Can NAT port 8085 to port 80, but not port 80 itself


  • Hi,

    I've set up a NAT rule to forward port 8085 traffic on the pfSense to an internal Apache server's port 80. I'm getting exactly what I want when accessing test.domain.com.

    But the same rule with port 80 NATed to port 80 (same internal server) does not.  I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

    The likely culprit, I thought, was the pfSense GUI, but the pfSense configurator is on port 8080 with HTTPS selected. It should not respond to port 80, should it?

  • LAYER 8 Netgate

    Check Disable webConfigurator redirect rule in System > Advanced


  • Check Disable webConfigurator redirect rule in System > Advanced

    I did; checked or unchecked, same behavior.


  • @Mike:

    I am getting "Potential DNS rebind attack". The error message suggested I use the IP address instead of the URL. This worked, but isn't a permanent solution.

    Where are you trying to access the server from, the LAN or from the WAN side?


  • I was trying to access the web page from outside the WAN, not the LAN.

    As I said, port 8085 to LAN machine port 80 worked perfectly; it's port 80 to LAN port 80 that didn't. The rules are identical except for the port.


  • NEW INFO

    I realized something else - I have a Virtual IP on the WAN side.  When the rule is set to "destination IP - all" (i.e. all IPs defined on WAN, as opposed to a specific one), the rule works fine for the main IP but not for the Virtual IP I setup.

    In other words, http://test.domain.com is NATed correctly, but not http://testvirtualip.domain.com

    (test and testvirtualip are DNS entries for the main WAN IP and virtualip on WAN respectively)

    Is this normal? (and if so, why?) Or is this a bug that should be reported?

    Finally, I realize 1:1 NAT will work (and does work; I checked). Is that the only way for my scenario to function properly? Is there a downside to using 1:1 NAT? Not that I see any, but I'm less familiar with it than I am with normal port forwarding.


  • Post screenshots of your NAT and firewall rules. Sounds like you may have a rule mismatch or maybe you have a block rule positioned above your allow rule(s)? Rules are applied top-down.


    Thank you for the offer. I ended up going with Virtual IPs anyway and 1:1 NAT, and that worked. Can't figure out why using a normal port forward didn't, but I can't go back now (unless I had a good reason to).


    Hello.
    Got a similar problem.

    pfSense 2.3.3-RELEASE-p1 (i386) on a public IP.
    WWW server in LAN (192.168.1.6)

    If I use NAT from WAN:82 (or any other port) to 192.168.1.6:80, everything works OK.
    If I want to use NAT from WAN:80 to 192.168.1.6:80, it doesn't work: no connection, no errors in the logs.
    NAT from WAN:443 to 192.168.1.6:443 works OK, and every other port (SSH, etc.) does too.
    Only 80 does not.

    No service on pfSense uses port 80, I'm sure. The web panel after installation was on port 80; maybe it is blocked all the time for some reason?

    Thank you in advance.

    Radek
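
The three things this thread keeps circling back to (is something on the firewall itself answering port 80, as the original poster and Radek suspect; is the webConfigurator redirect listener involved, as the Netgate reply suggests; and does the port-80 rdr rule actually cover the Virtual IP, as in the "NEW INFO" post) can all be checked from the pfSense shell. The script below is an added example, not code from the thread or from pfSense: it parses the output of `sockstat -4l` and `pfctl -sn`, two commands that exist on pfSense/FreeBSD, and reports which process is bound to TCP 80, which WAN addresses the port-80 forwards cover, and which WAN address or VIP has no such rule. The sample outputs, the addresses 203.0.113.10 (WAN) and 203.0.113.11 (VIP), the LAN host 192.168.1.6, and nginx as the name of the GUI process are constructed assumptions so that it runs offline.

```shell
#!/bin/sh
# Added diagnostic for a port-80 forward that fails while other ports work.
# Not from the thread or from pfSense. It reads the output of two commands that
# exist on pfSense/FreeBSD, `sockstat -4l` and `pfctl -sn`, and reports:
#   1. which process on the firewall itself is bound to TCP port 80
#      (the webConfigurator HTTP redirect listener would show up here),
#   2. which WAN addresses the rdr (port forward) rules for port 80 cover,
#   3. which WAN addresses (interface address and VIPs) have no such rule.
# The sample outputs below are CONSTRUCTED for an offline run; on a real box
# feed the live commands instead (see the bottom of the script).

# Constructed stand-in for `sockstat -4l` (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      60123 6  tcp4   *:8080                *:*
root     nginx      60123 7  tcp4   *:80                  *:*
unbound  unbound    44555 4  udp4   *:53                  *:*'

# Constructed stand-in for `pfctl -sn`; 203.0.113.10 is the assumed WAN address,
# 203.0.113.11 an assumed Virtual IP (documentation range, not real hosts).
SAMPLE_NAT='rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = 8085 -> 192.168.1.6 port 80
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = https -> 192.168.1.6 port 443
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = http -> 192.168.1.6 port 80'
WAN_ADDRS="203.0.113.10 203.0.113.11"

# listeners_on_port PORT  (stdin: sockstat output) -> command names bound to that TCP port
listeners_on_port() {
    awk -v p="$1" '$5 ~ /^tcp/ && $6 ~ (":" p "$") { print $2 }'
}

# rdr_rules_for_port PORT [NAME]  (stdin: pfctl -sn output) -> the "to" address of every
# rdr rule whose destination port is PORT, given numerically or as its /etc/services name
# (pfctl may print "port = http" rather than "port = 80").
rdr_rules_for_port() {
    awk -v p="$1" -v n="$2" '
        $1 == "rdr" {
            for (i = 1; i < NF; i++)
                if ($i == "to") addr = $(i + 1)
            for (i = 1; i < NF; i++)
                if ($i == "port" && $(i + 1) == "=" && ($(i + 2) == p || $(i + 2) == n) && $(i + 3) == "->")
                    print addr
        }'
}

# uncovered_addrs "ADDR ADDR ..."  (stdin: addresses covered by rdr rules) -> addresses with no rule
uncovered_addrs() {
    covered=$(cat)
    for a in $1; do
        echo "$covered" | grep -qx "$a" || echo "$a"
    done
}

# check_port80_forward SOCKSTAT_OUT NAT_OUT "WAN ADDRS"
# Prints the report; returns 1 if any listed WAN address has no port-80 forward.
check_port80_forward() {
    echo "Processes on the firewall bound to TCP 80:"
    printf '%s\n' "$1" | listeners_on_port 80 | sed 's/^/  /'
    echo "rdr rules with destination port 80 cover:"
    covered=$(printf '%s\n' "$2" | rdr_rules_for_port 80 http)
    printf '%s\n' "$covered" | sed 's/^/  /'
    missing=$(printf '%s\n' "$covered" | uncovered_addrs "$3")
    if [ -n "$missing" ]; then
        echo "WAN addresses with NO port-80 forward: $missing"
        return 1
    fi
    return 0
}

# Offline demo with the constructed data. On a real pfSense, run instead:
#   check_port80_forward "$(sockstat -4l)" "$(pfctl -sn)" "WAN_IP VIP_IP"
if check_port80_forward "$SAMPLE_SOCKSTAT" "$SAMPLE_NAT" "$WAN_ADDRS"; then
    echo "every listed WAN address has a port-80 forward"
else
    echo "the address(es) above need a port-80 rdr rule (or a 1:1 NAT entry)"
fi
```

With the constructed data the report shows nginx bound to *:80 next to its *:8080 GUI listener, and 203.0.113.11 as the VIP with no port-80 rdr rule, which is the situation the "NEW INFO" post describes; on a real firewall the same two lines tell you whether the redirect listener is still up and whether the forward's destination actually includes the VIP.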