What you’re describing is NAT reflection, and the reason you’re getting
redirected from :80 to :443 is because you’re actually hitting the pfSense web
interface. pfSense is running a web server and by default it will forward you
from port 80 to port 443 and offer a self-signed cert.

I think what you need is a rule like this: Firewall -> NAT -> Port Forward on
LAN for TCP from any to (WAN):80 redirect to (DMZ Machine:80)
And maybe another for :443
That should give you the expected behavior from both inside and outside
networks being redirected to your DMZ machine. You have something like this on
WAN, yes?
ED.
> On 2015, Apr 18, at 6:42 PM, Bob McClure Jr <[email protected]> wrote:
>
> On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote:
>> I am a pfsense newbie. After my homebrew firewall crashed, a
>> colleague recommended pfsense, so I went for it. I'm running the
>> latest update of pfsense.
>>
>> I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is
>> my DMZ for a web, mail, and DNS server. I have set up the NAT rules
>> for all the stuff from the WAN to get to OPT1. I learned much later
>> than I should have that, by default, LAN can get to anything on WAN
>> and OPT1, and OPT1 can get to anything on WAN. That is correct, isn't
>> it?
>>
>> The problem is that when I go from my workstation on the LAN to our
>> web server on OPT1, I am forced from an HTTP connection to HTTPS.
>> I've done a bunch of web searching and docs perusing, but I can't
>> figure out how to fix that. Everything else seems to be working
>> fine, including outside connections to the web server.
>>
>> Any clues for me?
>>
>> Cheers,
>> --
>> Bob McClure, Jr.
>
> Here is an interesting discovery based on trying to wget a file off my
> web server (on OPT1) from a machine on the NAT:
>
> $ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg
> --2015-04-18 17:26:11-- http://www.bobcatos.com/uploads/somefile.jpeg
> Resolving www.bobcatos.com... 208.101.214.202
> Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
> --2015-04-18 17:26:11-- https://www.bobcatos.com/uploads/somefile.jpeg
> Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
> ERROR: cannot verify www.bobcatos.com’s certificate, issued by
> “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed
> Certificate/[email protected]/CN=pfSense-5530c2f6c952e”:
> Unable to locally verify the issuer’s authority.
> ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match
> requested host name “www.bobcatos.com”.
> To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’.
>
> I see that it's using the outside address instead of the DMZ address,
> but that used to work on my old firewall.
>
> Why does pfsense insist on making this an SSLed connection and with a
> bogus SSL cert to boot? www.bobcatos.com has its own legit SSL cert,
> for pete's sake.
>
> Cheers,
> --
> Bob McClure, Jr. Bobcat Open Systems, Inc.
> [email protected] http://www.bobcatos.com
> Make every effort to live in peace with all men and to be holy;
> without holiness no one will see the Lord.
> Hebrews 12:14 NIV
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
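
A check for the symptom in the quoted wget output, as an added example that is not part of the original thread: it parses a wget transcript and reports whether the pfSense webConfigurator, rather than the DMZ web server, answered on the public address. The function name `diagnose`, the verdict labels and the second sample transcript are constructed for illustration.

```python
import re

# Transcript from the quoted message above, trimmed (timestamps and the
# redacted e-mail field of the issuer are left out); wrapping is as quoted.
WGET_FROM_LAN = """\
Resolving www.bobcatos.com... 208.101.214.202
Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
ERROR: cannot verify www.bobcatos.com’s certificate, issued by
“/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed
Certificate/CN=pfSense-5530c2f6c952e”:
ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match
requested host name “www.bobcatos.com”.
"""

# Constructed sample: a plain HTTP answer with no redirect.
WGET_NO_REDIRECT = """\
Resolving www.bobcatos.com... 208.101.214.202
Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
"""

WEBCONFIGURATOR_ISSUER = "O=pfSense webConfigurator Self-Signed Certificate"
QUOTE = "[“”\"']"  # wget prints curly or straight quotes depending on locale

def diagnose(transcript):
    """Classify a wget transcript: who answered on the public address?"""
    text = " ".join(transcript.split())  # undo mail/terminal line wrapping
    ports = re.findall(r"Connecting to \S+?\|[\d.]+\|:(\d+)", text)
    redirected = bool(re.search(r"\b30[1278] [^:]*Location: https://", text))
    cn = re.search(
        rf"common name {QUOTE}(.+?){QUOTE} doesn.t match "
        rf"requested host name {QUOTE}(.+?){QUOTE}", text)
    if WEBCONFIGURATOR_ISSUER in text:
        verdict = "webconfigurator"   # the firewall's own GUI answered
    elif redirected:
        verdict = "https-redirect"    # some server redirected; check its cert
    else:
        verdict = "direct"            # request was served over plain HTTP
    return {"ports": ports, "redirected": redirected, "verdict": verdict,
            "cn_mismatch": cn.groups() if cn else None}

if __name__ == "__main__":
    for name, sample in [("LAN", WGET_FROM_LAN), ("no redirect", WGET_NO_REDIRECT)]:
        print(name, diagnose(sample))
```

A `webconfigurator` verdict from a LAN host means the request to the WAN address was served by the firewall itself and never reached the DMZ machine.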