
Topic: Distinction between traffic on port 443


Panja
Distinction between traffic on port 443
« on: March 25, 2016, 03:32:05 am »
At the moment I have my pfSense box configured with 2 OpenVPN daemons.
One on port 1194 UDP and the other one on port 443 TCP.

But I have a webserver behind my firewall which serves a few sites with HTTPS as well.
At the moment they are configured to run on port 4443 instead of 443 because OpenVPN uses that port.

Is there a way on the pfSense box to know what traffic is coming in and forward accordingly?
So when I connect with my OpenVPN client on port 443 it goes to my OpenVPN daemon but if it's web traffic it forwards the request to my webserver (on port 443).
« Last Edit: March 25, 2016, 03:39:47 am by Panja »
 
Qotom Q355G4 - 8GB ram - 64GB ssd
pfSense v2.4.2-p1
TP-Link TL-SG108E
2x TP-Link Archer C7: LEDE Reboot 17.01.4

johnpoz
Re: Distinction between traffic on port 443
« Reply #1 on: March 26, 2016, 08:39:11 am »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Panja
Re: Distinction between traffic on port 443
« Reply #2 on: March 26, 2016, 03:34:22 pm »
Many thanks John.
Life saver. :D

Panja
Re: Distinction between traffic on port 443
« Reply #3 on: March 26, 2016, 05:04:05 pm »
I have it configured and it is working but web traffic is terribly slow.

I read the following line:
NOTE: This requires using TCP, and may result in reduced VPN performance.

But it does not state anything about web traffic being slow.
Is that something that can be fixed or should I just deal with it?

johnpoz
Re: Distinction between traffic on port 443
« Reply #4 on: March 26, 2016, 06:13:18 pm »
You wouldn't need this if you're not using TCP on 443 for OpenVPN..

Did you think it was going to be FAST??  Do you have VPN clients at the same time you have web traffic?

Are you using OpenVPN on 443 TCP because you need to make sure it's open where your clients are?  This is a common reason to run it on that port.

cmb (Chris Buechler)
Re: Distinction between traffic on port 443
« Reply #5 on: March 26, 2016, 09:37:09 pm »
Has nothing to do with web traffic in particular, doing that just isn't going to be as fast as using a dedicated port, which still wouldn't be quite as fast as using UDP instead.

Panja
Re: Distinction between traffic on port 443
« Reply #6 on: March 27, 2016, 02:34:41 am »
When I use OpenVPN I always use the UDP daemon, for speed.
But for compatibility I have a second daemon running on port 443, as this port almost never gets blocked.

When I was testing the port-share option I did not have any VPN clients connected.

NOYB
Re: Distinction between traffic on port 443
« Reply #7 on: March 27, 2016, 03:29:23 am »
Could you run the web server exclusively on 443 and put the OpenVPN TCP service on port 80?

johnpoz
Re: Distinction between traffic on port 443
« Reply #8 on: March 27, 2016, 05:47:16 am »
What exactly is slow??  That is not a technical term ;)  To a race car driver, you doing 90 in a 75mph zone is slow ;)  If you're on gig, 100mbps is SLOW.. If I'm using 10ge then your gig is like watching paint dry...

What benchmark did you do without the port sharing, and then with the port sharing, and what was the performance hit??

Panja
Re: Distinction between traffic on port 443
« Reply #9 on: March 28, 2016, 04:14:31 am »
I could try port 80 for OpenVPN. That could be an option. But I have to use port share also.
Because the webserver does serve some regular HTTP sites as well.

What is exactly slow?
I get what you mean and maybe I had to explain myself a bit more.
So I will do now.

I have 2 SSL sites behind the pfSense box. When I put them on their own port (4443) without port sharing the pages load instantly, you'll get the login prompt (put in your credentials) and the page after that loads instantly as well.

When I put the sites on port 443 with port sharing it takes around 10 seconds more to load the first page with the login.
After putting in your credentials it takes another 8 - 10 seconds before the second page loads.

johnpoz
Re: Distinction between traffic on port 443
« Reply #10 on: March 28, 2016, 07:40:04 am »
Welcome to port sharing ;)  The system has to figure out that it is not OpenVPN traffic but web traffic, send that on, etc. etc..

I would suggest you get another public IP if you want to serve up different services off the same port ;)

What you could do is redirect traffic that comes in on 443 for your webserver to a new port; that way it will be faster.. And you just take a hit on people coming in on https://your.domain.tld: they hit that page, then get redirected to https://your.domain.tld:4433
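The "figure out that it is not OpenVPN traffic" step johnpoz describes is what OpenVPN's `port-share` directive does (`port-share <host> <port>` in the server config, which on pfSense goes in the OpenVPN server's custom-options field): the daemon peeks at the first bytes of every TCP connection on the shared port, keeps the connection if they look like an OpenVPN client hard-reset packet, and otherwise proxies it, including the bytes it has already consumed, to the fallback host. The Python below is an added example, not code from this thread, pfSense or OpenVPN. It reimplements that classification rule from the OpenVPN TCP wire format (a 2-byte big-endian packet length of at least 14, then an opcode byte equal to P_CONTROL_HARD_RESET_CLIENT_V2 shifted left by 3, or the newer _V3 variant) and runs it over constructed samples: a minimal OpenVPN hard reset, a TLS ClientHello record header, and a plaintext HTTP request. The function names, the `demux` helper and the sample bytes are this example's own assumptions.

```python
"""OpenVPN port-share style demultiplexing of a shared TCP listener.

Added example (not OpenVPN or pfSense code).  The rule is modelled on the
OpenVPN TCP wire format: every packet is prefixed with a 2-byte big-endian
length, and the first packet a client sends is a P_CONTROL_HARD_RESET_CLIENT
packet whose opcode occupies the top 5 bits of the byte after the length
(the low 3 bits are the key id, 0 for a hard reset).  Anything that does not
match is handed to the fallback host.
"""
import io
import struct

P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7      # classic OpenVPN 2.x client hard reset
P_CONTROL_HARD_RESET_CLIENT_V3 = 10     # tls-crypt-v2 variant in newer releases
MIN_HARD_RESET_LEN = 14                 # opcode + 8-byte session id + ack count + packet id

_HARD_RESET_OPCODES = (
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,   # 0x38
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,   # 0x50
)


def is_openvpn_protocol(prefix):
    """True while the bytes seen so far are still consistent with an OpenVPN client.

    Fewer than two bytes rule nothing out; two bytes check the length field;
    three bytes check the opcode as well.
    """
    if len(prefix) >= 3:
        return (prefix[0] == 0 and prefix[1] >= MIN_HARD_RESET_LEN
                and prefix[2] in _HARD_RESET_OPCODES)
    if len(prefix) >= 2:
        return prefix[0] == 0 and prefix[1] >= MIN_HARD_RESET_LEN
    return True


def classify(prefix):
    """Return 'openvpn', 'fallback' or 'undecided' for a connection prefix."""
    if len(prefix) < 3 and is_openvpn_protocol(prefix):
        return "undecided"
    return "openvpn" if is_openvpn_protocol(prefix) else "fallback"


def demux(read):
    """Pull bytes from read(n) one at a time until the connection can be routed.

    Returns (decision, consumed).  The consumed bytes must be replayed to
    whichever side gets the connection: the client will not send them again,
    which is why a port-share proxy forwards its peek buffer to the web server.
    """
    consumed = b""
    while True:
        chunk = read(1)
        if not chunk:
            return "closed", consumed
        consumed += chunk
        verdict = classify(consumed)
        if verdict != "undecided":
            return verdict, consumed


def demux_bytes(data):
    """Convenience wrapper: run demux() over an in-memory captured prefix."""
    return demux(io.BytesIO(data).read)


def openvpn_hard_reset_v2(session_id=b"\x11" * 8, packet_id=0):
    """Constructed minimal P_CONTROL_HARD_RESET_CLIENT_V2 packet with TCP framing."""
    body = (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT])  # opcode, key id 0
            + session_id                                             # 8-byte session id
            + b"\x00"                                                # no acked packet ids
            + struct.pack(">I", packet_id))                          # packet id
    return struct.pack(">H", len(body)) + body


# Constructed samples of what a web client's first bytes look like on the same port.
TLS_CLIENT_HELLO_HEADER = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("openvpn", openvpn_hard_reset_v2()),
                         ("tls", TLS_CLIENT_HELLO_HEADER),
                         ("http", HTTP_REQUEST)):
        verdict, consumed = demux_bytes(sample)
        print(f"{name:8s} -> {verdict:9s} after {len(consumed)} byte(s): {consumed.hex()}")
```

Two things worth noticing when running it: a TLS or HTTP client is ruled out on its second byte, because no OpenVPN length field starts with a non-zero byte, so the peek itself is short; and every non-OpenVPN connection still costs the extra userland proxy hop through the OpenVPN process, which is the part of port-share that a dedicated port or a second public IP, as suggested above, avoids entirely.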

Panja
Re: Distinction between traffic on port 443
« Reply #11 on: March 28, 2016, 12:15:05 pm »
Ok, thanks for the heads up. I'll have a look.

tazzler
Re: Distinction between traffic on port 443
« Reply #12 on: July 11, 2016, 12:17:22 pm »
I'm witnessing the exact same thing.

I have port-share enabled, which forwards regular HTTPS traffic to my Synology.
I was already using port-share on an Asus router (which was specced way lower than my current pfSense box  ;D). On the Asus router I had no speed issues with port-share.
With pfSense (and port-share) it is really slow. If I access the web server through another port the speed is fine.

@Panja: What did you end up with? Are you living with decreased https-performance?

Any other solutions or explanations?

johnpoz
Re: Distinction between traffic on port 443
« Reply #13 on: July 11, 2016, 12:32:41 pm »
So your Asus router was running OpenVPN and using the OpenVPN port-sharing feature to send on to something behind?  Or did it have some other port-sharing feature??

tazzler
Re: Distinction between traffic on port 443
« Reply #14 on: July 11, 2016, 01:24:37 pm »
Yes, the Asus router was running OpenVPN with port-share (activated in a text field for additional OpenVPN config, like in pfSense). No other proprietary feature or whatsoever.

tazzler
Re: Distinction between traffic on port 443
« Reply #15 on: July 15, 2016, 12:30:07 pm »
anyone?

Panja
Re: Distinction between traffic on port 443
« Reply #16 on: August 03, 2016, 01:26:14 am »
> @Panja: What did you end up with? Are you living with decreased https-performance?

I ended up changing the ports.
I could not live with the decreased speed.