pfSense NAT: only "any" ports are working

Hi there,

First, thanks for your YT videos, they are great, and that's what guided me here, because I have something I don't get with my port forward configuration.
I'm currently trying to create a rule for my incoming traffic to be redirected to my haproxy, but nothing works as soon as I specify the destination port.
Here is my config:
interface: wan
protocol: tcp
source: alias with cloudflare IPs
source port: any to any
destination: wan
destination port: https to https
redirect: haproxy IP
redirect port: https

NAT reflection: system default (Pure NAT)
filter rule created.

With this config it's not working; I do not reach the haproxy.
As soon as I change the config to
destination port: any to any
redirect port: any

It works like a charm.
I just don't get why nothing works as soon as I specify a port.
I tried https, http, ssh. I also tried to redirect to a traefik even though the haproxy works, etc.

But here is my problem: I just want to open incoming traffic to 443 for now.
This prevents me, in the near future, from opening additional services, e.g. FTP on 21 pointing to something else, etc.

And I'm also not really convinced it's a good thing to have all ports opened like that. At least for now I created an inverted rule to block everything not coming from Cloudflare to mitigate the config.

Running on:
2.7.2-RELEASE (amd64)

Does anyone have a clue?
Thanks a lot.

I don't completely understand, are you trying to set this up with Cloudflare tunnels?

No tunnels, I just have the domain names on Cloudflare with all the DNS, WAF, proxy stuff they offer.

So I know the IPs of my incoming traffic according to IP Ranges, and that's why I used an alias for the source restriction.

Maybe when you are going to your site it is using http. Have you tried to create an alias with both http and https? Otherwise you might want to set up a packet capture to see the full story on what is going on.
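One way to follow that packet-capture advice, as an added example that is not part of the thread: a small POSIX shell helper that tallies the destination ports in a `tcpdump -n` capture taken on the WAN, so you can see which port the upstream proxy actually connects to before deciding which port to forward. The interface name (vtnet0), the WAN address (203.0.113.10), the source addresses and the capture lines are all constructed for this example.

```sh
# Added example (not from the thread): summarise the destination ports seen in
# a tcpdump capture on the WAN. Interface name (vtnet0), WAN address
# (203.0.113.10), source addresses and sample lines are constructed.

# Read `tcpdump -n` TCP lines on stdin, print "port count" lines, most common
# first. A line looks like:
#   12:00:00.000001 IP 173.245.48.10.51234 > 203.0.113.10.80: Flags [S], ...
# so field 4 is ">" and field 5 is "dst.ip.port:"; the port is the last
# dot-separated component once the trailing colon is removed.
dst_port_histogram() {
    awk '$4 == ">" { sub(/:$/, "", $5); n = split($5, a, "."); print a[n] }' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Number of packets seen for one destination port (prints nothing if none).
dst_port_count() {
    dst_port_histogram | awk -v p="$1" '$1 == p { print $2 }'
}

# The most frequently hit destination port.
top_dst_port() {
    dst_port_histogram | head -n 1 | awk '{ print $1 }'
}

# Constructed capture: what an origin behind Cloudflare "Flexible" SSL sees.
# The proxy terminates HTTPS and connects to the origin on plain HTTP (80),
# so a port forward that matches only 443 never sees those connections.
sample_capture() {
    printf '%s\n' \
        '12:00:00.000001 IP 173.245.48.10.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0' \
        '12:00:00.000002 IP 173.245.48.10.51234 > 203.0.113.10.80: Flags [.], ack 1, win 64240, length 0' \
        '12:00:00.000003 IP 173.245.48.11.40122 > 203.0.113.10.80: Flags [S], seq 7, win 64240, length 0' \
        '12:00:00.000004 IP 198.51.100.7.55000 > 203.0.113.10.443: Flags [S], seq 9, win 64240, length 0'
}

# Live use from the firewall shell (interface and address are assumptions):
#   tcpdump -c 200 -lni vtnet0 'tcp and dst host 203.0.113.10' | dst_port_histogram
if [ "${1:-}" = "demo" ]; then
    sample_capture | dst_port_histogram
fi
```

On the sample capture the histogram shows port 80 on top and 443 with a single hit. That matches what the thread later finds: with destination port "any" and redirect port "any", pfSense keeps the original destination port, so the proxy's HTTP connections on 80 reached HAProxy's port 80 and everything appeared to work, while a 443-only rule had nothing to match. The same capture can be taken from the pfSense GUI under Diagnostics > Packet Capture, filtered on the WAN interface and the TCP protocol.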

Thanks Maximus,

You put me on the right path. I managed to get it working.
It was coming from my settings in Cloudflare.
I double-checked the SSL settings on the domain and I saw that it was still in flexible mode, meaning:
"Enable encryption only between your visitors and Cloudflare. This avoids browser security warnings, but all connections between Cloudflare and your origin are made through HTTP."

Switching to full mode on Cloudflare solved my issue; it's working now when I set the port to HTTPS in my port forward rule.
Absolutely not a problem from pfsense but a chair-to-keyboard interface problem.

Thanks a lot for the help!
