Port Forwarding Troubles, 80 forwards, 8080 doesn't from inside LAN.
-
Here's the story. I have a server that runs both IIS and Apache, though Apache is running on port 8080. To simplify this all for outside users I created a redirect page for IIS to handle which will automatically redirect them to the proper port on Apache.
So from my LAN when I go to http://projects.icsanalytics.com, it brings up an IIS page that redirects to http://projects.icsanalytics.com:8080. Users are none the wiser.
This scenario works fine from the internet. The IIS redirect page will even display "hello". This is how I know the port forward for the IIS port is working for 80. Externally it redirects to 8080 just fine.
However, when I'm inside my LAN trying to access this site I get to the IIS redirect page, but it times out on the 8080 request.
So why would it forward properly when I'm accessing it externally, but only half work internally?
Any help would be appreciated. Thanks.
-
If I'm assuming correctly, your port forward uses the external working DNS name?
A couple of possibilities here.
- Create a new zone in the local DNS, the same as the public http://projects.icsanalytics.com, and point it to the internal IP address
- Go to System: Advanced: Firewall and NAT and remove the check mark from: Disable NAT Reflection for port forwards
-
Did you place the Webserver into your internal network or into DMZ (ex. OPT1)?
-
If I'm assuming correctly, your port forward uses the external working DNS name?
I'm not sure what you mean here. Both web servers respond to the hostname, just on different ports.
IIS is looking for hostname projects.icsanalytics.com on 80, and apache is looking for projects.icsanalytics.com on 8080.
Let's forget the redirect for a moment. That was probably adding too many moving parts to the equation.
Externally I can reach both http://projects.icsanalytics.com (port 80 implied), and http://projects.icsanalytics.com:8080
Internally I can reach http://projects.icsanalytics.com (port 80 implied) but cannot reach http://projects.icsanalytics.com:8080.
I know the port forward itself is set up correctly as it all works as planned externally. The "Disable NAT Reflection" is unchecked, else internally http://projects.icsanalytics.com or http://support.icsanalytics.com or any other website will just bring up the login for pfsense.
I suppose I should also mention this system is v1.2.3.
Thanks so much.
-
Did you place the Webserver into your internal network or into DMZ (ex. OPT1)?
It's in the LAN, no DMZ/OptX.
-
Shot in the dark, is there anything on Apache which could cause this like ACL or something like that?
I haven't used v1.2.3 since 2010 and combined experience of that was one month or less, so I can't help you on that
-
Shot in the dark, is there anything on Apache which could cause this like ACL or something like that?
I haven't used v1.2.3 since 2010 and combined experience of that was one month or less, so I can't help you on that
Thanks for your quick response, you are a big help.
I don't know that there is. I guess to even determine if this is happening I should check out the state table, and maybe even run a wireshark to see if any traffic at all is reaching the machine on this port when I try to access it internally.
-
I think I found the problem, this shows up in the state table when I filter by "8080"
127.0.0.1:19022 <- WANIP:8080 <- 192.168.0.79:49643
192.168.0.79 is the IP address of the local workstation I just tried to access the URL from. I really don't know what to make of this. Why is the request being sent to "localhost" (which is the pfsense) on that port?
-
Try checking with ping or nslookup what you get from the PC for that DNS name, and do the same from the firewall.
-
Pings and nslookup return my WAN IP, which is to be expected because the hostname:80 works fine. It's only when we get into 8080 that it's no good.
-
Then you can try method #1 from inside, use internal ip-addressing for public dns-name
Example from wan: ping www.yourdomain.com resolves 1.1.1.1
Example from lan: ping www.yourdomain.com resolves 192.168.0.25
-
It always pings to my WAN, as expected. Our internal domain is ics.local. The zonefile for icsanalytics.com exists elsewhere. projects.icsanalytics.com will always ping to the same place regardless of where you ping from.
-
But create yourself an internal domain with an A host record pointing to that internal IP.
Host that DNS in the same place as your ics.local.
Other than that I can't help you.
Even try the hosts file on your computer to point projects.icsanalytics.com to the internal host.
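
The thread raises three possible causes for the port 8080 timeout: something on the server itself, the path through the firewall's WAN address, or DNS. The following is an added example, not code from any poster, that separates them from a LAN workstation by comparing a connection via the resolved name with a direct connection to the server's LAN address. The function names and verdict strings are made up for the example, and 192.168.0.25 (the address used in the reply above) is assumed to stand in for the real server address.

```python
import socket

def resolve(host):
    """Return the IPv4 address the local resolver gives for host."""
    return socket.gethostbyname(host)

def probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def diagnose(host, internal_ip, ports, resolve=resolve, probe=probe):
    """Classify each port as seen from a LAN client.

    resolve and probe are injectable so the logic can be tested offline.
    Verdict strings are names chosen for this example.
    """
    resolved = resolve(host)
    # Split DNS is in effect when the public name already maps to the LAN address.
    split_dns = resolved == internal_ip
    verdicts = {}
    for port in ports:
        via_name = probe(resolved, port)
        direct = via_name if split_dns else probe(internal_ip, port)
        if via_name:
            verdicts[port] = "ok"
        elif direct:
            # The server answers on the LAN, so the path through the
            # firewall's WAN address (reflection) is what fails.
            verdicts[port] = "fails-via-wan-address"
        else:
            # Nothing answers even with the firewall out of the path:
            # look at the server (listener, host firewall, ACL).
            verdicts[port] = "fails-on-server"
    return {"resolved": resolved, "split_dns": split_dns, "ports": verdicts}

if __name__ == "__main__":
    # Assumption: 192.168.0.25 (the thread's example address) stands in
    # for the web server's real LAN address.
    print(diagnose("projects.icsanalytics.com", "192.168.0.25", [80, 8080]))
```

A result of `fails-via-wan-address` for 8080 together with `ok` for 80 matches the symptom described in the thread; once an internal DNS record or hosts entry is in place, `split_dns` becomes true and the firewall is no longer in the path.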