pfSense stopped forwarding 443 out of the blue

Hi all,

So today I had an interesting event. I have 2 pfSense boxes, 2 connections, both running 2.5.2.

One of my users called me this morning reporting that their HTTPS site on the standard port wasn’t working (it happened to be a Windows server). After significant testing assuming the box (it is Microsoft after all lol) was the problem, and eventually moving their site to another port, 8081 (which they also had already open and pointing to a new server that they were testing), they were back in service with the old server on the new port. This worked for them for now because of how they do the redirects for their users.

However, the port 443 problem still exists. So I took a look at my other firewall, and to my surprise it too has the same issue. Port 80 is fine, but port 443 wasn’t working. If I tried to connect remotely, I got a weird “no route to host” error from openssl, but it is obviously working because regular HTTP works. This time this was going to my personal Linux box, so it was definitely not an OS issue.

These were both working and have been working for months and months.

So I tried to shake it loose (I’m still not sure if it’s a firewall rule issue or a NAT issue, or something else, except that both of them are 1-to-1 NATs so in theory it should be an all or nothing thing). I’ve tried changing firewall rules, adding and removing logging on the HTTPS rule, a filter reload, a WAN interface reset. Nothing seems to help… The only thing that did help was a complete reboot of the firewall.

I should note that only port 443 seems to be affected. Across both connections there are other ports (HTTP, VPN, mail, DNS etc etc) that were not impacted. Even the HTTPS running on the alternate port 8081 was fine; it seemed to only be 443. Oh, and the firewalls have had their HTTPS ports moved to port 5000 (although the management was not on that particular WAN IP anyway, so it shouldn’t have mattered).

I’m curious if anyone has seen this before, and if anyone has any other tricks that I might try the next time this happens (I’m assuming it’s going to happen again since I haven’t actually fixed anything). Anything else I could reset/reload without kicking the entire box?

Thanks !

This is a massive long shot that probably won’t be the problem, considering all of the mail ports and the HTTP port are fine, but some ISPs allow you to block ports with them (at least Aussie Broadband in Australia does) and there’s a chance ISPs do what they do and break things.
Probably isn’t the problem, but there is a very slight chance it could be it.

I have only seen this issue when the web management interface or some other service is also using that port.

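The two checks that cover the question in the original post (what to look at before rebooting the whole box) and the clash Tom’s reply describes (some other service bound to the same port), as an added example that is not part of this thread. It assumes FreeBSD/pfSense `sockstat -4l` and `pfctl -sn` output in their usual column layout; the sample output, the PIDs and addresses, and the daemon name svc_x are constructed, not captured from anyone’s firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Before rebooting a pfSense box that has
# stopped passing one port, look at (1) what on the firewall itself is bound to
# that port and (2) whether pf still has a NAT rule loaded for it.
# Constructed sample output; layout follows FreeBSD `sockstat -4l` and
# `pfctl -sn`, the PIDs and addresses are made up.
SAMPLE_SOCKSTAT_CLEAN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      2210  6  tcp4   *:5000                *:*
root     sshd       1870  4  tcp4   *:22                  *:*
unbound  unbound    1502  5  udp4   192.168.1.1:53        *:*'

# Same box, but a placeholder daemon (svc_x, a made-up name) has grabbed 443.
SAMPLE_SOCKSTAT_CLASH="$SAMPLE_SOCKSTAT_CLEAN
root     svc_x      2455  5  tcp4   *:443                 *:*"

# pfctl prints well-known ports by service name (443 shows as "https").
SAMPLE_NAT='binat on em0 inet from 10.0.0.5 to any -> 203.0.113.10
rdr on em0 inet proto tcp from any to 203.0.113.10 port = https -> 10.0.0.5 port 443
rdr on em0 inet proto tcp from any to 203.0.113.10 port = 8081 -> 10.0.0.6 port 8081'

# Print COMMAND:PID for every socket bound to port $1 (on any address),
# reading sockstat output on stdin. Exit status 1 if nothing is bound.
listeners_on_port() {
    awk -v p="$1" '
        $5 ~ /^(tcp|udp)/ {                 # skips the header row
            n = split($6, a, ":")           # LOCAL ADDRESS is host:port
            if (a[n] == p) { print $2 ":" $3; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Print the rdr/binat/nat rules from `pfctl -sn` output on stdin that name
# port $1, either numerically or by the service name given as $2.
nat_rules_for_port() {
    awk -v p="$1" -v n="${2:-}" '
        /^(rdr|binat|nat) / {
            for (i = 1; i <= NF; i++)
                if ($i == "port" &&
                    ($(i+1) == p ||
                     ($(i+1) == "=" && ($(i+2) == p || (n != "" && $(i+2) == n)))))
                    { print; next }
        }'
}

# Combine both checks for port $1 (service name $2) using sockstat output $3
# and pfctl -sn output $4. Exit status:
#   0  nothing local is bound to the port and a NAT rule for it is loaded
#   1  a local daemon is bound to the port (the clash to investigate)
#   2  no NAT rule for the port is loaded (the ruleset did not reload cleanly)
diagnose_port() {
    dp="$1"; dn="$2"; sock_out="$3"; nat_out="$4"
    if bound=$(printf '%s\n' "$sock_out" | listeners_on_port "$dp"); then
        echo "local listener on port $dp: $bound"
        return 1
    fi
    rules=$(printf '%s\n' "$nat_out" | nat_rules_for_port "$dp" "$dn")
    if [ -z "$rules" ]; then
        echo "no NAT rule for port $dp is loaded"
        return 2
    fi
    echo "no local listener on port $dp; NAT rules loaded:"
    echo "$rules"
    return 0
}

# On the firewall itself: sh check_port.sh --live 443 https
if [ "${1:-}" = "--live" ]; then
    diagnose_port "${2:-443}" "${3:-https}" "$(sockstat -4l)" "$(pfctl -sn)"
fi
```

If the script reports a listener, that daemon is the first suspect; if it reports the rule missing, a filter reload is the fix rather than a reboot. If both come back clean, the remaining thing worth trying before a reboot is the state table: `pfctl -k 0.0.0.0/0 -k <wan-ip>` drops only the states to that forwarded address, and `pfctl -F states` drops them all.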

Thanks for the reply, I had thought of that. The only reason I discounted it was that it was happening on two different connections, and rebooting the pfSense boxes in both cases fixed the issue. But yes, before I did the reboot that was definitely running around in my head as a distinct possibility.

Thanks Tom, good point. Since I moved the management port (even though it’s on a different IP) I’m discounting it, but I’ll have to pick through the rest of the modules to see if I can find something that might be using 443. Of course both devices have basically all the same modules installed, so I can’t rule some out as not being common across them.