Author Topic: Issue with port forwarding https/webmail  (Read 6968 times)

kkm
« on: August 29, 2011, 09:59:15 am »
Hi!

I'm new to this forum, so I hope this is the right place for the post.

We have a firewall running pfSense 2.0 RC2. We have an email server running Mac Lion 10.7 that has webmail set up on it using a self-signed SSL certificate. Internally, webmail connections work using https on port 443. No other ports are needed internally for webmail to work. Externally (outside of the firewall), web browsers will not connect to the webmail unless port 143 (unencrypted IMAP) is also port forwarded to the webmail server. It seems like the firewall is un-encrypting the SSL as it passes through.

Here is the rule that we have for webmail:

Dest. Addr    Dest. ports    Nat IP    Nat Ports
*             25000          server    443

We are using port 25000 as the destination port since we have other https connections on the standard ports already going to other servers.  Also, we are connecting directly to the firewall external interface with https://firewall-ip-address:25000/webmail to access the server. 

Is there another setting that we should be using to allow port forwarding for SSL connections?  I will be happy to supply anything else needed for troubleshooting.  Thanks!

TooMeeK
« Reply #1 on: August 30, 2011, 02:06:06 pm »
I don't understand what you mean.
I have SSL NATed already - Webmin, HTTPS, SSH, all work fine.
Just add an entry in DNS Forwarder?
Then the host will be reachable on the LAN as it is over the WAN DNS entry, but using the internal IP.
« Last Edit: August 30, 2011, 02:08:34 pm by TooMeeK »

cmb (Chris Buechler)
« Reply #2 on: August 30, 2011, 08:36:18 pm »
The firewall can't unencrypt traffic. Nothing in a web browser will require IMAP being open, though I'm not familiar with how that particular webmail functions. What you're doing there is generally fine.
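
One way to check the point in the reply above, as an added example that is not part of the original thread: fetch the certificate the webmail server presents on the LAN (server:443), then fetch it again from outside through the port forward (port 25000), and compare SHA-256 fingerprints. The script and its function names are hypothetical; a matching fingerprint means the same TLS endpoint answers on both paths and nothing in between is terminating the session.

```python
import hashlib
import socket
import ssl
import sys


def parse_endpoint(text):
    """Split 'host:port' (e.g. 'server:443') into (host, int(port))."""
    host, _, port = text.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {text!r}")
    return host, int(port)


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert_der(host, port, timeout=5.0):
    """Return the leaf certificate the endpoint presents, as DER bytes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    # The webmail certificate is self-signed, so chain validation is skipped;
    # the fingerprint comparison below is the identity check instead.
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(seen_der, expected_fp):
    """True if the certificate seen matches the fingerprint recorded on the LAN."""
    cleaned = expected_fp.replace(":", "").strip().lower()
    return fingerprint(seen_der) == cleaned


if __name__ == "__main__":
    # Usage: script.py host:port [expected-fingerprint]
    host, port = parse_endpoint(sys.argv[1])
    der = fetch_cert_der(host, port)
    print("sha256:", fingerprint(der))
    if len(sys.argv) > 2:
        ok = same_certificate(der, sys.argv[2])
        print("same certificate as LAN side" if ok else "DIFFERENT certificate")
        sys.exit(0 if ok else 1)
```

Run it once on the LAN against the server to record the fingerprint, then from an outside host against the firewall's external address and forwarded port with that fingerprint as the second argument.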

kkm
« Reply #3 on: August 31, 2011, 08:14:22 am »
Hi!  Thanks for the replies.  We actually have DNS set up internally and have external DNS servers configured as well.

That is good to know that the firewall won't be un-encrypting SSL traffic.

Thanks!
« Last Edit: August 31, 2011, 08:20:30 am by kkm »