On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote:
> I am a pfsense newbie. After my homebrew firewall crashed, a
> colleague recommended pfsense, so I went for it. I'm running the
> latest update of pfsense.
>
> I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is
> my DMZ for a web, mail, and DNS server. I have set up the NAT rules
> for all the stuff from the WAN to get to OPT1. I learned much later
> than I should have that, by default, LAN can get to anything on WAN
> and OPT1, and OPT1 can get to anything on WAN. That is correct, isn't
> it?
>
> The problem is that when I go from my workstation on the LAN to our
> web server on OPT1, I am forced from an HTTP connection to HTTPS.
> I've done a bunch of web searching and docs perusing, but I can't
> figure out how to fix that. Everything else seems to be working
> fine, including outside connections to the web server.
>
> Any clues for me?
>
> Cheers,
> --
> Bob McClure, Jr.

Here is an interesting discovery based on trying to wget a file off my
web server (on OPT1) from a machine on the NAT:

$ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg
--2015-04-18 17:26:11-- http://www.bobcatos.com/uploads/somefile.jpeg
Resolving www.bobcatos.com... 208.101.214.202
Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
--2015-04-18 17:26:11-- https://www.bobcatos.com/uploads/somefile.jpeg
Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
ERROR: cannot verify www.bobcatos.com’s certificate, issued by “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/[email protected]/CN=pfSense-5530c2f6c952e”:
  Unable to locally verify the issuer’s authority.
ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match requested host name “www.bobcatos.com”.
To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’.

I see that it's using the outside address instead of the DMZ address,
but that used to work on my old firewall. Why does pfsense insist on
making this an SSLed connection and with a bogus SSL cert to boot?
www.bobcatos.com has its own legit SSL cert, for pete's sake.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[email protected]
http://www.bobcatos.com
Make every effort to live in peace with all men and to be holy;
without holiness no one will see the Lord. Hebrews 12:14 NIV
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
