OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: francisaugusto on November 20, 2023, 10:27:56 AM

Title: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 10:27:56 AM
Hi,

I have a setup where I have port forwarding set up for port 443 to my reverse proxy on one of my VLANs.

The thing is that when my host sends a request to port 443 of my WAN address, half of the time I get the request, half of the time I get connection refused.

It goes like this:

✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account #works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account # works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account #works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account # works

Basically, every other request goes through.

When the connection is refused, I see a blue log line in the firewall log where the label says "rdr rule".

What can I do to fix this?
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: Patrick M. Hausen on November 20, 2023, 11:06:54 AM
Does auth.mydomain.com resolve to two different IP addresses?
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 11:12:23 AM
nope!

host auth.mydomain.com
auth.med-lo.eu has address XX.XX.XX.XX <--- my wan address
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 11:24:33 AM
I just realized now that this applies to all traffic to port 443 originating from the same VLAN.

In short: when sending a request to port 443 of my WAN address from any host in the VLAN that the port forwarding rule for port 443 sends traffic to, this happens. Half of the requests go through, half don't.

Is this a bug? Is there a way where I can override this behavior?
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: cookiemonster on November 20, 2023, 11:27:18 AM
Maybe it's hitting the OPNsense UI intermittently. Did you disable the UI redirect on port 443?
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 11:30:46 AM
yes, it is disabled, and I use another port for the UI.
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: cookiemonster on November 20, 2023, 11:57:38 AM
So you are testing from an inside VLAN, not from the outside. I didn't get that from the first post.
I would try changing the reflection setting in the NAT: Port Forward rule. I'm not 100% on that setting, but I had trouble with a rule and had to change reflection from default to disabled. It fixed my problem, but I can't explain it.
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 12:32:46 PM
It doesn't help - if I disable it, I get no traffic at all from my VLAN that is sent to WAN on port 443.
Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 01:04:22 PM
Things I tried so far:

- access from another host on the same VLAN: same problem
- use another server instead of nginx, on another port: same problem
- disable NAT reflection on the 443 port forward: no traffic from my VLAN goes through, only external traffic.

Title: Re: Half of requests block from internal host to itself - rdr rule
Post by: francisaugusto on November 20, 2023, 01:33:25 PM
This is not a solution, but overriding the hostname internally via DNS seems to solve the issue. But I'd rather not do it since I'd have to do it for every domain name.
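The two checks the thread walks through by hand (Patrick's question whether the name resolves to more than one address, and the OP's repeated curl runs showing an every-other-request pattern) can be scripted so the result is a tally rather than eyeballing prompts. The script below is an added example, not code from the thread or from OPNsense; it assumes `host` (bind-tools) and `curl` are installed on the test host inside the VLAN, and the hostname and URL are whatever you pass as arguments.

```shell
#!/bin/sh
# Diagnostic for "every other request to my WAN address is refused from inside the VLAN".
# Added example, not from the forum thread. Assumes `host` and `curl` are installed.
# Usage: sh nat-reflect-check.sh auth.example.com https://auth.example.com/ [rounds]

# resolve_addrs NAME [ROUNDS]: query NAME several times and print the unique set of
# A/AAAA addresses. More than one line here means round-robin or multiple records,
# which would explain an alternating pattern before blaming the firewall.
resolve_addrs() {
    name=$1; rounds=${2:-5}
    i=0
    while [ "$i" -lt "$rounds" ]; do
        host "$name" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
        i=$((i + 1))
    done | sort -u
}

# probe_once URL: one connection attempt. Prints "ok http=<code>", "refused", or
# "other: <curl error>". The connect timeout matters: a dropped packet shows up as
# "other" (timeout), whereas "refused" means an RST actually came back.
probe_once() {
    url=$1
    if out=$(curl -sS -o /dev/null --connect-timeout 5 -w '%{http_code}' "$url" 2>&1); then
        echo "ok http=$out"
    else
        case "$out" in
            *"Connection refused"*) echo "refused" ;;
            *) echo "other: $out" ;;
        esac
    fi
}

# classify: reads one probe result per line on stdin and prints counts plus whether
# the ok/fail sequence strictly alternates (the symptom described in the thread).
classify() {
    awk '
        BEGIN { alternating = 1 }
        {
            n++
            state = ($1 == "ok") ? "ok" : "fail"
            if (state == "ok") ok++; else fail++
            if (n > 1 && state == prev) alternating = 0
            prev = state
        }
        END {
            printf "attempts=%d ok=%d fail=%d pattern=%s\n", n, ok, fail,
                   (n > 1 && alternating) ? "alternating" : "irregular"
        }'
}

# diagnose NAME URL [ROUNDS]: run both checks and print the raw results and the summary.
diagnose() {
    name=$1; url=$2; rounds=${3:-10}
    echo "addresses for $name:"
    resolve_addrs "$name" | sed 's/^/  /'
    i=0
    results=""
    while [ "$i" -lt "$rounds" ]; do
        results="$results$(probe_once "$url")
"
        i=$((i + 1))
    done
    printf '%s' "$results"
    printf '%s' "$results" | classify
}

# Only run when invoked with arguments, so the functions can be sourced separately.
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

Run it from a host in the same VLAN as the proxy and again from a host on another VLAN; if the address list has one entry and only the same-VLAN run reports `pattern=alternating`, DNS is cleared and the behaviour is confined to reflected traffic, which is the situation the thread ends on. Keep the "refused" versus "other" split in mind when reading the firewall log: a refused connection means something answered with a reset, not that the packet was silently dropped.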