On Sun, Apr 19, 2015 at 11:29:37AM -0400, ED Fochler wrote: > What you’re describing is NAT reflection, and the reason you’re > getting redirected from :80 to :443 is because you’re actually > hitting the PFSense web interface. PFSense is running a web server > and by default it will forward you from port 80 to port 443 and > offer a self-signed cert.
Okay, that makes sense. > I think what you need is rule like this: Firewall -> NAT -> Port > Forward on LAN for TCP from any to (WAN):80 redirect to (DMZ > Machine:80) > And maybe another for :443 > That should give you the expected behavior from both inside and > outside networks being redirected to your DMZ machine. Didn't work. Not only did I not get to the site on the DMZ, it broke web surfing to the outside. But now that I know what the problem is, I'll search the pfsense docs for "NAT reflection". I'll be back when I learn something. > You have something like this on WAN, yes? Yes. WAN,TCP,*,*,WAN address,80,192,168.3.2 (server on the DMZ),80. Now I see why Shorewall has a fourth zone, the firewall. And I'm surprised pfsense didn't provide access to the firewall config on some non-standard port like 1080 or 8080 or something. Thanks for the clue. > ED. > > > On 2015, Apr 18, at 6:42 PM, Bob McClure Jr <[email protected]> wrote: > > > > On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote: > >> I am a pfsense newbie. After my homebrew firewall crashed, a > >> colleague recommended pfsense, so I went for it. I'm running the > >> latest update of pfsense. > >> > >> I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is > >> my DMZ for a web, mail, and DNS server. I have set up the NAT rules > >> for all the stuff from the WAN to get to OPT1. I learned much later > >> than I should have that, by default, LAN can get to anything on WAN > >> and OPT1, and OPT1 can get to anything on WAN. That is correct, isn't > >> it? > >> > >> The problem is that when I go from my workstation on the LAN to our > >> web server on OPT1, I am forced from an HTTP connection to HTTPS. > >> I've done a bunch of web searching and docs perusing, but I can't > >> figure out how to fix that. Everything else seems to be working > >> fine, including outside connections to the web server. > >> > >> Any clues for me? > >> > >> Cheers, > >> -- > >> Bob McClure, Jr. > > > > Here is an interesting discovery based on trying to wget a file off my > > web server (on OPT1) from a machine on the NAT: > > > > $ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg > > --2015-04-18 17:26:11-- http://www.bobcatos.com/uploads/somefile.jpeg > > Resolving www.bobcatos.com... 208.101.214.202 > > Connecting to www.bobcatos.com|208.101.214.202|:80... connected. > > HTTP request sent, awaiting response... 301 Moved Permanently > > Location: https://www.bobcatos.com/uploads/somefile.jpeg [following] > > --2015-04-18 17:26:11-- https://www.bobcatos.com/uploads/somefile.jpeg > > Connecting to www.bobcatos.com|208.101.214.202|:443... connected. > > ERROR: cannot verify www.bobcatos.com’s certificate, issued by > > “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed > > Certificate/[email protected]/CN=pfSense-5530c2f6c952e”: > > Unable to locally verify the issuer’s authority. > > ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match > > requested host name “www.bobcatos.com”. > > To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’. > > > > I see that it's using the outside address instead of the DMZ address, > > but that used to work on my old firewall. > > > > Why does pfsense insist on making this an SSLed connection and with a > > bogus SSL cert to boot? www.bobcatos.com has its own legit SSL cert, > > for pete's sake. > > > > Cheers, > > -- > > Bob McClure, Jr. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [email protected] http://www.bobcatos.com Make every effort to live in peace with all men and to be holy; without holiness no one will see the Lord. Hebrews 12:14 NIV _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
