Firewall – How to forward port 80 and 443 on pfSense to a (internal) nginx webserver

firewall, gateway, pfsense, port-forwarding

Yesterday we did a "big bang" firewall switch in our company. Our new firewall is a pfSense server.
Let's say our external IP is 84.1.1.1, pfSense is 192.168.1.1 and our web server IP is 192.168.1.2.

After we made the "big switch", the pfSense interface was responding on https://84.1.1.1. This is not intended, as we want to use https://84.1.1.1 (port 443) for our web server. For this reason I changed the pfSense port from 443 to 444, which "solved" this issue as port 443 is "free" for other services now.

We won't allow access to the pfSense interface from our external IP at all, but that is another problem which is off topic.

Now I want to forward port 443, 80 (and in future some more) to servers in our network. For this I first want to explain how I configured the WAN connection, as I noticed something.

I tried to ping (with the pfSense ping diagnostic tool) from WAN1 (our WAN) to the web server. This did not work, which means that my port forwarding also can't work at all. I think that pfSense tries to resolve this ping request via its gateway, so I tried to set the gateway of WAN1 to none, and from this moment on I can ping the web server from WAN1 (via the pfSense ping diagnostic tool).

Question: Do I need to set a gateway on our WAN1? I suppose yes? And if yes, do I need to make some exclusions for the internal network somewhere? Just as extra info, maybe it's required: we have a static IP which directly hangs on pfSense…

pfSense configuration

WAN INTERFACE
    <wan>
        <if>igb0</if>
        <descr><![CDATA[WAN1]]></descr>
        <alias-address></alias-address>
        <alias-subnet>32</alias-subnet>
        <spoofmac></spoofmac>
        <enable></enable>
        <ipaddr>84.1.1.1</ipaddr>
        <subnet>30</subnet>
        <gateway>WAN1GW</gateway>
    </wan>

GATEWAY
    <gateways>
        <defaultgw4>WAN1GW</defaultgw4>
        <defaultgw6></defaultgw6>
        <gateway_item>
            <interface>wan</interface>
            <gateway>84.1.1.2</gateway>
            <name>WAN1GW</name>
            <weight>1</weight>
            <ipprotocol>inet</ipprotocol>
            <descr><![CDATA[WAN1 gateway]]></descr>
        </gateway_item>
    </gateways>

OUTBOUND NAT RULES
    <nat>
        <outbound>
            <mode>advanced</mode>
            <rule>
                <source>
                    <network>10.128.10.0/24</network>
                </source>
                <sourceport></sourceport>
                <descr><![CDATA[Auto created rule for ISAKMP - AXN_INTRA to WAN1]]></descr>
                <target></target>
                <targetip></targetip>
                <targetip_subnet></targetip_subnet>
                <interface>wan</interface>
                <poolopts></poolopts>
                <source_hash_key></source_hash_key>
                <staticnatport></staticnatport>
                <disabled></disabled>
                <destination>
                    <any></any>
                </destination>
                <dstport>500</dstport>
                <created>
                    <time>1589543460</time>
                    <username><![CDATA[Manual Outbound NAT Switch]]></username>
                </created>
                <updated>
                    <time>1591883208</time>
                    <username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
                </updated>
            </rule>
            <rule>
                <interface>wan</interface>
                <source>
                    <network>10.128.11.0/24</network>
                </source>
                <dstport>500</dstport>
                <target></target>
                <destination>
                    <any></any>
                </destination>
                <staticnatport></staticnatport>
                <descr><![CDATA[Auto created rule for ISAKMP - AXN_SRV to WAN1]]></descr>
                <created>
                    <time>1589888715</time>
                    <username><![CDATA[Manual Outbound NAT Switch]]></username>
                </created>
                <disabled></disabled>
            </rule>
            <rule>
                <source>
                    <network>10.128.20.0/24</network>
                </source>
                <sourceport></sourceport>
                <descr></descr>
                <target></target>
                <targetip></targetip>
                <targetip_subnet></targetip_subnet>
                <interface>wan</interface>
                <poolopts></poolopts>
                <source_hash_key></source_hash_key>
                <destination>
                    <any></any>
                </destination>
                <updated>
                    <time>1590582795</time>
                    <username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
                </updated>
                <created>
                    <time>1590582795</time>
                    <username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
                </created>
            </rule>
            <rule>
                <source>
                    <network>10.128.10.0/24</network>
                </source>
                <sourceport></sourceport>
                <descr></descr>
                <target></target>
                <targetip></targetip>
                <targetip_subnet></targetip_subnet>
                <interface>wan</interface>
                <poolopts></poolopts>
                <source_hash_key></source_hash_key>
                <destination>
                    <any></any>
                </destination>
                <updated>
                    <time>1591883222</time>
                    <username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
                </updated>
                <created>
                    <time>1591883222</time>
                    <username><![CDATA[admin@10.128.10.29 (Local Database)]]></username>
                </created>
            </rule>
            <rule>
                <source>
                    <network>10.128.12.0/24</network>
                </source>
                <sourceport></sourceport>
                <descr><![CDATA[Default NAT rule for axn_cloud]]></descr>
                <target></target>
                <targetip></targetip>
                <targetip_subnet></targetip_subnet>
                <interface>wan</interface>
                <poolopts></poolopts>
                <source_hash_key></source_hash_key>
                <destination>
                    <any></any>
                </destination>
                <created>
                    <time>1589896652</time>
                    <username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
                </created>
                <updated>
                    <time>1590140198</time>
                    <username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
                </updated>
            </rule>
            <rule>
                <source>
                    <network>10.128.11.0/24</network>
                </source>
                <sourceport></sourceport>
                <descr><![CDATA[Default NAT rule for axn_srv]]></descr>
                <target></target>
                <targetip></targetip>
                <targetip_subnet></targetip_subnet>
                <interface>wan</interface>
                <poolopts></poolopts>
                <source_hash_key></source_hash_key>
                <destination>
                    <any></any>
                </destination>
                <created>
                    <time>1589888715</time>
                    <username><![CDATA[Manual Outbound NAT Switch]]></username>
                </created>
                <updated>
                    <time>1590140250</time>
                    <username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
                </updated>
            </rule>
        </outbound>
    </nat>

About the forwarding itself, I configured it like this:

[screenshot: the port forward rule]
As I set Filter rule association to "Add associated filter rule" during the creation of the port forward, pfSense automatically created the corresponding/required firewall rule on the WAN1 port.

[screenshot: the automatically created WAN1 firewall rule]

Question: Do I need some additional configuration to forward ports 443 and 80, besides the configuration I already did (the port forward and creating the required firewall rules)?
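
The two things the question hinges on (the port forward must not collide with the port the webConfigurator listens on, and every port forward needs its associated WAN filter rule) can be checked mechanically against a config.xml export. The following audit script is an added example, not code from the question or from pfSense; the sample config it parses is constructed, and the element names (`system/webgui/port`, `nat/rule`, `filter/rule`, `associated-rule-id`) follow the config.xml layout the export above uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not the poster's config): webGUI moved to 444,
# a 443 forward with its associated filter rule, an 80 forward without one.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><port>444</port></webgui></system>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.2</target><local-port>443</local-port>
      <associated-rule-id>nat_example443</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.1.2</target><local-port>80</local-port>
      <associated-rule-id></associated-rule-id></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>192.168.1.2</address><port>443</port></destination>
      <associated-rule-id>nat_example443</associated-rule-id></rule>
  </filter>
</pfsense>"""

def text(elem, path):
    """Text of the first child at path, '' if missing or empty."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""

def audit(config_xml):
    """Return a list of findings for WAN port forwards in a config.xml string."""
    root = ET.fromstring(config_xml)
    # An empty <port> means the webConfigurator uses the protocol default.
    gui_port = text(root, "system/webgui/port")
    if not gui_port:
        gui_port = "443" if text(root, "system/webgui/protocol") != "http" else "80"
    # Filter rules pfSense generated for a port forward carry its id.
    linked_ids = {text(r, "associated-rule-id") for r in root.findall("filter/rule")}
    findings = []
    for pf in root.findall("nat/rule"):  # port forwards live directly under <nat>
        port, target = text(pf, "destination/port"), text(pf, "target")
        if text(pf, "interface") == "wan" and port == gui_port:
            findings.append(f"port {port} -> {target} collides with the webGUI on {gui_port}")
        link = text(pf, "associated-rule-id")
        if not link or link not in linked_ids:
            findings.append(f"port {port} -> {target} has no associated WAN filter rule")
    return findings
```

Run audit() on the text of a config.xml backup taken from Diagnostics > Backup & Restore; an empty result means every WAN forward has its filter rule and none of them shares a port with the GUI.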

Best Answer

I run the same thing: nginx on a different server that hands out certificates to your services. First you need ICMP echo reply configured because, for the DNS provider to see you, you need that service; I use cloudns and they are good. Second, on pfSense you need NAT configured to work, and then 1:1 as well, configured to allow ports 80 and 443 to be open on your pfSense router. I will stop here; for more info I can give you pictures from my setup if it's easier this way. There are more steps to go through in the configuration.
