have set up NAT PortForward and FW-rule as follows:

    http://i.imgur.com/rEpBl.jpg
    http://i.imgur.com/QbR9v.jpg

    I am clearly missing something, or I don't know much about this stuff, but I'm trying my best here.
    Either way, I have to start somewhere and would appreciate any help.

    Thank you kindly.
    Jamie.
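    Added illustration, not from the original poster: the check that canyouseeme.org runs is a single TCP connect, and the three things a tester can see from it (open, refused, filtered) point at different places in the path. The Python below does that one-port connect and names the outcome; it is exercised here against a constructed local listener, so the host and port are placeholders for the real external address.

```python
import socket


def classify_tcp(host, port, timeout=3.0):
    """Try one TCP connect to host:port and report what the network did with it.

    'open'     - handshake completed: something is listening there
    'refused'  - a host answered with RST: the address is live, but nothing
                 listens on that port (or a forward lands on a host with no listener)
    'filtered' - no answer within the timeout: a firewall or router in the path
                 is dropping the SYN silently
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:          # e.g. no route to host, name resolution failure
        return f"error: {exc}"
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for the Apache server: a bare TCP listener on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))             # port 0: let the OS pick a free port
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = start_listener()
    port = srv.getsockname()[1]
    print(f"listener up on 127.0.0.1:{port}:", classify_tcp("127.0.0.1", port))
    srv.close()
    print(f"listener closed on 127.0.0.1:{port}:", classify_tcp("127.0.0.1", port))
```

    Run from a network outside the LAN against the public address, a "refused" result means the SYN reached a device that answered; a "filtered" result means something between the tester and the webserver dropped it, which is the case to take to whoever controls that device.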



  • Those rules look like they should work. Is the gateway of the Apache system set up with 10.0.0.2? It seems like the gateway should be 10.0.0.1 since it is the same as the GUI config.



  • Hi, thank you for the response.

    I am still struggling with this issue.

    (FYI: when I test the port forward externally - yes, I do test it from a completely separate network - e.g. from home)

    QUESTION: Is it possible that port 8800 (and others) are BLOCKED on the CISCO ROUTER? (see below)

    Our setup is as follows:

    ISP/ADSL --> CISCO800 ROUTER --> PROXYSERVER(PFSENSE HERE?) --> SWITCH --> LAN

    From outside the LAN the EXTERNAL STATIC IP 41.xxx.xx.xx:80 goes to WEBgui for pfsense.
    Or internally, IP 10.0.0.1 goes to WEBgui.

    The NAT rule works internally, ie. Apache listens on 8800 on ip 10.0.0.22. Any LAN pc connects to it no problem.

    TCP/IP for all LAN pc's (including the Apache machine) is as follows:

    Static IP 10.0.0.10  / 10.0.0.11 / etc.
    Subnet 255.255.255.0
    Gateway 10.0.0.2

    Remember that for outside the network port 80 goes to the webgui.

    Even though the port forward and FW rule for port 8800 is setup correctly in pfsense...
    ...is it possible that port 8800 (and others) are BLOCKED on the CISCO ROUTER?

    Any response is helpful.
    Thank you very much.
    Jamie.



  • What is on 10.0.0.2? If 10.0.0.1 goes to the web GUI, then that should be your firewall and also your gateway. If that is a proxy server, what is its gateway? Ideally if you are going to open port 80 to the WAN address, you will want to move webgui off port 80 and move it to 8080 (or similar). There is by default a redirector that redirects 80 to 443 if that option is not disabled manually. This is also why you move it off port 80.
    If the router is just a router, then it should block nothing. If you have had to use it as a FW in the past (with access rules), then some of those rules might still be lingering in there.



  • Hi podilarius, thanks again for your reply.

    I looked into this some more and found the following.

    10.0.0.2 is the Cisco Router (installed and configured by ISP)

    10.0.0.1 is the pfsense PROXY/FIREWALL (installed and configured by ISP) but I was given root access to configure as I wish - since we pay them big time for the equipment.

    10.0.0.3 /4 /5 etc = LAN

    (Let's forget about the WEBgui on https(443) for a moment - yes I can, and I am planning to change it to https)

    For now, my issue is with the blocked ports.

    For testing, I shut down the Apache (10.0.0.22) machine.

    I then changed the 10.0.0.1 WEBgui port to 8800 (also tried 8080 and others).

    From within the LAN I can get into 10.0.0.1:8800 no problem.

    But from outside the LAN (from home) I can NOT get into external ip (41.xx.xxx.xx:8800).

    So I'm thinking that all "non-standard" ports are blocked on the router(10.0.0.2) - maybe as a security feature.
    If this is the case, then NAT/FW rules on 10.0.0.1 will have no effect, correct?

    I DO NOT have access to configure the Cisco Router (10.0.0.2).

    Do you think the following scenario will work?

    1. Configure Apache on 10.0.0.22 to listen on port 80 (since we know port 80 is open from the outside).
    2. Change WEBgui 10.0.0.1 to https(443). From outside I'll get in via https://41.xx.xxx.xx - correct?

    FYI: The Apache server is not going to be a long term production type setup. At the moment I simply use it to develop and host a Web Application - but I have people from outside our company that need to 'have a look' every now and then in order to comment on it.

    Have a good day.
    Jamie.



  • If these are your actual IPs, then you have a fundamental networking problem. If LAN is 10.0.0.0/24 and the same is used for WAN, then inbound connections will not make it to computers on the LAN, unless there is a bridge involved (which I don't think you mentioned). If you are using it as a proxy only, then your setup is fine, just go and turn off the firewalling. Set your gateway to 10.0.0.2 and then in the browser setup, change the proxy values to 10.0.0.1 port 3128. The subject of the thread suggests that you are using pfsense to limit access and not as a proxy, so I would imagine that the network is incorrectly configured with the information you have provided.



  • Okay then, how about this config:

    EXTERNAL IP(s) from ISP = STATIC
    41.xx.xxx.7x
    41.xx.xxx.7y
    41.xx.xxx.7z

    INTERNET > ADSL ROUTER (CISCO 800 series)
    ------------------------------------------
    Internal IP for router = 10.0.0.2  (Gateway?)

    MANAGED INTERNET GATEWAY (PROXY SERVER/FIREWALL)

    Internal IP 10.0.0.1 (webgui is here)

    LAN : (reconfigured)

    In the Webgui...
    WAN IP = 10.0.0.1
    LAN IP = 192.168.0.1
    GATEWAY = 192.168.0.2 port 3128

    LAN = 192.168.0.3/4/5/6/etc
    LAN PC BROWSER CONFIG = GATEWAY 192.168.0.2 port 3128
    (Internet access works perfect)


    LAN PC with APACHE = 192.168.0.22
    APACHE CONFIG : Listen  192.168.0.22:8800


    10.0.0.1 config...

    NAT RULE 192.168.0.22 PORT 8800
    FWALL ALLOW 192.68.0.22 PORT 8800 (auto from NAT)


    Internal(LAN) access to Apache 192.168.0.22:8800 - no problem /  works perfect.

    External access to 41.xx.xxx.xx:8800 (to be forwarded to 192.168.0.22) NOT working.


    Thank you for showing interest in my little dilemma.

    Jamie.



  • You are not going to forward directly to 192.168.0.22 from the cisco. You have double NAT, so you are going to have to make sure you adjust for that.
    So, create a VIP on WAN and set it to 10.0.0.22.
    In the port forward rule, source and source port is any.
    Destination IP is going to be the VIP (10.0.0.22). DPORT will be 8800.
    Then you set the NAT ip to 192.168.0.22 on port 8800.
    I am not sure how you have a gateway with a port. LAN does not usually have a gateway set at all in pfSense. But for your LAN PCs, 192.168.0.2 is a good gateway so long as the PC at that address has a default gateway of 192.168.0.1. Since that just looks like a proxy, and not even a transparent one, I would set the gateway of all the machines except pfSense (which will only have a gateway on WAN address) to 192.168.0.1 and use browser configs to set the proper proxy address.
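    Added example, not the poster's setup nor pfSense's own code: a small Python model of the double NAT the reply above describes (the Cisco at 10.0.0.2 in front of pfSense at 10.0.0.1, with the LAN on 192.168.0.0/24). It assumes the Cisco forwards port 8800 to one address inside 10.0.0.0/24 (what the ISP's router actually does is not stated in the thread) and uses 203.0.113.7 as a constructed stand-in for the masked public IP. It traces the inbound packet through both hops and shows why the forward must land on a WAN VIP (10.0.0.22) that pfSense answers for, which then forwards to 192.168.0.22:8800, and what happens when the VIP is missing or the Cisco aims straight at the LAN address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the thread's masked public address 41.xx.xxx.7x.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    match_ip: str      # destination the rule matches: a WAN address or a VIP
    match_port: int
    target_ip: str     # where the packet is sent after translation
    target_port: int


class NatHop:
    """One NAT device: the addresses it answers for on its outside, the
    network on its inside it can deliver to, and its DNAT (port forward) rules."""

    def __init__(self, name, owned_ips, inside_net, rules):
        self.name = name
        self.owned_ips = set(owned_ips)
        self.inside_net = ip_network(inside_net)
        self.rules = list(rules)

    def translate(self, pkt):
        # A device only applies DNAT to packets addressed to one of its own
        # addresses (WAN IP or VIP); a packet for any other address is not for it.
        if pkt.dst_ip not in self.owned_ips:
            return None
        for r in self.rules:
            if r.match_ip == pkt.dst_ip and r.match_port == pkt.dst_port:
                return Packet(r.target_ip, r.target_port)
        return None


def trace(hops, pkt):
    """Push pkt through the hops in order. Returns (final packet or None, step log)."""
    steps = []
    for hop in hops:
        nxt = hop.translate(pkt)
        if nxt is None:
            steps.append(f"{hop.name}: {pkt.dst_ip}:{pkt.dst_port} not owned or no matching forward, dropped")
            return None, steps
        if ip_address(nxt.dst_ip) not in hop.inside_net:
            steps.append(f"{hop.name}: target {nxt.dst_ip} is not in {hop.inside_net}, no route")
            return None, steps
        steps.append(f"{hop.name}: {pkt.dst_ip}:{pkt.dst_port} -> {nxt.dst_ip}:{nxt.dst_port}")
        pkt = nxt
    return pkt, steps


def cisco(target_ip):
    # Assumption: the ISP's Cisco forwards PUBLIC_IP:8800 to target_ip inside 10.0.0.0/24.
    return NatHop("cisco 10.0.0.2", [PUBLIC_IP], "10.0.0.0/24",
                  [DnatRule(PUBLIC_IP, 8800, target_ip, 8800)])


def pfsense(with_vip):
    # pfSense WAN is 10.0.0.1; the VIP 10.0.0.22 is the extra WAN address the reply asks for.
    owned = ["10.0.0.1"] + (["10.0.0.22"] if with_vip else [])
    return NatHop("pfSense 10.0.0.1", owned, "192.168.0.0/24",
                  [DnatRule("10.0.0.22", 8800, "192.168.0.22", 8800)])


INBOUND = Packet(PUBLIC_IP, 8800)


def working_chain():
    """Cisco -> VIP 10.0.0.22 on pfSense -> 192.168.0.22:8800, as the reply describes."""
    return trace([cisco("10.0.0.22"), pfsense(with_vip=True)], INBOUND)


def no_vip_chain():
    """Same forward, but pfSense has no VIP for 10.0.0.22: nothing answers for that address."""
    return trace([cisco("10.0.0.22"), pfsense(with_vip=False)], INBOUND)


def cisco_direct_to_lan():
    """Cisco tries to forward straight to 192.168.0.22, a network it has no route into."""
    return trace([cisco("192.168.0.22"), pfsense(with_vip=True)], INBOUND)


if __name__ == "__main__":
    for scenario in (working_chain, no_vip_chain, cisco_direct_to_lan):
        final, steps = scenario()
        print(scenario.__doc__)
        for s in steps:
            print("   ", s)
        print("    delivered to:", final, "\n")
```

    The model matches on destination only (the reply's "source and source port any"); the firewall pass rule that pfSense auto-creates with the forward is taken as present. The point it makes is that each NAT hop can only deliver into the network directly behind it, so the outer forward has to target an address the inner device owns.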

