Netgate Discussion Forum
    Port Forward to Web Server Troubleshooting

    NAT
    7 Posts 2 Posters 1.3k Views
    ahking19

      Hi,

      I am trying to troubleshoot a problem with my NAT config. I am port forwarding traffic on port 80 to my web server. NAT Reflection is on and internally I can access the website. Externally only SOME traffic can access the site. I have turned on logging for the port 80 FW rule and I do see some traffic pass. My co-worker on a cellular network was able to access the site but I cannot (both on the ATT network). I also tried from http://downforeveryoneorjustme.com/ and it returned a down status. I ran a packet capture while testing and I can see the traffic on the WAN.

      14:04:32.208766 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
      14:04:35.172237 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
      14:04:35.172435 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 134
      14:04:35.172920 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
      14:04:35.284725 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 653
      14:04:35.344196 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
      14:04:35.345141 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
      14:04:35.345369 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 177
      14:04:35.345715 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0

      But the system:firewall logs do not show this (above) traffic - either Pass or Block. The Pass was logged for my co-worker's cellular network connection. I also checked the web server log and there are no requests from 50.97.161.229.

      FYI - this is a new server install. Some of the port forwards are working, such as SMTP, but several are not.

      Attached are my Virtual IP, NAT and firewall settings.

      Can anyone with a fresh set of eyes see if I am doing something wrong? Thanks in advance.

      -Andrew

      Attachments: NAT_Port_Forward.png, VIP.png, FW_Rules.png

      viragomann

        @ahking19:

        14:04:32.208766 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
        14:04:35.172237 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
        14:04:35.172435 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 134
        14:04:35.172920 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
        14:04:35.284725 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 653
        14:04:35.344196 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
        14:04:35.345141 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
        14:04:35.345369 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 177
        14:04:35.345715 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0

        But the system:firewall logs do not show this (above) traffic - either Pass or Block. The Pass was logged for my co-worker's cellular network connection. I also checked the web server log and there are no requests from 50.97.161.229.

        Who is 50.97.161.229??

        The packet capture above shows access to 50.97.161.229 at port 80. So it seems 50.97.161.229 is the server and 173.160.166.49 is the client which accesses a web page at 50.97.161.229.

        BTW: Why have you forwarded RDP while you have an OpenVPN setup?

        ahking19

          Who is 50.97.161.229??<<

          External website I was using to test.

          Traffic from this address is trying to reach a website at 173.160.166.53, which is a Virtual IP. 173.160.166.49 is the WAN interface of the pfSense box.

          The capture shows the traffic reaches the WAN interface but it doesn't get to the private NAT address of the webserver.

          BTW: Why have you forwarded RDP while you have an OpenVPN setup?<<

          Legacy. If I can get pfsense configured correctly and clients rolled over to OpenVPN I can then drop the RDP rules.

          viragomann

            @ahking19:

            Who is 50.97.161.229??<<

            External website I was using to test.

            Traffic from this address is trying to reach a website at 173.160.166.53, which is a Virtual IP. 173.160.166.49 is the WAN interface of the pfSense box.

            The capture shows the traffic reaches the WAN interface but it doesn't get to the private NAT address of the webserver.

            No, the capture shows packets from 173.160.166.49 accessing 50.97.161.229 at port 80/http. That's what I don't understand.
            So maybe a host inside your LAN is accessing a website at 50.97.161.229; outbound NAT will translate the source address to the WAN address.

            If a web address is accessing your external virtual IP, the packet capture shows your VIP, not the WAN IP.

            ahking19

              So maybe a host inside your LAN is accessing a website at 50.97.161.229, outbound NAT will translate the source address to the WAN address.<<

              I think you were right, the traffic was from an inside host.

              I did some testing from home where my IP is 50.46.159.93 and ran some pings to my IPs.

              173.160.166.49 - pfsense
              173.160.166.51 - VIP
              173.160.166.53 - VIP
              173.160.166.54 - VIP

              In the packet trace I can see the pings to .49 & .51 but none to my other VIPs. I can also see .49 & .51 in the firewall rule log.

              Is it something in the way I created the VIPs?  They were all created the same but .51 was created first and is first in list.

              type = ip alias
              interface = wan
              ip address = 173.160.166.51/28

              Then I used the VIP in the NAT Port Forward rule.

              I ran ifconfig from shell and the IPs are all listed on the WAN interface

              $ ifconfig
              em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
                      ether 00:30:48:55:c8:2a
                      inet6 fe80::230:48ff:fe55:c82a%em0 prefixlen 64 scopeid 0x1
                      inet 173.160.166.49 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.51 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.50 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.52 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.60 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.54 netmask 0xfffffff0 broadcast 173.160.166.63
                      inet 173.160.166.53 netmask 0xfffffff0 broadcast 173.160.166.63
                      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                      media: Ethernet autoselect (1000baseT <full-duplex>)
                      status: active

              -Andrew

              ahking19
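The two things worked out by hand in this thread, reading the direction of a flow from which side holds the service port (viragomann's point about 173.160.166.49:41273 talking to 50.97.161.229:80) and checking which local addresses ever appear as the target of inbound traffic (Andrew's ping test against the VIPs), can be scripted. The following is an added example written for this page, not code from the thread or from pfSense. It parses a WAN ifconfig listing to learn the local address set (WAN address plus IP-alias VIPs), then classifies each line of a tcpdump-style capture as inbound to a local service or outbound from a local client. The ifconfig text is a trimmed, constructed copy of the one posted above; the capture is the nine posted TCP lines followed by constructed ICMP and TCP lines for the later test from 50.46.159.93, shaped like tcpdump's default output (the pfSense packet-capture page uses tcpdump -q, so real output may differ slightly).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ifconfig output in the thread (WAN interface em0 with IP-alias VIPs).
IFCONFIG_WAN = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::230:48ff:fe55:c82a%em0 prefixlen 64 scopeid 0x1
        inet 173.160.166.49 netmask 0xfffffff0 broadcast 173.160.166.63
        inet 173.160.166.51 netmask 0xfffffff0 broadcast 173.160.166.63
        inet 173.160.166.53 netmask 0xfffffff0 broadcast 173.160.166.63
        inet 173.160.166.54 netmask 0xfffffff0 broadcast 173.160.166.63
        status: active
"""

# Constructed sample: the nine TCP lines from the first post, then invented lines for the ping/HTTP
# test from the home address 50.46.159.93 (tcpdump-style text; not a real capture from the thread).
CAPTURE = """\
14:04:32.208766 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
14:04:35.172237 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
14:04:35.172435 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 134
14:04:35.172920 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
14:04:35.284725 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 653
14:04:35.344196 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
14:04:35.345141 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
14:04:35.345369 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 177
14:04:35.345715 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
14:20:01.000000 IP 50.46.159.93 > 173.160.166.49: ICMP echo request, id 7, seq 1, length 64
14:20:01.000300 IP 173.160.166.49 > 50.46.159.93: ICMP echo reply, id 7, seq 1, length 64
14:20:02.000000 IP 50.46.159.93 > 173.160.166.51: ICMP echo request, id 7, seq 2, length 64
14:20:02.000300 IP 173.160.166.51 > 50.46.159.93: ICMP echo reply, id 7, seq 2, length 64
14:20:05.000000 IP 50.46.159.93.52211 > 173.160.166.51.80: tcp 0
14:20:05.000400 IP 173.160.166.51.80 > 50.46.159.93.52211: tcp 0
"""

INET_RE = re.compile(r"^\s*inet (\d+(?:\.\d+){3}) ", re.M)
TCP_RE = re.compile(r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): tcp (\d+)$")
ICMP_RE = re.compile(r"^(\S+) IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ICMP (.*)$")
EPHEMERAL_START = 1024  # ports at or above this are treated as client-side ports


def local_addresses(ifconfig_text):
    """Every IPv4 address bound on the interface: the WAN address plus the IP-alias VIPs."""
    return set(INET_RE.findall(ifconfig_text))


def parse_packet(line):
    """Turn one tcpdump-style line into a dict, or None for lines we do not understand."""
    m = TCP_RE.match(line)
    if m:
        ts, src, sport, dst, dport, length = m.groups()
        return {"ts": ts, "proto": "tcp", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "len": int(length)}
    m = ICMP_RE.match(line)
    if m:
        ts, src, dst, info = m.groups()
        return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "info": info}
    return None


def classify(pkt, local):
    """Return (direction, local_ip, service) or None for traffic not involving a local address.

    For TCP the side holding the well-known port is the server: if the local address holds the
    ephemeral port, a local host is the client (outbound, e.g. a LAN host behind outbound NAT).
    ICMP echo requests are counted once; echo replies are implied by them and skipped.
    """
    src_local, dst_local = pkt["src"] in local, pkt["dst"] in local
    if src_local == dst_local:
        return None
    if pkt["proto"] == "icmp":
        if "echo request" not in pkt["info"]:
            return None
        return ("inbound", pkt["dst"], "icmp") if dst_local else ("outbound", pkt["src"], pkt["dst"] + ":icmp")
    if dst_local:
        local_ip, local_port, remote_ip, remote_port = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]
    else:
        local_ip, local_port, remote_ip, remote_port = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
    if local_port < EPHEMERAL_START <= remote_port:
        return ("inbound", local_ip, "tcp/%d" % local_port)
    if remote_port < EPHEMERAL_START <= local_port:
        return ("outbound", local_ip, "%s:%d" % (remote_ip, remote_port))
    return ("ambiguous", local_ip, "tcp/%d<->%s:%d" % (local_port, remote_ip, remote_port))


def summarize(capture_text, local):
    """Count packets per (local address, service) for each direction."""
    counts = {"inbound": defaultdict(int), "outbound": defaultdict(int), "ambiguous": defaultdict(int)}
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        verdict = classify(pkt, local) if pkt else None
        if verdict:
            direction, local_ip, service = verdict
            counts[direction][(local_ip, service)] += 1
    return counts


def silent_addresses(counts, local):
    """Local addresses that never appear as the target of inbound traffic in the capture."""
    return local - {ip for ip, _ in counts["inbound"]}


if __name__ == "__main__":
    local = local_addresses(IFCONFIG_WAN)
    counts = summarize(CAPTURE, local)
    for direction in ("outbound", "inbound", "ambiguous"):
        for (ip, service), n in sorted(counts[direction].items()):
            print("%-9s %-16s %-24s %d packets" % (direction, ip, service, n))
    print("no inbound traffic seen for:", ", ".join(sorted(silent_addresses(counts, local))))
```

On the constructed input the nine original lines all come out as outbound from 173.160.166.49 to 50.97.161.229:80, which is the reading viragomann gave; only .49 and .51 receive anything inbound, and .53 and .54 are reported as silent, matching what Andrew saw in his trace. A VIP that is listed by ifconfig but never appears as a destination in a WAN capture has not been reached at all, so the next place to look is upstream of the firewall (whether the ISP router resolves or routes that address), not at the port-forward or firewall rules.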

                It seems to be a problem with the VIPs. The only one that works is 173.160.166.51.

                I moved the website from .60 on port 443 to .51 port 443.
                I also moved website from .53 on port 80 to .51 port 80.

                Updated the NAT Port Forward rules and they are now accessible from both internal and external clients.

                -Andrew

                  viragomann

                  Strange issue.

                  Your VIPs look fine.

                  Only thing I'm missing is your WAN gateway IP. Usually this is the lowest IP in the subnet except the network address, but this is the WAN address in your case.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.