HTTPS addresses not port forwarding
I have moved to pfSense from a Netgear WNDR3700v2, and so far I am very happy: much better throughput, especially on the upload, where I am seeing close to 3 times the speed.
The only real issue I have run into so far is that I cannot reach HTTPS addresses that have been port forwarded in my network. HTTP sites work just fine, and I moved one of them from HTTPS to HTTP and back for testing; the HTTPS address was unreachable. I'll also note that I cannot reach the pfSense webConfigurator from outside my home network if I turn on HTTPS for it. It's fine inside my home network, but from outside it is unreachable.
I have tried reaching the addresses by using my IP, and by the DynDNS names I have…
I thought it might have been the HTTP_REFERER enforcement check, as I had issues reaching packages until I disabled that, but no such luck on fixing the HTTPS issue.
Outside of setting up NAT/rules, the only other change I have made is to disable the webConfigurator redirect rule (I have a Minecraft map on port 80, so I needed that freed up :) ).
Network setup: modem --- pfSense box (dedicated Intel NIC in, dedicated Intel NIC out) --- Cisco SG300-20 switch
Again, wonderful product; I look forward to configuring it further. I just need a bit of help figuring out what may be causing this.
Sounds like #5, but check them all.
I have tested number 5, "ISP or something upstream of pfSense is blocking the port being forwarded", by swapping my old Netgear WNDR3700v2 back in, and through that I can reach both the HTTPS and HTTP port forwarded sites. I swapped pfSense back in, then decided to do a backup of the current settings and restore to earlier settings, since all I had changed was setting static IPs for devices on the network and the port forwarding rules.
Same issue. I can get to anything that is HTTP, but not the HTTPS. I verified I could hit different computers through HTTP, and again checked to see if I could hit sites if I moved them back to HTTP from HTTPS. Works when set to HTTP.
Verified no source port set.
Made sure there were no firewalls on computers in the LAN or on the computers I was doing testing from.
When testing from inside my network after the restore,
I found I could no longer map by name, but by local IP worked (fixed by unchecking "disable port reflection"). When tested from outside the network after the restore, by Comcast-assigned IP and by name, HTTP worked but HTTPS did not.
pfSense is the border router to the modem.
Captive portal is not enabled.
Checked all computers/NAS to make sure ports were set correctly.
Edit: it's not a deal breaker right now, as I can still RDP in and reach everything. However, it's an issue that I will need to resolve before I move from the test rig I'm running to a dedicated pfSense build.
So you have gone through the troubleshooting testing linked to. And you're sure you're not doing something stupid like the things on that list?
Then do a sniff. Is pfSense seeing the traffic on its WAN? Is it sending the traffic on the LAN? If so, is the traffic getting to your box on 443? This should take you only a couple of minutes to verify, so you know for sure whether it's pfSense not doing something, i.e. it never goes out the LAN interface. Or if it does, does the machine answer, does the machine not see the traffic, etc. etc.
Post up your rules. You sure you're not running something else on 443? Like OpenVPN or something. I run OpenVPN on TCP 443, for example, since this is pretty much open no matter where you're at that has internet.
You don't have any rule in floating? Post up your WAN and LAN rules and your NATs so we can see what you're seeing.
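The sniff-based troubleshooting described in the reply above (WAN capture, then LAN capture, then does the host answer) can be turned into a small triage script. The following is an added example, not code from the thread or from pfSense; it parses tcpdump-style text lines from a WAN and a LAN capture and reports the first hop at which the forwarded TCP traffic disappears. All addresses and capture lines are constructed.

```python
import re

# Matches the TCP part of a tcpdump line, e.g.
# "14:22:01.000100 IP 203.0.113.5.51234 > 198.51.100.7.443: Flags [S], seq 1, ..."
TCP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse(lines):
    """Yield (src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in lines:
        m = TCP_LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def diagnose(wan_lines, lan_lines, port=443):
    """Return the first hop at which traffic for the forwarded port disappears."""
    wan = list(parse(wan_lines))
    lan = list(parse(lan_lines))
    # 1. Does a SYN (flags "S", no ACK bit ".") for the port reach the WAN interface?
    if not any(dport == port and "S" in f and "." not in f for _, _, _, dport, f in wan):
        return "not-seen-on-wan"       # blocked upstream, wrong public IP, or client-side issue
    # 2. Did pfSense translate it and send it out the LAN interface?
    if not any(dport == port and "S" in f and "." not in f for _, _, _, dport, f in lan):
        return "not-forwarded-to-lan"  # NAT/firewall rule problem, or something else owns the port
    # 3. Did the internal host answer with a SYN-ACK (flags "S.")?
    if not any(sport == port and "S" in f and "." in f for _, sport, _, _, f in lan):
        return "host-not-answering"    # service not listening, or host firewall dropping it
    return "ok"


# Constructed captures (hypothetical addresses): the SYN arrives on WAN and is
# forwarded to 192.168.1.20 on the LAN, but the host never replies.
WAN_CAPTURE = [
    "14:22:01.000100 IP 203.0.113.5.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0",
]
LAN_CAPTURE = [
    "14:22:01.000300 IP 203.0.113.5.51234 > 192.168.1.20.443: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    print(diagnose(WAN_CAPTURE, LAN_CAPTURE))  # host-not-answering
```

Feed it the text output of two captures taken on the WAN and LAN interfaces (for example from Diagnostics > Packet Capture) filtered to the forwarded port.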
It's all my fault :P
Found it and fixed it. It was the Proxy URL setting on system_advanced_misc.php … there was an _ left in the field that I could not see in Firefox on Windows due to the border. I had thought I wiped everything in there out before I backed up the first time, as I decided I wanted a save with only my base rules and static IPs set. If I had not used my Linux VM and looked at that page, I don't know that I would have seen it. Weird that it only messed with HTTPS addresses.
Hey, thanks again for the help. Just having someone else to talk to about the problem makes it a lot less frustrating. I owe you guys a beer.
Glad you got it sorted. Yes, I agree it quite often is very helpful just to ask the questions.
I don't recall any issues with port forwarding that did not come down to user error or traffic blocked before pfSense, etc.
That troubleshooting doc does include details of using tcpdump to check. I might edit that to stand out a bit, and add simple instructions for using the Diagnostics packet capture feature vs tcpdump directly.