Redirected to HTTPS when accessing internally hosted website



  • Hello all,

    I just finished setting up my first PFSense firewall. I'm replacing an old Juniper SSG5 with it. However, when I try to access our internally hosted website it redirects me to https://website:8080. 8080 was the port we used when managing the Juniper firewall. When accessing the website outside the LAN it works fine. What am I doing wrong here?

    Also, when the Juniper was set up it had 4 of the ethernet ports bridged together (including the LAN port). So, when I set it up in the PFSense firewall I added all the interfaces, set the "Type" to "None" in the optional interfaces and bridged them together under Interfaces > Bridges. Is that all you have to do?

    Thanks everyone! So far I love this firewall!



  • Just an update, I'm getting this response: Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname.

    I had the domain set under System > General Setup as my webpage (oops) so I changed it which didn't work. I then checked the box under System > Advanced to "Disable DNS Rebinding Checks" which then takes me right to the login page if trying to access the website. Definitely a DNS issue, just not sure where!


  • Rebel Alliance Developer Netgate

    What you need to do is enable NAT reflection. It's not a DNS issue.

    By default, you can't access port forwards from inside your network. You can change that by toggling the NAT reflection options under System > Advanced on the Firewall/NAT tab.



  • @jimp:

    What you need to do is enable NAT reflection. It's not a DNS issue.

    By default, you can't access port forwards from inside your network. You can change that by toggling the NAT reflection options under System > Advanced on the Firewall/NAT tab.

    I tried that also. Our DNS server is our Windows Server. Could this be causing the issue?


  • Rebel Alliance Developer Netgate

    DNS shouldn't matter, but if you can make your DNS server hand out the private IP when resolving the website's name, it wouldn't ever need to hit the firewall.

    If you're still hitting the GUI, NAT reflection isn't enabled properly (or you didn't enable the right one, e.g. it's on for port forwards but not 1:1 NAT and you used 1:1 NAT), hard to say for sure without a lot more info on exactly how you set it up and what you checked/unchecked.



  • @jimp:

    DNS shouldn't matter, but if you can make your DNS server hand out the private IP when resolving the website's name, it wouldn't ever need to hit the firewall.

    If you're still hitting the GUI, NAT reflection isn't enabled properly (or you didn't enable the right one, e.g. it's on for port forwards but not 1:1 NAT and you used 1:1 NAT), hard to say for sure without a lot more info on exactly how you set it up and what you checked/unchecked.

    I enabled NAT reflection on port forwards and 1:1 NAT as well as disabling DNS rebinding checks. When I do this, it sends me to the login screen instead of the DNS Rebind Attack error.


  • Rebel Alliance Developer Netgate

    But that also means you're not getting reflected.

    The DNS rebind error means you're accessing the GUI from the "wrong" DNS name. It's not that the DNS name is wrong for what you're trying to access, you're hitting the GUI of the firewall when you really mean to hit some other site.

    Unless I misunderstood what you're really trying to do there. If you are trying to reach the GUI, then you can either disable the DNS rebinding, like you did, or add the hostname to the approved list on System > Advanced.
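
The kind of Host-header check described in the post above, as an added example that is not part of the original thread and is not pfSense's own code. The function and parameter names, and the sample hostnames in the comments, are hypothetical; the rules modelled are the ones the thread mentions (access by IP address is allowed, an approved hostname list exists, and the check can be disabled).

```python
import ipaddress


def host_from_header(host_header):
    """Normalise a Host header: lowercase, drop port, brackets, trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6, e.g. [2001:db8::1]:443
        return h[1:h.index("]")] if "]" in h else h
    if h.count(":") == 1:                 # name:port or IPv4:port
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")


def is_ip_literal(h):
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def gui_accepts(host_header, hostname, domain,
                alternate_hostnames=(), checks_enabled=True):
    """Return True if a management GUI should serve this request.

    hostname/domain: the firewall's own name (assumed values in the demo).
    alternate_hostnames: the "approved list" (hypothetical parameter name).
    """
    if not checks_enabled:                # "Disable DNS Rebinding Checks"
        return True
    h = host_from_header(host_header)
    if is_ip_literal(h):                  # "access the router by IP address"
        return True
    allowed = {hostname.lower(), f"{hostname}.{domain}".lower()}
    allowed.update(a.lower().rstrip(".") for a in alternate_hostnames)
    return h in allowed


if __name__ == "__main__":
    # Constructed sample: firewall named fw.corp.example, website www.example.com
    for hdr in ("192.168.1.1:8080", "fw.corp.example", "www.example.com:8080"):
        print(hdr, "->", gui_accepts(hdr, "fw", "corp.example"))
```

A request that reaches the GUI with the website's name in the Host header is rejected, which is the symptom in this thread: the request was never meant for the GUI in the first place.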



  • @jimp:

    But that also means you're not getting reflected.

    The DNS rebind error means you're accessing the GUI from the "wrong" DNS name. It's not that the DNS name is wrong for what you're trying to access, you're hitting the GUI of the firewall when you really mean to hit some other site.

    Unless I misunderstood what you're really trying to do there. If you are trying to reach the GUI, then you can either disable the DNS rebinding, like you did, or add the hostname to the approved list on System > Advanced.

    Sorry for being so vague. I'm trying to access our website that is hosted internally. When I type the URL it redirects me to the PFSense GUI. I want it to take me to the website, not the GUI.


  • Rebel Alliance Developer Netgate

    OK, so then it's not hitting the NAT reflection for some reason then.

    Either that port isn't forwarded in, or NAT reflection really isn't on, or you did 1:1 NAT and NAT reflection isn't fully enabled there, etc.

    Next step would be to show what your port forward rule looks like, or 1:1 NAT rule, and also exactly what your NAT reflection settings are currently set to.


  • Rebel Alliance Developer Netgate

    From what I see there, going to http://website  should work…

    Make sure you're actually hitting that and not https://website:8080

    Close the browser in between loading attempts, some browsers cache a redirect.



  • @jimp:

    From what I see there, going to http://website  should work…

    Make sure you're actually hitting that and not https://website:8080

    Close the browser in between loading attempts, some browsers cache a redirect.

    That was it! I can't believe that. I had Firefox open and was trying it in IE every time I made a change. When I closed all the browsers it worked. Thank you!! Also, could you take a look at my second question about bridging interfaces? I just want to make sure it's set up correctly.

    Thanks again

