Can NAT port 8085 to port 80, but not port 80 itself



  • Hi,

    I've set up a NAT rule to forward port 8085 traffic on the pfSense to an internal Apache server's port 80. I'm getting exactly what I want when accessing test.domain.com.

    But the same rule with port 80 NATed to port 80 (same internal server) does not. I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

    I thought the likely culprit was the pfSense GUI, but the pfSense configurator is on port 8080 with HTTPS selected. It should not respond to port 80, should it?


  • 

    Check Disable webConfigurator redirect rule in System > Advanced



  • Check Disable webConfigurator redirect rule in System > Advanced

    I did - checked or unchecked, same behavior



  • @Mike:

    I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

    Where are you trying to access the server from, the LAN or from the WAN side?



  • I was trying to access the web page from outside the WAN, not the LAN.

    As I said, port 8085 to LAN machine port 80 worked perfectly; it's port 80 to LAN port 80 that didn't. The rules are identical, except for the port.



  • NEW INFO

    I realized something else - I have a Virtual IP on the WAN side. When the rule is set to "destination IP - all" (i.e. all IPs defined on WAN, as opposed to a specific one), the rule works fine for the main IP but not for the Virtual IP I set up.

    In other words, http://test.domain.com is NATed correctly, but not http://testvirtualip.domain.com

    (test and testvirtualip are DNS entries for the main WAN IP and virtualip on WAN respectively)

    Is this normal? (and if so, why?) Or is this a bug that should be reported?

    Finally, I realize 1:1 NAT will work (and does work, I checked). Is that the only way for my scenario to function properly? Is there a downside to using 1:1 NAT? Not that I see any, but I'm less familiar with it than I am with normal port forwarding.



  • Post screenshots of your NAT and firewall rules. Sounds like you may have a rule mismatch or maybe you have a block rule positioned above your allow rule(s)? Rules are applied top-down.



  • Thank you for the offer - I ended up going with Virtual IPs anyway and 1:1 NAT, and that worked. Can't figure out why using normal port forward didn't, but I can't go back now (unless I had a good reason to).



  • Hello.
    Got a similar problem.

    pfSense 2.3.3-RELEASE-p1 (i386) on a public IP.
    WWW server in LAN (192.168.1.6)

    If I use NAT from WAN:82 (or any other port) to 192.168.1.6:80 - everything works OK.
    If I want to use NAT from WAN:80 to 192.168.1.6:80 it doesn't work - no connection, no errors in logs.
    NAT from WAN:443 to 192.168.1.6:443 works OK, every other port (SSH, etc.) too.
    Only 80 - not.

    No service on pfSense uses port 80, I'm sure. The web panel after installation was on port 80; maybe it is blocked all the time for some reason?

    Thank you in advance.

    Radek
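A diagnostic for the two symptoms raised in this thread (the first post's DNS rebind error from the GUI on port 80, and the port 80 forward that works for the primary WAN address but not the Virtual IP; Radek's port 80 case above is the same question), added here as an example and not code from the thread or from pfSense. It parses constructed `pfctl -sn` rdr lines and a constructed `sockstat -4l` listing (interface name, addresses and PIDs are made up) and reports who would answer a packet to a given WAN destination.

```python
import re
from collections import namedtuple

# Constructed sample of `pfctl -sn` output (rdr lines only). All three rules are
# pinned to the primary WAN address 203.0.113.10, not to the VIP 203.0.113.20.
PFCTL_RDR = """\
rdr on em0 inet proto tcp from any to 203.0.113.10 port = 8085 -> 192.168.1.6 port 80
rdr on em0 inet proto tcp from any to 203.0.113.10 port = http -> 192.168.1.6 port 80
rdr on em0 inet proto tcp from any to 203.0.113.10 port = https -> 192.168.1.6 port 443
"""
# Constructed `sockstat -4l` sample: GUI on 8080, its HTTP redirect holding *:80.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      2431  6  tcp4   *:8080                *:*
root     nginx      2431  7  tcp4   *:80                  *:*
"""
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}  # names pfctl prints
RDR_RE = re.compile(r"rdr(?: pass)? on (\S+) inet proto (\S+) from \S+ to (\S+)"
                    r" port = (\S+) -> (\S+) port (\d+)")
Rdr = namedtuple("Rdr", "iface proto dst dport target tport")

def _port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]

def parse_rdr(text):
    """Parse rdr rules; lines that are not rdr rules are ignored."""
    return [Rdr(m[1], m[2], m[3], _port(m[4]), m[5], int(m[6]))
            for m in map(RDR_RE.match, text.splitlines()) if m]

def local_listeners(text):
    """Set of (addr, port) the firewall itself listens on; '*' = every local IP."""
    out = set()
    for cols in (line.split() for line in text.splitlines()[1:]):
        if len(cols) >= 6 and cols[4].startswith("tcp"):
            addr, port = cols[5].rsplit(":", 1)
            out.add((addr, int(port)))
    return out

def resolve(dst_ip, dport, rules, listeners):
    """Who answers an inbound TCP packet to dst_ip:dport? pf applies rdr before the
    packet reaches a local socket, so a matching rdr wins; otherwise a listener
    on the firewall (e.g. the GUI's HTTP redirect on *:80) answers it."""
    for r in rules:
        if r.dport == dport and r.dst in ("any", dst_ip):
            return f"redirected to {r.target}:{r.tport}"
    if any(a in ("*", dst_ip) and p == dport for a, p in listeners):
        return "answered by pfSense itself"
    return "dropped (no rdr, no listener)"
```

Run `resolve` for the primary address and for the VIP on port 80: the first is redirected, the second lands on the firewall's own port 80 listener, which is what a DNS rebind error from the GUI indicates.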

