
Author Topic: Accessing any of my Virtual IPs redirects you to the Pfsense 2.0.1 login page?  (Read 2206 times)


Offline miles267

  • Full Member
  • ***
  • Posts: 240
  • Karma: +0/-0
Am trying to troubleshoot an odd issue and was hoping someone might be able to assist.

1.) My ISP has provided a block of (5) static IPs (25.x.x.100, 25.x.x.101, 25.x.x.102, 25.x.x.103, 25.x.x.104)

2.) First, I assigned the first static IP to pfsense WAN interface under Interfaces > WAN as 25.x.x.100/24 (and added my ISP's gateway IP)

3.) My pfsense router has a LAN IP of 192.168.0.1, subnet mask 255.255.255.0 and assigns internal addresses using DHCP
Am running snort without issue.  Squid was installed at one point, but I uninstalled it along with squidguard, lightsquid and havp.

4.) I've created Virtual IPs for each of my static IPs as (Type: IP Alias):
25.x.x.100/24, 25.x.x.101/24 thru 25.x.x.104/24

5.) I then assigned the next available static IP to my home server using Firewall:NAT: 1:1 setup as follows: 25.x.x.101/24 to 192.168.0.100 (server DHCP static lease IP)

6.) Next, I went into Firewall > Rules > WAN and created a new rule to pass HTTPS (port 43) traffic coming into 25.x.x.101 to 192.168.0.100
ACTION: Pass
Interface: WAN
Protocol: TCP
Source: any
Destination: single host or alias - address: 192.168.0.100
Destination port range: HTTPS to HTTPS

Now, if I attempt to connect any client PC on my LAN to the internet address of my server box (192.168.0.100) using the url: https://25.x.x.101, I am immediately redirected to the pfsense web login page as if I had pointed to https://25.x.x.100 though the URL in the address bar itself doesn't change to https://25.x.x.100.

Under System > Advanced > Firewall/NAT, my NAT settings are:

Disable NAT reflection for port forwards: UNCHECKED
Disable NAT reflection for 1:1 NAT: UNCHECKED
Automatically create outbound NAT rules which assist...: UNCHECKED

From another machine out on the internet, I am able to successfully browse to https://25.x.x.101 and be forwarded to my internal server 192.168.0.100.  My goal was to be able to access 192.168.0.100 from behind the pfsense firewall using its static WAN IP of 25.x.x.101.

Any assistance that someone could provide would be sincerely appreciated.  Thank you!

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9995
  • Karma: +3/-0
You need two more steps:

  • Change pfsense gui to any port other than 443
  • Create an outbound NAT rule forcing source NAT to firewall LAN IP when talking to 192.168.0.100
« Last Edit: January 07, 2012, 08:42:08 pm by marcelloc »

Offline miles267

You need two more steps:

  • Change pfsense gui to any port other than 443
  • Create an outbound NAT rule forcing source NAT to firewall LAN IP when talking to 192.168.0.100

Thanks, marcelloc!  OK, as you've recommended, I've changed pfsense admin UI from HTTPS 443 to 563.

RE: #2, would you please explain how to do this? Here are my current Firewall > NAT > Outbound rules.

http://postimage.org/image/jo4o84u5n/

Right now if I ping mypc.server.com from behind pfsense, it correctly returns 25.x.x.101.  But, from behind pfsense, if I enter https://mypc.server.com, it is not directing me to 25.x.x.101 and ultimately LAN IP 192.168.0.100.
« Last Edit: January 07, 2012, 11:05:04 pm by miles267 »

Offline marcelloc

The best way to fix this is having an external DNS for the internet and an internal DNS that returns the server IP instead of the firewall WAN IP.

But if you do not care about server logs, the outbound NAT rule would be this way:

interface lan
source *
source port *
destination server_ip
destination port server_port
nat address *
nat port *
« Last Edit: January 08, 2012, 09:14:40 am by marcelloc »

Offline miles267

Good news.  Was able to resolve this issue by ensuring that:

ADVANCED > FIREWALL/NAT

"Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from." is CHECKED.

Once CHECKED, I was able to access https://mypc.server.com (example address) from behind the firewall and I could access the site as if I too was on the internet.
« Last Edit: January 08, 2012, 02:17:23 pm by miles267 »
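
An added illustration, not part of any post in this thread: a simplified Python model of why reflected traffic to a server on the client's own LAN needs the source NAT rule discussed above, and why that rule hides the real client address in the server's logs. The client address 192.168.0.50 is a constructed sample, and the model ignores ports and pf's actual rule processing.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.0.0/24")
FW_LAN, SERVER = "192.168.0.1", "192.168.0.100"  # addresses from the thread
VIP = "25.x.x.101"                                # redacted WAN alias, as posted
CLIENT = "192.168.0.50"                           # constructed LAN client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def on_lan(ip):
    try:
        return ipaddress.ip_address(ip) in LAN
    except ValueError:  # redacted public address such as 25.x.x.101
        return False

def firewall_forward(pkt, source_nat, states):
    """Reflect a LAN packet aimed at the VIP to the server and record state."""
    out = replace(pkt, dst=SERVER)          # 1:1 NAT reflection: rewrite destination
    if source_nat:
        out = replace(out, src=FW_LAN)      # outbound NAT rule on the LAN interface
    states[(out.dst, out.src)] = pkt        # key a reply would match -> original packet
    return out

def trace(client, source_nat):
    """Return (address the client sees the reply from, address in the server log)."""
    states = {}
    syn = Packet(client, VIP)
    at_server = firewall_forward(syn, source_nat, states)
    reply = Packet(SERVER, at_server.src)
    if reply.dst != FW_LAN and on_lan(reply.dst):
        # The reply destination is on-link, so the server answers the client
        # directly; the firewall never sees it and cannot restore the VIP.
        return reply.src, at_server.src
    orig = states[(reply.src, reply.dst)]   # reply crosses the firewall: undo both rewrites
    return orig.dst, at_server.src

def handshake_completes(client, source_nat):
    seen_from, _ = trace(client, source_nat)
    return seen_from == VIP                 # client expects the SYN-ACK from the VIP

if __name__ == "__main__":
    for snat in (False, True):
        print("source NAT:", snat, trace(CLIENT, snat), handshake_completes(CLIENT, snat))
```

Without source NAT the client receives the reply from 192.168.0.100 rather than the address it connected to, so the connection never establishes; with it the path is symmetric, but the server logs 192.168.0.1 for every LAN client.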