Port forward not working



  • I'm trying to access an internal website from outside. I normally entered the WAN IP address http://xx.xx.xx.xx/zz which automatically reroutes to https://xx.xx.xx.xx/zz for login info.

    I had set up a port forwarding for port 80 under NAT, but I get a "404 - Not Found" error.

    Accessing the website from internal has no issues. Deleting the NAT and recreating it does not fix the problem. Any ideas?

    NAT
    TCP * * 2xx.xxx.xxx.xxx 80 (HTTP) * none

    Rules(WAN)
    TCP * * 2xx.xxx.xxx.xxx 80 (HTTP) * none



  • What is the possibility that your ISP is killing port 80?

    ISPs like to break port 80.  They are also very fond of breaking port 25.



  • It was working fine before I switched over to pfSense.  I had the port 80 forward in my old router.



  • Isn't the web server running https on port 443?



  • pfSense doesn't break port 80.  I'm running an OpenVPN server there and it's fine.
    Check your NAT.  Make sure there are no rules blocking 80 before rules that allow it.
    It's not a pfSense problem.  That I'm sure of.



  • There is a redirect to https if you try to access on port 80.

    I did add another NAT on 443 but it does not make a difference.

    There are 2 rules before
    * RFC 1918 networks * * * * * Block private networks
    * Reserved/not assigned by IANA * * * * * * Block bogon networks
    TCP * * [xxx.xx.xx.xx web server ip] 80 (HTTP) * none
    TCP * 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS) * none

    Below is the NAT defined.
    WAN TCP * * WAN address 80 (HTTP) [xxx.xx.xx.xx web server ip] 80 (HTTP)
    WAN TCP * 443 (HTTPS) WAN address 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS)

    Here is a summary of the packet capture at WAN

    19:59:53.725900 IP 206.111.11.46.80 > [public ip].8937: tcp 1460
    19:59:53.769245 IP  [public ip].8937 > 206.111.11.46.80: tcp 0



  • That is really odd - pfSense doesn't redirect from http to https by default so far as I know.


  • System - Advanced - Admin Access - Disable webConfigurator redirect rule and see if it helps.



  • That's strange if that is the problem.  That redirect only has any effect for me on the LAN side.

    Does this thing have only one WAN / public IP?



  • @moosport:

    Below is the NAT defined.
    WAN TCP * * WAN address 80 (HTTP) [xxx.xx.xx.xx web server ip] 80 (HTTP)
    WAN TCP * 443 (HTTPS) WAN address 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS)

    Why do you have a NAT for source port of 443?  The source port is going to be some random port number.

    Clear the NAT and firewall rules then re-create your NATs to look like this:

    WAN TCP * * WAN address 80 (HTTP)        xx.xx.xx.xx 443 (HTTPS)
    WAN TCP * * WAN address 443 (HTTPS) xx.xx.xx.xx 443 (HTTPS)

    Set the Filter rule association at the bottom when you create the NAT rules so that it creates the proper firewall rules.
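
The point made in the reply above, that a client's source port is an arbitrary ephemeral port so a forward pinned to source port 443 almost never matches, as an added example (not code from the thread or from pfSense). It is a simplified first-match model; `PortForward`, `translate` and `lint` are hypothetical names, and the rule sets are constructed from the listings in the thread.

```python
import socket
from dataclasses import dataclass

ANY = "*"

@dataclass
class PortForward:
    src_port: str   # "Src. ports" column: "*" or a fixed port
    dst_port: str   # port on the WAN address
    nat_ip: str     # internal target (the thread's placeholder)
    nat_port: str

def translate(rules, src_port, dst_port):
    """First matching rule wins; return (nat_ip, nat_port) or None."""
    for r in rules:
        if r.src_port not in (ANY, str(src_port)):
            continue
        if r.dst_port not in (ANY, str(dst_port)):
            continue
        return (r.nat_ip, int(r.nat_port))
    return None

def lint(rules):
    """Return rules pinned to a fixed source port."""
    return [r for r in rules if r.src_port != ANY]

def client_source_port():
    """Connect over loopback and return the source port the OS picked."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as c:
            return c.getsockname()[1]

# Constructed from the thread's rule listings (all WAN, TCP).
ORIGINAL = [PortForward("*", "80", "xx.xx.xx.xx", "80"),
            PortForward("443", "443", "xx.xx.xx.xx", "443")]
SUGGESTED = [PortForward("*", "80", "xx.xx.xx.xx", "443"),
             PortForward("*", "443", "xx.xx.xx.xx", "443")]

if __name__ == "__main__":
    sport = client_source_port()
    print("client source port chosen by the OS:", sport)
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "-> HTTPS from that port:", translate(rules, sport, 443),
              "| pinned source ports:", [r.src_port for r in lint(rules)])
```
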



  • How do people keep ending up with that block being unchecked?
    That block needs a warning beside it that says "unchecking this block will probably break NAT rule".



  • Yes, it has only 1 public IP.  Redirect is being done at the web server. So I should open 443 port too.

    I'll correct the source port for port 443 NAT and see if it fixes the problem.

    kejianshi, which block are you referring to?



  • I tried the following and got the same error.

    WAN    TCP    *    *    WAN address    80 (HTTP)        xx.xx.xx.xx    443 (HTTPS)
    WAN    TCP    *    *    WAN address    443 (HTTPS)    xx.xx.xx.xx    443 (HTTPS)

    Disabling webConfigurator redirect rule has no effect either.

    What else can I try?



  • Format Drive, reinstall.

    If you messed something up, that should fix it.



  • I took a snapshot of the VM after I had everything set up correctly. It will be a good baseline to start the configuration again.



  • Is it just the redirect not working? Can you access the https directly on the 443 port?



  • No, it does not work when trying https instead.



  • Reinstalled everything but still no go.  I tried Disable Firewall too. So it should not be a routing issue.

    However, I'm able to access the test page of the webserver on port 80 just by entering http://xx.xx.xx.xx (public ip).  The internal website is only accessible by using http://xx.xx.xx.xx/zz

    The site is listening on port 80. Could there be a conflict with webConfigurator?

    The webserver has a static IP defined with a hostname.



  • Update: I left the rules defined and tried it today again. It is working now. Looks like something outside my environment is blocking access.



  • Yeah - ISPs…

    Those crazy guys - Just turning our ports on and off at a whim.  It gets tiring.

    If it's not blatant blocking, it's shaping that denies bandwidth that's bought and paid for.

    You should bill them $50 per hour you spent chasing your tail because of them.