Forwarding port 443 only works for a few of my CIDR block IPs



  • We moved to a 16 address CIDR block about two weeks ago, about the time we upgraded to 2.3.

    Things worked fine until today. For some reason port 443 is no longer forwarding correctly for two of the IP addresses.

    I've reviewed and reviewed this till I'm blue in the face.

    The rules are constructed the same for mapping port 443 of each of the four CIDR block addresses to a separate internal IP. The only slight difference is that internal IPs 192.168.0.46 and 192.168.0.51 are different IP addresses on the same NIC on a Windows Server. We are doing this so we can map:

    • port 443 on one host to port 443 on this server (IP addr 192.168.0.46)

    • port 443 on a different external IP to port 8081 on the same server (IP addr 192.168.0.51)

    This is done so the "relay" port on ScreenConnect can get through some client firewalls a bit easier.

    pfSense says that port 443 is open on each of the two IP addrs - 192.168.0.46 and 192.168.0.51, as does a Windows "netstat -anb" and a browser from inside the firewall.

    Below is the output of nmap from a remote CentOS box. I've changed the first two parts of the IP address to "88.71" for public posting.

    Any ideas at all are appreciated.

    Thank you - Richard

    Nmap scan report for thx.san.destinytv.com (88.71.190.146)
    Host is up (0.016s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    
    Nmap scan report for wsip-88-71-190-147.ph.ph.cox.net (88.71.190.147)
    Host is up (0.018s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    
    Nmap scan report for wsip-88-71-190-148.ph.ph.cox.net (88.71.190.148)
    Host is up (0.021s latency).
    PORT     STATE    SERVICE
    443/tcp  filtered https
    8081/tcp filtered blackice-icecap
    8443/tcp open     https-alt
    
    Nmap scan report for wsip-88-71-190-149.ph.ph.cox.net (88.71.190.149)
    Host is up (0.016s latency).
    PORT     STATE    SERVICE
    443/tcp  filtered https
    8081/tcp filtered blackice-icecap
    8443/tcp open     https-alt
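Added example (not part of the original post): a small checker that parses nmap's normal output, such as the scan pasted above, and lists every external address whose expected forwarded port is not reported open, which is the comparison the poster is doing by eye. The sample output is embedded verbatim from the post (minus the "Host is up" lines), and the expectation that every address in the block should answer on 443/tcp is an assumption.

```python
import re

# Constructed sample: the nmap output quoted in the post (already anonymised
# by the poster), embedded so the check runs offline.
NMAP_OUTPUT = """\
Nmap scan report for thx.san.destinytv.com (88.71.190.146)
PORT    STATE SERVICE
443/tcp open  https
Nmap scan report for wsip-88-71-190-147.ph.ph.cox.net (88.71.190.147)
PORT    STATE SERVICE
443/tcp open  https
Nmap scan report for wsip-88-71-190-148.ph.ph.cox.net (88.71.190.148)
PORT     STATE    SERVICE
443/tcp  filtered https
8081/tcp filtered blackice-icecap
8443/tcp open     https-alt
Nmap scan report for wsip-88-71-190-149.ph.ph.cox.net (88.71.190.149)
PORT     STATE    SERVICE
443/tcp  filtered https
8081/tcp filtered blackice-icecap
8443/tcp open     https-alt
"""

# Assumption: each external address should answer on 443/tcp; the post does
# not say which external IP maps to which internal host.
EXPECTED_OPEN = {"443/tcp"}

HOST_RE = re.compile(r"^Nmap scan report for .*?\((\d+\.\d+\.\d+\.\d+)\)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {ip: {port: state}} from nmap's normal-format output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1)] = m.group(2)
    return hosts

def find_broken_forwards(text, expected=EXPECTED_OPEN):
    """List (ip, port, state) for expected ports not reported 'open'.
    A port nmap did not list at all is reported with state 'absent'."""
    problems = []
    for ip, ports in sorted(parse_nmap(text).items()):
        for port in sorted(expected):
            state = ports.get(port, "absent")
            if state != "open":
                problems.append((ip, port, state))
    return problems

if __name__ == "__main__":
    for ip, port, state in find_broken_forwards(NMAP_OUTPUT):
        print(f"{ip}: {port} is {state}, expected open")
```

Run against the pasted scan it reports .148 and .149 as filtered on 443/tcp, i.e. the two addresses whose forwards stopped working; a "filtered" state on the WAN side while the host answers internally points at the NAT/firewall rule rather than the server.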
    
    


  • Question: Which two of the three external IPs you've posted should map to 192.168.0.46 and 192.168.0.51 respectively?

    So you say when you browse to https://192.168.0.46 and https://196.168.0.51 internally, the pages load correctly? Is this right?

    I think it may help a lot if you post your NAT and firewall forwarding rules for your WAN interface. Screenshots, please - not ASCII.

