HTTPS on non-standard port being blocked



  • I am running pfSense 1.0.1 on Nokia IP330 for 11 months.  Our LAN is using NAT.  DMZ is filtered bridge.

    One of our departments needs to access their external website to check on website statistics.  The server they are trying to access is using a non-standard HTTPS port.  I am using the default LAN -> any rule but the page is being blocked by the firewall with the following rule:

    @262 block drop in log quick all label "Default block all just to be sure."

    The site they are trying to access is formatted as follows:

    https://server.website.com:2083

    I opened up the WAN interface to accept all connections from this IP but still cannot get it working.  I have a backup WAN connection that is running m0n0wall on WRAP and I don't have any problems accessing this particular site on that connection.  Any suggestions would be appreciated.

    Regards,
    Mitch



  • Is it a site we can try?



  • Yes, there are two ways that it may be accessed.

    Go to http://www.monroeaquaticsandfitnesscenter.com/cpanel

    Or directly to https://server.websiteprofessionals.net:2083

    It is a password protected site and you should get a login page when working correctly.  In Firefox 2.0.0.6 I get this message: "The connection to server.websiteprofessionals.net:2083 was interrupted while the page was loading."  For IE7 it's just a generic "Internet Explorer cannot display the webpage"

    Thanks,
    Mitch



  • @rfetech:

    I opened up the WAN interface to accept all connections from this IP but still cannot get it working.

    You need to open up the IP and the port on the LAN interface, because that is where the users are.
    Rule:
    Interface : LAN
    Source : LAN network
    Source Port: *
    Destination: 72.36.202.74  (this is the ip I get when I lookup server.websiteprofessionals.net)
    Destination Port: 2083

    Make this rule the first rule.

    If this doesn't work then give us a screenshot of your LAN firewall rule set.



  • Thank you for your reply but I'm a little confused.

    In my original posting, I stated that the only rule I have on the LAN interface is the default rule which is LAN -> any.  I am not blocking "anything" going out the LAN interface.  It is my understanding that the firewall will allow any established connection from the LAN to WAN to come back through from WAN to LAN.  The computer on the LAN is contacting the server on the WAN at https://xxxxxxx:2083 but the firewall is blocking the return connection with the "block all" rule on the WAN.  At least that is the way I understand it but I could be wrong.  Please clarify for me if I am mistaken.

    Thanks,
    Mitch



    If you have a rule allowing a packet out, then the reply packet will also be allowed in. You do not need a rule on the WAN for this. This is known as Stateful Packet Filtering.

    Are you sure that the entry in the log file relates to this website?



    Thank you for verifying that.  That's why I can't understand why the return connection is being blocked on the WAN interface.  I only have a few rules on the WAN that allow HTTP and HTTPS into our DMZ and a few 1:1 NATs into our LAN, etc.  There have never been any issues with other web sites.

    The following is from the logfile after trying to access the web page at: https://server.websiteprofessionals.net:2083

    IF: WAN
    Source: 72.36.202.74:2083
    Destination: 64.128.42.159:62170
    Protocol: TCP

    The rule that triggered this action is:
    @262 block drop in log quick all label "Default block all just to be sure."

    I have tried opening "everything" from that IP into the WAN & LAN without success.

    Thanks again,
    Mitch



    Well, that's me stumped… how about getting rid of the rules on the WAN interface? Maybe you have something messed up there? You don't have any NAT set up either?



    Yesterday, I rebooted the unit for the first time in 10 months but that didn't solve the problem.  Today, I removed all NAT and rules except for the few rules for my servers in the DMZ and 6 1:1 NATs for some servers in the LAN.  All of these are HTTP, HTTPS, FTP, SMTP, IMAP or SSH.  The problem still persists.

    I'm assuming that you were able to access the website that I'm having problems with?  What version of pfSense are you using?  As I've stated before, I have had no issues with my pfSense box since putting it into production last November.  We have about 300 computers on our network that access thousands of different sites and this is the first issue that I'm aware of.

    I am planning to upgrade to 1.2 when it is released but was hoping to solve this issue now if possible.  If you are stumped, you can imagine how I feel.  ???

    Thank you for all your help and please let me know if you should think of anything else.

    Sincere regards,
    Mitch



  • Yes I can access the website fine.    ???



  • Hi,

    is there a solution for this ?

    I'm experiencing the same problem. Can't access an https site on a non-standard port (https://ias-web.conseur.org:4443).

    Btw, I use squid proxy.



  • Squid cannot work for httpS connections.
    You have to explicitly create an additional allow rule for this traffic.

    I cannot access your site either, in contrast to the one that rfetech gave us.
    The problem seems to be on the other side of the connection.



  • Found a solution:

    Edit the file /usr/local/pkg/squid.inc
    Search for "acl sslports port 443 …" line
    Add the https port you need to access on this line
    Save
    Restart

    NB: I also added it to the line "acl safeports port 21 ..." but I'm not sure if it's necessary.
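The edit described in the post above, done as a small POSIX shell function instead of by hand. This is an added example, not code from the thread or from the pfSense or Squid projects. It assumes the config file contains lines of the form `acl sslports port 443 ...` and `acl safeports port 21 ...` as quoted in the post (the path `/usr/local/pkg/squid.inc` is the one the post names; stock Squid installs call these ACLs `SSL_ports` and `Safe_ports`, so pass those names there). The function only appends the port when it is not already listed, so running it twice is harmless, and it refuses to touch a file that has no such ACL line rather than silently adding one. Squid still has to be restarted afterwards for the change to take effect, as the post says.

```shell
#!/bin/sh
# Added example: append an extra HTTPS port to an "acl <name> port ..." line
# in a Squid configuration file. Assumes the line layout quoted in the thread
# (e.g. "acl sslports port 443 563"); ACL names and path are arguments.
#
# Usage: add_acl_port /usr/local/pkg/squid.inc sslports 2083
#        add_acl_port /usr/local/pkg/squid.inc safeports 2083   # if needed
#
# Exit status: 0 on success or if the port was already present,
#              1 if the file has no "acl <name> port" line,
#              2 if the port argument is not a number.
add_acl_port() {
  file="$1"; acl="$2"; port="$3"

  # Refuse anything that is not a plain decimal port number.
  case "$port" in
    ''|*[!0-9]*) echo "add_acl_port: port must be numeric: '$port'" >&2; return 2 ;;
  esac

  # Already listed as a whole token on that ACL line? Nothing to do.
  # The "[0-9-]+" tokens allow ranges such as 1025-65535 on safeports.
  if grep -E "^[[:space:]]*acl ${acl} port( [0-9-]+)* ${port}( |$)" "$file" >/dev/null; then
    return 0
  fi

  # Do not invent an ACL line: if it is missing, the file is not what we expect.
  if ! grep -E "^[[:space:]]*acl ${acl} port " "$file" >/dev/null; then
    echo "add_acl_port: no 'acl ${acl} port' line in $file" >&2
    return 1
  fi

  # Rewrite via a temp file so a failed awk never leaves a half-written config.
  tmp="${file}.tmp.$$"
  awk -v acl="$acl" -v port="$port" '
    $1 == "acl" && $2 == acl && $3 == "port" { print $0 " " port; next }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Run it against a backup copy of the file first and diff the two; the only change should be the extra port at the end of the matching `acl` line.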

