On Sun, Apr 19, 2015 at 10:03:11PM +0200, Espen Johansen wrote:
> Try that rule on WAN :-)
>
> On 19 Apr 2015 21:50, "Bob McClure Jr" <[email protected]> wrote:
>
> > On Sun, Apr 19, 2015 at 11:29:37AM -0400, ED Fochler wrote:
> > > What you’re describing is NAT reflection, and the reason you’re
> > > getting redirected from :80 to :443 is because you’re actually
> > > hitting the PFSense web interface. PFSense is running a web server
> > > and by default it will forward you from port 80 to port 443 and
> > > offer a self-signed cert.
> >
> > Okay, that makes sense.
> >
> > > I think what you need is a rule like this: Firewall -> NAT -> Port
> > > Forward on WAN for TCP from any to (WAN):80 redirect to (DMZ Machine:80)
>
> Try that on WAN

I already have that. See 13 lines below this one. Thanks.

> > > And maybe another for :443
> > > That should give you the expected behavior from both inside and
> > > outside networks being redirected to your DMZ machine.
> >
> > Didn't work. Not only did I not get to the site on the DMZ, it broke
> > web surfing to the outside. But now that I know what the problem is,
> > I'll search the pfsense docs for "NAT reflection". I'll be back when
> > I learn something.
> >
> > > You have something like this on WAN, yes?
> >
> > Yes. WAN,TCP,*,*,WAN address,80,192.168.3.2 (server on the DMZ),80.
> >
> > Now I see why Shorewall has a fourth zone, the firewall. And I'm
> > surprised pfsense didn't provide access to the firewall config on some
> > non-standard port like 1080 or 8080 or something.
> >
> > Thanks for the clue.
> >
> > > ED.
> > >
> > > > On 2015, Apr 18, at 6:42 PM, Bob McClure Jr <[email protected]> wrote:
> > > >
> > > > On Fri, Apr 17, 2015 at 10:55:42PM -0500, Bob McClure Jr wrote:
> > > >> I am a pfsense newbie. After my homebrew firewall crashed, a
> > > >> colleague recommended pfsense, so I went for it. I'm running the
> > > >> latest update of pfsense.
> > > >>
> > > >> I have a pretty basic three-piece setup -- WAN, LAN, and OPT1 which is
> > > >> my DMZ for a web, mail, and DNS server. I have set up the NAT rules
> > > >> for all the stuff from the WAN to get to OPT1. I learned much later
> > > >> than I should have that, by default, LAN can get to anything on WAN
> > > >> and OPT1, and OPT1 can get to anything on WAN. That is correct, isn't
> > > >> it?
> > > >>
> > > >> The problem is that when I go from my workstation on the LAN to our
> > > >> web server on OPT1, I am forced from an HTTP connection to HTTPS.
> > > >> I've done a bunch of web searching and docs perusing, but I can't
> > > >> figure out how to fix that. Everything else seems to be working
> > > >> fine, including outside connections to the web server.
> > > >>
> > > >> Any clues for me?
> > > >>
> > > >> Cheers,
> > > >> --
> > > >> Bob McClure, Jr.
> > > >
> > > > Here is an interesting discovery based on trying to wget a file off my
> > > > web server (on OPT1) from a machine on the NAT:
> > > >
> > > > $ wget http://www.bobcatos.com/uploads/somefile.jpeg -O targetname.jpg
> > > > --2015-04-18 17:26:11--  http://www.bobcatos.com/uploads/somefile.jpeg
> > > > Resolving www.bobcatos.com... 208.101.214.202
> > > > Connecting to www.bobcatos.com|208.101.214.202|:80... connected.
> > > > HTTP request sent, awaiting response... 301 Moved Permanently
> > > > Location: https://www.bobcatos.com/uploads/somefile.jpeg [following]
> > > > --2015-04-18 17:26:11--  https://www.bobcatos.com/uploads/somefile.jpeg
> > > > Connecting to www.bobcatos.com|208.101.214.202|:443... connected.
> > > > ERROR: cannot verify www.bobcatos.com’s certificate, issued by “/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/[email protected]/CN=pfSense-5530c2f6c952e”:
> > > >   Unable to locally verify the issuer’s authority.
> > > > ERROR: certificate common name “pfSense-5530c2f6c952e” doesn't match requested host name “www.bobcatos.com”.
> > > > To connect to www.bobcatos.com insecurely, use ‘--no-check-certificate’.
> > > >
> > > > I see that it's using the outside address instead of the DMZ address,
> > > > but that used to work on my old firewall.
> > > >
> > > > Why does pfsense insist on making this an SSLed connection and with a
> > > > bogus SSL cert to boot? www.bobcatos.com has its own legit SSL cert,
> > > > for pete's sake.
> > > >
> > > > Cheers,
> > > > --
> > > > Bob McClure, Jr.
> >
> > Cheers,
> > --
> > Bob McClure, Jr.

-- 
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[email protected]
http://www.bobcatos.com
Make every effort to live in peace with all men and to be holy; without holiness no one will see the Lord.
Hebrews 12:14 NIV

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
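The rule set the thread converges on, written out as pf rules so the mechanism is visible. This is an added example, not text from the thread and not pfSense's own generated /etc/pf.conf (pfSense regenerates that file from the GUI configuration, so hand edits do not persist; the GUI equivalent is the NAT reflection setting under System > Advanced on the Firewall/NAT tab, or the per-rule NAT reflection option on the port forward). The public address 208.101.214.202 and the DMZ server 192.168.3.2 are the ones quoted in the thread; the interface names, the interface assignment and the LAN subnet 192.168.1.0/24 are assumptions:

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Interface names, interface roles and lan_net are assumptions; the two
# addresses are the ones in the thread.
ext_if  = "em0"                # WAN      (assumed)
lan_if  = "em1"                # LAN      (assumed)
dmz_if  = "em2"                # OPT1/DMZ (assumed)
wan_ip  = "208.101.214.202"    # WAN address from the wget output
lan_net = "192.168.1.0/24"     # assumed LAN subnet
web_srv = "192.168.3.2"        # DMZ web server from the thread
web_ports = "{ 80 443 }"

# 1. The port forward the thread already has.  An rdr rule is evaluated only
#    on the interface it is bound to, so this rule never sees a packet that
#    arrives on $lan_if.  Traffic from LAN to $wan_ip:80 is therefore
#    delivered to the firewall itself, where the webConfigurator answers with
#    a 301 to https and its self-signed pfSense-* certificate.
rdr on $ext_if proto tcp from any to $wan_ip port $web_ports -> $web_srv

# 2. NAT reflection: the same redirect bound to the internal interface.
#    Match only the public address.  A "to any port 80" rule here would send
#    every outbound HTTP connection from the LAN to the DMZ server, which
#    breaks ordinary web browsing.
rdr on $lan_if proto tcp from $lan_net to $wan_ip port $web_ports -> $web_srv

# 3. Optional hairpin source NAT (pfSense: "automatic outbound NAT for
#    Reflection").  It is only required when client and server sit on the
#    same subnet, where the server would otherwise reply directly to the
#    client and bypass the state pf created.  With LAN and DMZ on separate
#    interfaces the reply already routes back through pf, so it is left
#    disabled; enabling it also hides the real client address from the web
#    server's logs.
#nat on $dmz_if proto tcp from $lan_net to $web_srv port $web_ports -> ($dmz_if)

# 4. Filter rules are applied after translation, so they must allow the
#    post-rdr destination.  pfSense's default LAN allow-all and default
#    pass-out already cover this; shown explicitly so the dependency is clear.
pass in  quick on $lan_if proto tcp from $lan_net to $web_srv port $web_ports keep state
pass out quick on $dmz_if proto tcp from $lan_net to $web_srv port $web_ports keep state
```

To confirm which listener answers from a LAN host, check the certificate rather than the HTTP status: `openssl s_client -connect www.bobcatos.com:443 -servername www.bobcatos.com </dev/null 2>/dev/null | openssl x509 -noout -subject`. A subject CN starting with `pfSense-` means the webConfigurator answered and the reflection rule is not in effect; once it is, the site's own certificate comes back and `wget http://www.bobcatos.com/...` no longer follows a 301 to the firewall. Split DNS is the alternative that avoids NAT altogether: a host override in the pfSense DNS forwarder/resolver that resolves www.bobcatos.com to 192.168.3.2 for internal clients, so LAN traffic goes straight to the DMZ address. Independently of either fix, moving the webConfigurator off 443 and disabling its 80 to 443 redirect (System > Advanced, Admin Access) keeps the management interface from ever being the thing that answers on a port that is supposed to be forwarded.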
