Nginx behind PFsense uptime problems

  • Hi there,

    Running pfSense on ESXi and an Ubuntu Server 15.04 x64 with Nginx 1.9.5 also on ESXi.
    Everything works as it should. Site is available from the internet and from the local networks.

    We have an IPv6 /48 and 7 static IPv4 addresses.
    One IPv4 address is configured as 1:1 NAT to the webserver (webserver is running in a separate LAN network) (specific NATs 80->80 and 443->443 have also been tried)
    Made a firewall rule to allow IPv4/IPv6 * from * to Webserver port *
    Also tried the rule allow IPv4/IPv6 TCP/UDP from * to Webserver port 443 and 80

    Both have the same result.
    Uptime Robot and freesitestatus both tell me that the website isn't always up.
    Gateway (ping to our external IP) is always up.
    Another webserver IIS7 is always up.

    Is this a problem in my configuration of the firewall or in nginx?
    What is the best way to configure the firewall: 1:1 NAT or specific NAT?
    Firewall rule to allow all (some kind of firewall bypass) or filtering and only allowing the needed traffic?

    Please help me get 100% uptime as with IIS7, not 98% uptime.

    ps. If this is in the wrong subforum, I'm sorry, please move it.

  • So is your IIS server on the same network as the Nginx server? You presumably have port forwarding rules in place to allow external access to ports 80 and 443 on the IIS system - have you checked that the rules are the same for both servers? And are you using virtual IPs on the external side to forward the traffic to each of your web servers?

    In short, if you have exactly the same setup on the firewall for IIS and Nginx as far as the firewall rules go, then the issue is almost certainly with Nginx. Have you checked the Nginx server logs to see if the service is dropping or if anything is happening on the server? For that matter, are you checking the pfSense logs to see if any disconnects are occurring?

    Without any specific information about your rules or any indication you've checked your logs, this is about as much help as anyone can offer. If you need any further assistance, post your rules and any log information you can find.

  • LAYER 8 Global Moderator

    Firewall rules don't say "oh, you can only go in 98% of the time" ;) Your issue is most likely with your actual web server or connectivity to it on your LAN side.

    Does it go down on its IPv6 address? You know, when I see this "Also tried the rule allow IPv4/IPv6 TCP/UDP from * to Webserver port 443 and 80" I have to think to myself.. WHY?? Since when does your website do anything on UDP for http or https???
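The two replies above both come down to the same diagnostic step: test the server over IPv4 and IPv6 separately, on TCP 80 and 443 only, and time-stamp every failure so it can be lined up against the pfSense firewall log and the nginx error log. The script below is an added example written for this thread, not code from the original posters or from pfSense. It probes each address family and port with a plain TCP connect followed by an HTTP HEAD, prints one CSV line per round, and applies a heuristic `localize()` that narrows a failed round to the NATed IPv4 path, the IPv6 path, the listener on one port, the server/LAN side, or WAN connectivity. The hostname `www.example.com`, the gateway address `203.0.113.1`, the use of the Linux iputils `ping` for the gateway check, and the 60-second interval are all assumptions to replace with your own values.

```python
"""Probe a web server over IPv4 and IPv6 separately and localize failures.

Added example for the thread above, not from the original posts. Only TCP is
probed, since HTTP and HTTPS run over TCP. Assumed values: HOST, GATEWAY,
the Linux iputils `ping` command and the polling interval.
"""
import csv
import socket
import ssl
import subprocess
import sys
import time

HOST = "www.example.com"   # assumption: the name the uptime monitor polls
GATEWAY = "203.0.113.1"    # assumption: pfSense WAN address that "is always up"
TIMEOUT = 5.0


def probe_once(host, port, family, timeout=TIMEOUT):
    """One TCP connection of the given family, then an HTTP HEAD.

    Returns (ok, detail). A failed connect points at the path (NAT, firewall
    rule, LAN); a connect that succeeds but gets no HTTP status line points at
    the listener itself.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        if not infos:
            return False, "no address of this family"
        af, socktype, proto, _, sockaddr = infos[0]
        raw = socket.socket(af, socktype, proto)
        raw.settimeout(timeout)
        sock = raw
        try:
            raw.connect(sockaddr)
            if port == 443:  # TLS with certificate validation, SNI = host
                ctx = ssl.create_default_context()
                sock = ctx.wrap_socket(raw, server_hostname=host)
            req = b"HEAD / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
            sock.sendall(req)
            line = sock.recv(256).split(b"\r\n", 1)[0]
            return line.startswith(b"HTTP/"), line.decode("latin-1", "replace")
        finally:
            sock.close()
    except (OSError, ssl.SSLError) as exc:
        return False, repr(exc)


def gateway_up(addr=GATEWAY):
    """Single ICMP echo to the WAN address (assumes Linux iputils ping)."""
    rc = subprocess.run(["ping", "-c", "1", "-W", "2", addr],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def localize(results, gw_up):
    """Heuristic verdict for one round.

    results maps (family, port) -> ok, with family in {"v4", "v6"} and port in
    {80, 443}; gw_up is whether the WAN address answered a ping.
    """
    v4 = [ok for (fam, _), ok in results.items() if fam == "v4"]
    v6 = [ok for (fam, _), ok in results.items() if fam == "v6"]
    if all(results.values()):
        return "up"
    if not gw_up:
        return "wan: gateway unreachable, this round says nothing about the web server"
    if v6 and all(v6) and not any(v4):
        return "ipv4-path: only the NATed IPv4 side fails; check the 1:1/port-forward and its rule"
    if v4 and all(v4) and not any(v6):
        return "ipv6-path: only IPv6 fails; check the IPv6 rule and the host's v6 address"
    if not any(results.values()):
        return "server-or-lan: both families fail while the firewall answers; check nginx and the LAN path"
    failed = sorted(f"{fam}:{port}" for (fam, port), ok in results.items() if not ok)
    return "listener: only " + ",".join(failed) + " failed; check that nginx listens on that port/family"


def run_round(host=HOST):
    """Probe all four (family, port) combinations once."""
    results, details = {}, {}
    for label, family in (("v4", socket.AF_INET), ("v6", socket.AF_INET6)):
        for port in (80, 443):
            ok, detail = probe_once(host, port, family)
            results[(label, port)] = ok
            details[(label, port)] = detail
    return results, details


def main(host=HOST, interval=60):
    """Poll forever; UTC timestamps line up with pfSense and nginx logs."""
    out = csv.writer(sys.stdout)
    out.writerow(["utc", "v4:80", "v4:443", "v6:80", "v6:443", "gateway", "verdict", "detail"])
    while True:
        results, details = run_round(host)
        gw = gateway_up()
        verdict = localize(results, gw)
        bad = "; ".join(f"{f}:{p} {details[(f, p)]}" for (f, p), ok in results.items() if not ok)
        out.writerow([time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())]
                     + [int(results[k]) for k in (("v4", 80), ("v4", 443), ("v6", 80), ("v6", 443))]
                     + [int(gw), verdict, bad])
        sys.stdout.flush()
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Run it from a host outside the firewall (a VPS, for example) so the probes traverse the same NAT and rules the uptime monitors do, then compare the timestamps of rounds that are not `up` against the pfSense firewall log (blocked packets for the web server's address) and `/var/log/nginx/error.log` on the Ubuntu box. The verdict strings are a heuristic: "ipv4-path" with a healthy IPv6 side is the pattern that implicates the NAT mapping, while "server-or-lan" with the gateway still answering is the pattern the moderator describes.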
