Port forward not working
-
I'm trying to access an internal website from outside. I normally enter the WAN IP address http://xx.xx.xx.xx/zz, which automatically reroutes to https://xx.xx.xx.xx/zz for login info.
I had set up a port forwarding for port 80 under NAT, but I get a "404 - Not Found" error.
Accessing the website from internal has no issues. Tried deleting the NAT and recreating it; that does not fix the problem. Any ideas?
NAT
TCP * * 2xx.xxx.xxx.xxx 80 (HTTP) * none
Rules (WAN)
TCP * * 2xx.xxx.xxx.xxx 80 (HTTP) * none
-
What is the possibility that your ISP is killing port 80?
ISPs like to break port 80. They are also very fond of breaking port 25.
-
It was working fine before I switched over to pfSense. I had the port 80 forward in my old router.
-
Isn't the web server running https on port 443?
-
pfSense doesn't break port 80. I'm running an OpenVPN server there and it's fine.
Check your NAT. Make sure there are no rules blocking 80 before rules that allow it.
It's not a pfSense problem. That I'm sure of.
-
There is a redirect to https if you try to access on port 80.
I did add another NAT on 443 but it does not make a difference.
There are 2 rules before
* RFC 1918 networks * * * * * Block private networks
Reserved/not assigned by IANA * * * * * * Block bogon networks
TCP * * [xxx.xx.xx.xx web server ip] 80 (HTTP) * none
TCP * 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS) * none
Below is the NAT defined.
WAN TCP * * WAN address 80 (HTTP) [xxx.xx.xx.xx web server ip] 80 (HTTP)
WAN TCP * 443 (HTTPS) WAN address 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS)
Here is a summary of the packet capture at WAN
19:59:53.725900 IP 206.111.11.46.80 > [public ip].8937: tcp 1460
19:59:53.769245 IP [public ip].8937 > 206.111.11.46.80: tcp 0
-
That is really odd - pfSense doesn't redirect from http to https by default so far as I know.
-
System - Advanced - Admin Access - Disable webConfigurator redirect rule and see if it helps.
-
That's strange if that is the problem. That redirect only has any effect for me on the LAN side.
Does this thing have only one WAN / public IP?
-
Below is the NAT defined.
WAN TCP * * WAN address 80 (HTTP) [xxx.xx.xx.xx web server ip] 80 (HTTP)
WAN TCP * 443 (HTTPS) WAN address 443 (HTTPS) [xxx.xx.xx.xx web server ip] 443 (HTTPS)
Why do you have a NAT for source port of 443? The source port is going to be some random port number.
Clear the NAT and firewall rules then re-create your NATs to look like this:
WAN TCP * * WAN address 80 (HTTP) xx.xx.xx.xx 443 (HTTPS)
WAN TCP * * WAN address 443 (HTTPS) xx.xx.xx.xx 443 (HTTPS)
Set the Filter rule association at the bottom when you create the NAT rules so that it creates the proper firewall rules.
-
How do people keep ending up with that block being unchecked?
That block needs a warning beside it that says "unchecking this block will probably break NAT rule".
-
Yes, it has only 1 public IP. Redirect is being done at the web server. So I should open 443 port too.
I'll correct the source port for port 443 NAT and see if it fixes the problem.
kejianshi, which block are you referring to?
-
I tried the following and got the same error.
WAN TCP * * WAN address 80 (HTTP) xx.xx.xx.xx 443 (HTTPS)
WAN TCP * * WAN address 443 (HTTPS) xx.xx.xx.xx 443 (HTTPS)
Disabling webConfigurator redirect rule has no effect either.
What else can I try?
-
Format Drive, reinstall.
If you messed something up, that should fix it.
-
I took a snapshot of the VM after I had everything set up correctly. It will be a good baseline to start the configuration again.
-
Is it just the redirect not working? Can you access the https directly on the 443 port?
-
No, it does not work when trying https instead.
-
Reinstalled everything but still no go. I tried Disable Firewall too. So it should not be a routing issue.
However, I'm able to access the test page of the webserver on port 80 just by entering http://xx.xx.xx.xx (public IP). The internal website is only accessible by using http://xx.xx.xx.xx/zz
The site is listening on port 80. Could there be a conflict with webConfigurator?
The webserver has a static IP defined with a hostname.
-
Update: I left the rules defined and tried it today again. It is working now. Looks like something outside my environment is blocking access.
-
Yeah - ISPs…
Those crazy guys - Just turning our ports on and off at a whim. It gets tiring.
If it's not blatant blocking, it's shaping that denies bandwidth that's bought and paid for.
You should bill them $50 per hour you spent chasing your tail because of them.