Port forward to internal Webserver blocked.

  • Hello. I am new here.

    Our MIG/PROXY equipment is supplied by our ISP and I was given root access to the webGUI to configure as I need. Users/mail/etc.
    (They seem to use some custom theme? version of m0n0wall or PFSense, I think.)

    Our MIG is on a static public IP (41.xx.xxx.xx). From inside I can access the GUI on and the Gateway being
    From the outside (internet), I can access the webGUI on the external IP (41.xx.xxx.xx).


    I have set up an Apache webserver on an internal Windows PC at and port 8800.
    (No software firewall on this pc)

    Accessing the Apache webserver on the LAN (i.e. internally) on works as expected.

    I am trying to access the webserver from another computer OUTSIDE the LAN (i.e. from the Internet) as follows:

    Internet -> Ext IP of our MIG (41.xxx.xx.xxx:8800) -> Internal webserver on
    http://canyouseeme.org/ says that port 8800 is closed (connection refused).

    I have set up NAT PortForward and FW-rule as follows:


    I am clearly missing something, or I don't know much about this stuff, but I'm trying my best here.
    Either way, I have to start somewhere and would appreciate any help.

    Thank you kindly.

  • Those rules look like they should work. Is the gateway of the Apache system set up with It seems like the gateway should be since it is the same as the GUI config.

  • Hi, thank you for the response.

    I am still struggling with this issue.

    (FYI: when I test the port forward externally - Yes I do test it from a completely separate network- eg. from home)

    QUESTION: Is it possible that port 8800 (and others) are BLOCKED on the CISCO ROUTER? (see below)

    Our setup is as follows:


    From outside the LAN the EXTERNAL STATIC IP 41.xxx.xx.xx:80 goes to WEBgui for pfsense.
    Or internally, IP goes to WEBgui.

    The NAT rule works internally, ie. Apache listens on 8800 on ip Any LAN pc connects to it no problem.

    TCP/IP for all LAN PCs (including the Apache machine) is as follows:

    Static IP  / / etc.

    Remember that for outside the network port 80 goes to the webgui.

    Even though the port forward and FW rule for port 8800 are set up correctly in pfsense...
    ...is it possible that port 8800 (and others) are BLOCKED on the CISCO ROUTER?

    Any response is helpful.
    Thank you very much.

  • What is on If goes to the web GUI, then that should be your firewall and also your gateway. If that is a proxy server, what is its gateway? Ideally if you are going to open port 80 to the WAN address, you will want to move webgui off port 80 and move it to 8080 (or similar). There is by default a redirector that redirects 80 to 443 if that option is not disabled manually. This is also why you move it off port 80.
    If the router is just a router, then it should block nothing. If you have had to use it as a FW in the past (with access rules), then some of those rules might still be lingering in there.

  • Hi podilarius, thanks again for your reply.

    I looked into this some more and found the following. is the Cisco Router (installed and configured by ISP) is the pfsense PROXY/FIREWALL (installed and configured by ISP) but I was given root access to configure as I wish - since we pay them big time for the equipment. /4 /5 etc = LAN

    (Let's forget about the WEBgui on https(443) for a moment - yes I can, and I am planning to change it to https)

    For now, my issue is with the blocked ports.

    For testing, I shut down the Apache( machine.

    I then changed the WEBgui port to 8800 (also tried 8080 and others).

    From within the LAN I can get into no problem.

    But from outside the LAN (from home) I can NOT get into external ip (41.xx.xxx.xx:8800).

    So I'm thinking that all "non-standard" ports are blocked on the router( - maybe as a security feature.
    If this is the case, then NAT/FW rules on will have no effect, correct?

    I DO NOT have access to configure the Cisco Router (

    Do you think the following scenario will work?

    1. Configure Apache on to listen on port 80 (since we know port 80 is open from the outside).
    2. Change WEBgui to https(443). From outside I'll get in via https://41.xx.xxx.xx - correct?

    FYI: The Apache server is not going to be a long term production type setup. At the moment I simply use it to develop and host a Web Application - but I have people from outside our company that need to 'have a look' every now and then in order to comment on it.

    Have a good day.

  • If these are your actual IPs, then you have a fundamental networking problem. If LAN is and the same is used for WAN, then inbound connections will not make it to computers on the LAN, unless there is a bridge involved (which I don't think you mentioned one). If you are using as a proxy only, then your setup is fine, just go and turn off the firewalling. Set your gateway to and then in the browser setup, change the proxy values to port 3128. The subject of the thread suggests that you are using pfsense to limit access and not as a proxy so I would imagine that network is incorrectly configured with the information you have provided.

  • Okay then, how about this config :


    Internal IP for router =  (Gateway?)


    Internal IP (webgui is here)

    LAN : (reconfigured)

    In the Webgui...
    WAN IP =
    LAN IP =
    GATEWAY = port 3128

    LAN =
    (Internet access works perfect)

    LAN PC with APACHE =
    APACHE CONFIG : Listen config...

    NAT RULE PORT 8800
    FWALL ALLOW PORT 8800 (auto from NAT)

    Internal(LAN) access to Apache - no problem /  works perfect.

    External access to 41.xx.xxx.xx:8800 (to be forwarded to NOT working.

    Thank you for showing interest in my little dilemma.


  • You are not going to forward directly to from the cisco. You have double NAT, so you are going to have to make sure you adjust for that.
    So, create a VIP on WAN and set it to
    In the port forward rule, source and source port is any.
    Destination IP is going to be the VIP ( DPORT will be 8800.
    Then you set the NAT ip to on port 8800.
    I am not sure how you have a gateway with a port. LAN does not usually have a gateway set at all in pfSense. But for your LAN PCs, is a good gateway so long as the PC at that address has a default gateway of Since that just looks like a proxy, and not even a transparent one, I would set the gateway of all the machines except pfSense (which will only have a gateway on WAN address) to and use browser configs to set the proper proxy address.
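
Added example (not part of the thread and not any poster's configuration): a small Python model of the double-NAT path described in the last reply, showing why a port forward on pfSense alone never sees the traffic and why the pfSense rule must match the WAN VIP. All addresses are constructed placeholders, and the rule on the ISP router that forwards port 8800 to the VIP is an assumption.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    dst_ip: str
    dst_port: int

class NatHop:
    """One NAT device: the addresses it answers for and its port forwards."""
    def __init__(self, name, owned_ips, forwards):
        self.name, self.owned_ips, self.forwards = name, set(owned_ips), dict(forwards)

def trace(pkt, hops, server):
    """Walk an inbound packet through each hop in order; report where it ends."""
    for hop in hops:
        if pkt.dst_ip not in hop.owned_ips:
            return f"lost before {hop.name}"       # nobody answers for that address
        target = hop.forwards.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return f"stopped at {hop.name}"        # no matching port forward
        pkt = Packet(*target)                      # destination rewritten (DNAT)
    return "delivered" if pkt == server else "wrong target"

# Constructed placeholder addresses (the thread's real ones are not shown).
PUBLIC = "203.0.113.10"                            # ISP router, outside
WAN, VIP = "192.168.1.2", "192.168.1.3"            # pfSense WAN address and VIP
APACHE = Packet("10.0.0.50", 8800)                 # web server on the LAN

def scenarios():
    inbound = Packet(PUBLIC, 8800)
    to_vip = {(PUBLIC, 8800): (VIP, 8800)}         # assumed rule on the ISP router
    vip_rule = {(VIP, 8800): tuple(APACHE)}        # pfSense forward matching the VIP
    pub_rule = {(PUBLIC, 8800): tuple(APACHE)}     # pfSense forward matching public IP
    def run(router_fw, pf_ips, pf_fw):
        hops = [NatHop("router", [PUBLIC], router_fw), NatHop("pfSense", pf_ips, pf_fw)]
        return trace(inbound, hops, APACHE)
    return {
        "pfSense rule only": run({}, [WAN, VIP], vip_rule),
        "VIP not created": run(to_vip, [WAN], vip_rule),
        "rule matches public IP": run(to_vip, [WAN, VIP], pub_rule),
        "both hops configured": run(to_vip, [WAN, VIP], vip_rule),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} -> {result}")
```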
