Port Forward issue (port 443) is getting me crazy

Started by alexdelprete, September 04, 2023, 04:56:15 PM

September 04, 2023, 04:56:15 PM Last Edit: September 04, 2023, 05:31:05 PM by alexdelprete
I'm using a Port Forward rule for ports 80/443 that redirects traffic to my homelab's internal Traefik instance.

This has worked perfectly for the last 2 years. All of a sudden, 2 days ago I was receiving alerts from my cloud uptime-kuma instance that port TCP/443 was not reachable from the internet anymore.

I started debugging, and with the live log viewer I can see traffic coming in on port 80, but when I test port 443 from the internet, I see no log entries of traffic coming in.

I thought it could be the SFP or something "before" OPNsense that is blocking the traffic (it's a PPPoE FTTH connection), but after rebooting the ONT/SFP I still see no traffic coming in port TCP/443 on OPNsense.

Since I was getting crazy, I even rebooted the core LAN switch, to no effect.

I hope someone can point me to a way to debug this. I'm not sure it's OPNsense, because if it were I should at least see traffic in the logs. I can't understand why I see it on all ports except for 443.

I have many port forwarding rules for various services and they're working fine, and I can see traffic in the live log for those, but nothing for port TCP/443. One thing to note: port UDP/443 works, I can see traffic coming in there.

Thanks for any help on this...it's driving me crazy.

What happens when you run a packet capture on WAN?  Do you see anything coming in on 443/tcp?

Another thing to check is verify that it's actually a firewall issue and not an SSL problem.  Do a client side packet capture when trying to hit 443/tcp and see if you get any response back.
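The two checks CJ suggests, as an added Python example that is not code from the thread or from OPNsense: it parses tcpdump-style text lines (the sample captures below are constructed, with documentation-range addresses; the WAN address 198.51.100.7 and client 203.0.113.5 are assumptions) and answers, first, whether any TCP SYN for a forwarded port reached the WAN interface at all, and second, what the client side saw in return (SYN-ACK, RST, or nothing). A forwarded port with zero SYNs on WAN plus a client that only sees its own SYN retransmits points upstream of the firewall, which is what the ISP filter in this thread would look like.

```python
"""Triage helpers for 'port forward stopped working'.

Parses tcpdump text output and answers two questions:
  1. Did any TCP SYN for the forwarded port reach the WAN interface at all?
  2. From the client side, did the SYN get any reply (SYN-ACK or RST),
     or was it silently dropped somewhere on the path?
"""
import re
from collections import Counter

# tcpdump line shapes handled here, e.g.
# 15:02:01.000001 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
# 15:02:03.000000 IP 203.0.113.5.40000 > 198.51.100.7.443: UDP, length 1200
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)
UDP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)

# Constructed sample: what the firewall's WAN interface saw. TCP/80 SYNs and
# UDP/443 arrive, TCP/443 never does (the situation described in the thread).
WAN_CAPTURE = """\
15:02:01.000001 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
15:02:01.000200 IP 198.51.100.7.80 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
15:02:01.000300 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [.], ack 10, win 502, length 0
15:02:02.000000 IP 203.0.113.9.44000 > 198.51.100.7.80: Flags [S], seq 5, win 64240, length 0
15:02:03.000000 IP 203.0.113.5.40000 > 198.51.100.7.443: UDP, length 1200
"""

# Constructed sample: the same test seen from the client. Three SYNs to 443
# with no answer (retransmits), while 80 completes the handshake.
CLIENT_CAPTURE = """\
15:05:00.000000 IP 203.0.113.5.51300 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
15:05:01.000000 IP 203.0.113.5.51300 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
15:05:03.000000 IP 203.0.113.5.51300 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
15:05:03.500000 IP 203.0.113.5.51301 > 198.51.100.7.80: Flags [S], seq 200, win 64240, length 0
15:05:03.500300 IP 198.51.100.7.80 > 203.0.113.5.51301: Flags [S.], seq 300, ack 201, win 65535, length 0
"""


def _is_syn(flags):
    """Pure SYN: 'S' present, no ACK ('.') so SYN-ACKs are excluded."""
    return "S" in flags and "." not in flags


def summarize_inbound(capture, wan_ip, expected_tcp_ports):
    """Count inbound TCP SYNs and UDP datagrams per destination port on the
    WAN address, and list the expected forwarded TCP ports that saw no SYN."""
    tcp_syn, udp = Counter(), Counter()
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m and m["dst"] == wan_ip and _is_syn(m["flags"]):
            tcp_syn[int(m["dport"])] += 1
            continue
        m = UDP_RE.match(line)
        if m and m["dst"] == wan_ip:
            udp[int(m["dport"])] += 1
    missing = sorted(p for p in expected_tcp_ports if tcp_syn[p] == 0)
    return {"tcp_syn_by_port": tcp_syn, "udp_by_port": udp, "missing_tcp": missing}


def client_handshake_status(capture, client_ip, server_ip, port):
    """Classify one connection attempt as seen on the client:
    'completed'     SYN sent, SYN-ACK received (path and listener OK)
    'refused'       SYN sent, RST received (reached a host, nothing listening)
    'no_response'   only SYN retransmits, nothing back: silent drop on the path
    'not_attempted' no SYN toward that port in the capture"""
    syn_out = synack_in = rst_in = 0
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        if m["src"] == client_ip and m["dst"] == server_ip and int(m["dport"]) == port:
            syn_out += _is_syn(m["flags"])
        elif m["src"] == server_ip and int(m["sport"]) == port and m["dst"] == client_ip:
            if "S" in m["flags"] and "." in m["flags"]:
                synack_in += 1
            elif "R" in m["flags"]:
                rst_in += 1
    if syn_out == 0:
        return "not_attempted"
    if synack_in:
        return "completed"
    if rst_in:
        return "refused"
    return "no_response"


if __name__ == "__main__":
    wan = summarize_inbound(WAN_CAPTURE, "198.51.100.7", [80, 443])
    print("WAN TCP SYNs per port:", dict(wan["tcp_syn_by_port"]))
    print("WAN UDP per port:     ", dict(wan["udp_by_port"]))
    print("forwarded TCP ports with no SYN on WAN:", wan["missing_tcp"])
    for p in (80, 443):
        print(f"client view of tcp/{p}:",
              client_handshake_status(CLIENT_CAPTURE, "203.0.113.5", "198.51.100.7", p))
```

On a real box you would feed it the text of a WAN capture (tcpdump with -n, so ports print as numbers) and a capture taken on the testing client; the combination "missing on WAN" plus "no_response" at the client is the signature of a drop before the firewall, whereas "refused" or a SYN on WAN with nothing redirected would put the problem on the firewall or behind it.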

Hi,

did you restart OPNsense, too?

If nothing arrives at your WAN IF you could be blocked by your ISP. Can you safely rule out this scenario? Hence a packet capture on WAN would be very interesting.

Regarding port 80: is it working fine on the whole path to your internal Traefik install?


September 05, 2023, 03:02:09 PM #3 Last Edit: September 05, 2023, 03:04:54 PM by alexdelprete
Quote from: CJ on September 05, 2023, 02:49:42 PM
What happens when you run a packet capture on WAN?  Do you see anything coming in on 443/tcp?

Another thing to check is verify that it's actually a firewall issue and not an SSL problem.  Do a client side packet capture when trying to hit 443/tcp and see if you get any response back.

Hi, and thanks for answering.

1. I did WAN_FTTH traffic capture, no signs of packets on 443. :(
2. I thought about a failing SSL handshake, but in that case I should still see packets coming in on the WAN_FTTH interface, or am I wrong about this?

Quote from: tron80 on September 05, 2023, 02:55:29 PM
did you restart OPNsense, too?

If nothing arrives at your WAN IF you could be blocked by your ISP. Can you safely rule out this scenario? Hence a packet capture on WAN would be very interesting.

Regarding port 80: is it working fine on the whole path to your internal Traefik install?

Hi, and thanks for answering my post. I appreciate any help.

1. ISP: yes, I sent an email to my ISP yesterday, because I thought that if I don't see anything coming in on the WAN_FTTH (it's a PPPoE connection with an SFP) then it means something before OPNsense is filtering it.

2. I can't fully test port 80 because Traefik upgrades HTTP to HTTPS, and if 443 doesn't work, that fails.

I finally received a reply from the ISP: they filtered port 443 three days ago because of an attack on their network, and they didn't send any email. I complained about the lack of notification obviously.

Sorry to have bothered anyone, I shouldn't doubt OPNsense's reliability anymore. It was really strange that a rule config that had worked for 2 years all of a sudden stopped working. I should've checked the ISP first, and I wouldn't have lost all this time debugging the issue.

Thanks to the people that tried to help, it's highly appreciated.

Thanks for the status update.

Regarding port 80 (HTTP) vs port 443 (HTTPS), you should(*) see some traffic on port 80 going in and out. Usually an HTTP redirection is sent back to the client that points to HTTPS.

(*) Not every browser starts with HTTP; some go to HTTPS immediately. Hence, you might need to enforce http:// in order to test this.

September 05, 2023, 03:40:29 PM #7 Last Edit: September 05, 2023, 03:43:04 PM by alexdelprete
Quote from: tron80 on September 05, 2023, 03:36:59 PM
Thanks for the status update.

Regarding port 80 (HTTP) vs port 443 (HTTPS), you should(*) see some traffic on port 80 going in and out. Usually an HTTP redirection is sent back to the client that points to HTTPS.

(*) Not every browser starts with HTTP; some go to HTTPS immediately. Hence, you might need to enforce http:// in order to test this.

I use https://httpstatus.io to test, and when testing port 80 I obviously specified http://, while when testing 443 I used https://.

As I wrote in the OP, I could see traffic in the live log for port 80, but not for port 443. That should've pointed me to the ISP first, but I started doubting the OPNsense config, and I spent many hours over 2 days without results. :(


I can access port 80 now but not 443 from outside, even though I copied the same rule and just changed the port to 443.

Interface  Proto  Source  Src port  Destination  Dest port    NAT IP        NAT port     Description
WAN        TCP    *       *         WAN address  80 (HTTP)    192.168.0.18  80 (HTTP)    WEBSERVER
WAN        TCP    *       *         WAN address  443 (HTTPS)  192.168.0.18  443 (HTTPS)  WEBSERVER

Does your OPNsense web GUI listen on port 443 by any chance?

Check out System: Settings: Administration >  TCP port.
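The check viragomann points at, as an added Python example (not code from the thread or from OPNsense): it reads `sockstat -4 -l` style output from the firewall itself (the listener table below is a constructed sample; the process names, PIDs and the WAN address 198.51.100.7 are assumptions) together with the port-forward rules, and reports every forwarded destination port on the WAN address that a local service also listens on, bound either to all addresses or to the WAN address. An overlap like the web GUI on TCP/443 next to a TCP/443 forward is exactly what moving the GUI to another port resolves.

```python
"""Find port-forward destination ports that the firewall itself also listens on.

Input is the text of `sockstat -4 -l` (FreeBSD listener table) plus the
port-forward rules; output is the list of overlaps worth investigating.
"""

# Constructed sample of `sockstat -4 -l` output (process names and PIDs are
# illustrative, not taken from a real system).
LISTENERS = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   *:443                 *:*
root     sshd       5678  3  tcp4   *:22                  *:*
unbound  unbound    4321  5  udp4   192.168.0.1:53        *:*
root     openvpn    2468  6  udp4   198.51.100.7:1194     *:*
"""

# Constructed port-forward rules in the shape of the thread's table
# (WAN address -> internal host), plus one UDP rule for contrast.
PORT_FORWARDS = [
    {"iface": "WAN", "proto": "tcp", "dst_port": 80,   "target": "192.168.0.18:80",   "descr": "WEBSERVER"},
    {"iface": "WAN", "proto": "tcp", "dst_port": 443,  "target": "192.168.0.18:443",  "descr": "WEBSERVER"},
    {"iface": "WAN", "proto": "udp", "dst_port": 1194, "target": "192.168.0.20:1194", "descr": "VPN"},
]


def parse_sockstat(text):
    """Turn sockstat listener rows into dicts: proto, bind address, port, command."""
    listeners = []
    for line in text.splitlines()[1:]:          # first row is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        _user, command, _pid, _fd, proto, local = parts[:6]
        addr, _, port = local.rpartition(":")   # handles '*:443' and '1.2.3.4:443'
        if not port.isdigit():
            continue
        listeners.append({
            "proto": proto.rstrip("46"),         # 'tcp4' -> 'tcp', 'udp4' -> 'udp'
            "addr": addr,
            "port": int(port),
            "command": command,
        })
    return listeners


def find_port_forward_conflicts(rules, listeners, wan_ip):
    """Return one entry per rule whose (proto, dst_port) is also a local
    listener bound to all addresses ('*') or to the WAN address."""
    conflicts = []
    for rule in rules:
        for lst in listeners:
            if lst["proto"] != rule["proto"] or lst["port"] != rule["dst_port"]:
                continue
            if lst["addr"] in ("*", wan_ip):
                conflicts.append({
                    "rule": rule["descr"],
                    "proto": rule["proto"],
                    "port": rule["dst_port"],
                    "listener": lst["command"],
                    "bound_to": lst["addr"],
                })
    return conflicts


if __name__ == "__main__":
    found = find_port_forward_conflicts(PORT_FORWARDS, parse_sockstat(LISTENERS), "198.51.100.7")
    if not found:
        print("no local listener overlaps a forwarded port")
    for c in found:
        print(f"rule '{c['rule']}' forwards {c['proto']}/{c['port']} but "
              f"{c['listener']} listens on {c['bound_to']}:{c['port']} locally")
```

A listener bound only to a LAN address (the unbound row above) is deliberately not reported, since it never competes with traffic arriving on the WAN address; the check is about the firewall's own WAN-facing or wildcard listeners, which is where a GUI left on 443 shows up.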


Quote from: viragomann on September 29, 2024, 09:39:02 PM
Does your OPNsense web GUI listen on port 443 by any chance?

Check out System: Settings: Administration >  TCP port.
This is 100% it, I moved the GUI to 449 to accommodate the 443 forwarding.