
Topic: WebServers behind two pfSenses do not work


robsonfelix (Newbie)
WebServers behind two pfSenses do not work
« on: January 05, 2018, 11:52:24 am »
Guys,

This is my scenario. Please note IPs are changed for security purposes.

This is my topology:

DATA CENTER
-----------
10.20.0.0/23   - servers (netmask 255.255.254.0)
10.20.0.254      - pfsense 2.2.2-RELEASE

suppose a web server with IP 10.20.1.6 under Linux/Apache

OFFICE
------
10.20.4.0/24   - desktops (netmask 255.255.255.0)
10.20.4.254      - pfsense 2.2.6-RELEASE

suppose a desktop with IP 10.20.4.100 with Windows

DATA CENTER and OFFICE are both connected through a LAN-to-LAN link.

When connecting from the OFFICE into the DATA CENTER, *everything* works except HTTP (port 80).

I have been battling with this for days without any clues as to why this is happening. If I do a tcpdump on the webserver hosted in the datacenter I can see traffic from the host at 10.20.4.100, but when capturing those packets on both pfSense firewalls all of them are 0 in length.

If I try ping, traceroute, and everything else targeting that server, it all works. I can SSH to that host and all. But no HTTP.

If I use any machine at the DATA CENTER, I can successfully connect and browse the server at 10.20.1.6.

Thoughts?

KOM (Hero Member)
Re: WebServers behind two pfSenses do not work
« Reply #1 on: January 05, 2018, 12:22:55 pm »
Quote
Thoughts?

You should try posting your questions in one of the many support forums that you had to scroll past to get to this General Discussion forum.  Try General Questions or NAT.

If you're running the pfSense WebGUI on 80/tcp (which is the default), you can't use its WAN IP address to forward an HTTP server on port 80.  Either use a Virtual IP and forward your web server using that, or change the WebGUI port to something other than 80, or access your web server using HTTPS.

robsonfelix (Newbie)
Re: WebServers behind two pfSenses do not work
« Reply #2 on: January 05, 2018, 02:02:10 pm »
All is being done locally. This is not for external access.

KOM (Hero Member)
Re: WebServers behind two pfSenses do not work
« Reply #3 on: January 05, 2018, 02:27:55 pm »
I probably misread your description.  When you said that HTTP doesn't work, I assumed you meant that you were trying to connect from an OFFICE computer to a DATACENTER web server, and couldn't connect.  Could you elaborate please?

marcvb (Jr. Member)
Re: WebServers behind two pfSenses do not work
« Reply #4 on: January 05, 2018, 03:09:48 pm »
I do not really understand the configuration. Is this NAT?
Is the pfSense management on port 80?

KOM (Hero Member)
Re: WebServers behind two pfSenses do not work
« Reply #5 on: January 05, 2018, 03:24:58 pm »
Yeah I'm not clear on what's the issue either.

robsonfelix (Newbie)
Re: WebServers behind two pfSenses do not work
« Reply #6 on: January 06, 2018, 06:34:34 am »
Quote
I probably misread your description.  When you said that HTTP doesn't work, I assumed you meant that you were trying to connect from an OFFICE computer to a DATACENTER web server, and couldn't connect.  Could you elaborate please?

That is correct. HTTP servers with port 80 at the DATACENTER cannot be accessed from the OFFICE. If I use port 443 on those same servers I can access all of them from the OFFICE.

johnpoz (Hero Member, "Not a pfSense employee, they cannot fire me...")
Re: WebServers behind two pfSenses do not work
« Reply #7 on: January 06, 2018, 08:19:00 am »
When you say "LAN-to-LAN link", you just mean some form of point-to-point L2 connection?

So you have an interface on pfsense that you put some transit IP range on - see attached simple drawing.

So you are not NATting to this transit?  Are you using any transparent proxy on either pfSense on these interfaces?  What are the firewall rules on these interfaces on each pfSense, on the transit network, any sort of floating rules?  What are the static routes you created on each pfSense for the different networks?  I assume your routing is correct since you say all works other than 80.

Maybe an issue with using a proxy, or your NATting?  It always helps to have the full picture of the setup to try and figure out what is not right.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
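The original post reports that 443 reaches the datacenter servers from the office while 80 does not, and johnpoz's questions point at a transparent proxy, NAT or a rule that matches only port 80. A client-side probe can separate those from the office desktop before touching either firewall: a SYN that times out was dropped on the path (a block or floating rule, or a policy route), a RST means something rejected it, and a completed handshake whose HTTP Server header is not the origin's means something in between is answering port 80. The script below is an added example written for this thread, not pfSense code and not anything posted in it. It assumes the web server from the post (10.20.1.6, Apache) only as the real target to run it against; the loopback listeners it starts, their banners and the "squid" stand-in are constructed so the demo runs offline.

```python
"""Client-side probe to tell apart the ways tcp/80 can fail while tcp/443 works.

Added diagnostic example for the thread, not pfSense code. The loopback
servers below and their Server banners are constructed stand-ins; the real
target is assumed from the post (10.20.1.6 running Apache).
"""
import http.server
import socket
import threading


def tcp_probe(host: str, port: int, timeout: float = 3.0, speak_http: bool = False) -> dict:
    """Connect to host:port and classify what happened.

    state: open | refused (RST) | timeout (SYN dropped) | unreachable (ICMP/no route)
           | open-no-response (handshake ok but no HTTP reply).
    With speak_http=True an HTTP/1.0 HEAD is sent and the status line and Server
    header are recorded, so a proxy or a firewall's own GUI can be told from the origin.
    """
    result = {"host": host, "port": port, "state": "", "status": None, "server": None}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            result["state"] = "timeout"        # nothing answered the SYN: dropped on the path
            return result
        except ConnectionRefusedError:
            result["state"] = "refused"        # a RST came back: something answered, nothing listens
            return result
        except OSError as exc:
            result["state"] = "unreachable"    # ICMP unreachable / no route
            result["status"] = exc.strerror
            return result
        result["state"] = "open"
        if not speak_http:
            return result
        try:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            result["state"] = "open-no-response"
            return result
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        result["state"] = "open-no-response"   # a listener that does not speak HTTP
        return result
    result["status"] = lines[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            result["server"] = value.strip()
    return result


def diagnose(p80: dict, p443: dict, expected_server: str) -> str:
    """Read a port-80 probe against a port-443 probe of the same host."""
    if p443["state"] != "open":
        return f"port 443 is {p443['state']} too: not a port-80 problem, check routing first"
    s80 = p80["state"]
    if s80 == "open":
        seen = p80.get("server") or ""
        if expected_server.lower() not in seen.lower():
            return (f"port 80 answered by '{seen or 'unknown'}' instead of {expected_server}: "
                    "interception on the path (transparent proxy, or a port-80 service on an in-path firewall)")
        return "both ports reach the origin; look at the application, not the firewalls"
    if s80 == "timeout":
        return "443 reaches the server but tcp/80 is silently dropped: a block rule, floating rule or policy route matching port 80 on the path"
    if s80 == "refused":
        return "443 reaches the server but tcp/80 gets a RST: a reject rule, or a host on the path answering for port 80 with nothing listening"
    return f"port 80 is {s80}: check the route to the server, not the port"


class _Handler(http.server.BaseHTTPRequestHandler):
    server_banner = "Apache/2.4.29 (constructed)"   # reported in the Server header

    def version_string(self):                       # send_response() uses this for Server:
        return self.server_banner

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):                   # keep the demo quiet
        pass


def start_local_server(server_banner: str):
    """Throwaway HTTP listener on 127.0.0.1 with the given banner; returns (server, port)."""
    handler = type("Handler", (_Handler,), {"server_banner": server_banner})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port() -> int:
    """A loopback port nothing listens on, so a probe against it gets a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed scenario: the "origin" answers as Apache, an in-path "proxy" as squid.
    origin, origin_port = start_local_server("Apache/2.4.29 (constructed)")
    proxy, proxy_port = start_local_server("squid/3.5.27 (constructed)")
    healthy = tcp_probe("127.0.0.1", origin_port, speak_http=True)
    intercepted = tcp_probe("127.0.0.1", proxy_port, speak_http=True)
    dropped = {"state": "timeout", "server": None}
    for label, p80 in (("healthy", healthy), ("intercepted", intercepted), ("dropped", dropped)):
        print(f"{label:12s} -> {diagnose(p80, healthy, 'Apache')}")
    print("closed port  ->", tcp_probe("127.0.0.1", free_closed_port())["state"])
    origin.shutdown()
    proxy.shutdown()
```

Against the real topology this is `diagnose(tcp_probe("10.20.1.6", 80, speak_http=True), tcp_probe("10.20.1.6", 443), "Apache")` run from 10.20.4.100, then the same from a datacenter host for comparison. Two caveats: a proxy may pass the origin's Server header through unchanged, so a matching banner does not fully rule out interception (compare the Date header and response timing as well), and a timeout only says the SYN got no answer, not which of the two firewalls or the link dropped it; that is where johnpoz's request for the rules on the transit interfaces comes in.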