SG-2100 23.01 update failed
-
@stephenw10 said in SG-2100 23.01 update failed:
Most of those are outside that range.
Try running ps -auxwwd on the firewall and see if it shows you what has started those services.All these :
is not on pfSense.
It's a PC (called AlienwareLaptop) connecting it's LAN IP to 127.0.0.1 or the other way around.
IMHO, the image doesn't show anything that involves pfSense. -
What do you see in /var/etc/xinetd.conf?
cat /var/etc/xinetd.conf -
@stephenw10 said in SG-2100 23.01 update failed:
What do you see in /var/etc/xinetd.conf?
This is a long list and all of them I assume is my laptop (127.0.0.1) -- bitdefender anti virus I assume. Since the list is pretty big here is the linke
-
@netboy 127.0.0.1 is a loopback address that means "myself"...so it depends where you are running the commands. On pfSense that would be pfSense. On your laptop, your laptop.
What is 172.16.0.30?
-
Hmm the fact it starts at port 80 makes me think that could be config error. It's quite common to see a range entered incorrectly like 80-443 when that should be just ports 80 and 443.
-
@steveits said in SG-2100 23.01 update failed:
What is 172.16.0.30?
172.16.0.30 is tied to my external domain - run some applications....
-
-
@steveits said in SG-2100 23.01 update failed:
@netboy 127.0.0.1 is a loopback address that means "myself"...so it depends where you are running the commands. On pfSense that would be pfSense. On your laptop, your laptop.
-
Yeah you almost certainly don't want all those ports forwarded. If you need several ports you should create a ports alias and then use that in the rule instead.
I imagine you have NAT reflection enabled specifically in the rule too. That's what's creating the xinetd entries. I would remove that too unless you really need it.Steve
-
@stephenw10
My external domain points to 172.16.0.30 port 80(http) and 443(https). I access this from outside like https://subdomain.mydomain.com.
I guess I need to open this port to access https://subdomain.mydomain.com?Is this correct?
Should I disable NAT Reflection?
-
No. You can only enter one port there or an alias that has multiple ports.
If you only need 2 ports forwarding just make one port forward for each port.
-
@stephenw10
My understanding is create 2 entries - As an example for 80
And do the above one for 443 as well
And for both NAT reflection must be enabled I guess (to access from outside) - kindly confirm
-
Yes. Though you can just put 'http' in both from and to port fields, port 80 is the http port.
NAT reflection allows internal clients to access the resource using the external destination. It's not required for access from external clients.
Steve
-
@stephenw10
I disabled NAT reflection and this is how it looks now
However now if I enter https://mysubdomain.mydomain.com I see pfsense login not 172.16.0.30?
I want https://mysubdomain.mydomain.com to point to 172.16.0.30
Any changes I must do to accomplish this?
-
@netboy Presumably you're testing from inside the network if disabling it changes anything. ("not required for access from external clients")
Consider split DNS:
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#split-dns
Or just use reflection as discussed on that page. -
@steveits You are right.....
When I used tor browser .....https://subdomain.mydomain.com points to 172.16.0.30!!
All good - Thanks a ton
cat /var/etc/xinetd.conf output is blanks
-
Yeah, if you need to access the resources from inside using the external URL it's better to use split DNS:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html#method-2-split-dns
But if you need to use NAT reflection you can almost always use PureNAT mode rather than NAT+Proxy. PureNAT mode does not use xinetd (nc) instances.Steve
-
@stephenw10 PureNAT did it ! Thank you
