Can't see my internal computers
-
Reset upstream modems, etc. Most likely an ARP entry being held somewhere.
-
I rebooted both modems and still no success.
I set up a WAN rule so I could ping my WAN interface, and I have not been able to ping it. I can ping the public gateway with success. I also cannot ping any of my VIPs.
Do I have to set up a rule for each VIP if I want to ping a NATted internal computer?
-
Something isn't adding up…
Go to system, advanced and check the box for 'Disable Firewall'
If you can't ping the WAN from the Internet but you can ping the gateway (forward router) from the Internet, you have trouble with the provider router, or a basic connectivity issue. Verify the config on the provider equipment; they often turn on NAT, firewall, etc. Can you put one of the public IPs you are using as VIPs on a laptop and ping that from the Internet?
-
If you want to ping an internal machine you have to set up 1:1 NAT on your VIPs. You can only NAT ICMP when using 1:1.
First things first though, if you can't ping your WAN IP from the Internet you need to fix that first. Are you sure you set up your WAN rule properly to allow pings? Do you see them getting dropped in your firewall log?
-
I have been testing the Comcast SMC modem and it appears to be working well. I am able to get out with a laptop configured with one of the static IPs. I will start over with pfSense and see what I can come up with.
Thanks for all your suggestions.
-
I have re-installed pfSense and reconfigured it. I am able to get to the Internet by browsing from my LAN. I set up a NAT port forward to an internal web server using one VIP with Proxy ARP. I also set up a rule allowing ICMP for ping checking. I set it up as open as can be.
I still cannot ping the WAN gateway address which is one of my static IPs 74.92.221.217 or get access to my internal web server from the outside.
I must be doing something wrong or have a hardware problem.
Any ideas for troubleshooting would be appreciated.
-
Post your NAT configuration and firewall rules.
-
Here are my settings, as minimal as they are.
-
That looks fine. What about the VIP screen?
Also, edit the HTTP pass rule and enable logging, and apply changes. Then when you try to access the server from outside your network, does it log anything?
-
Some ISPs block common ports like HTTP to prevent users from hosting servers. Make sure HTTP is not filtered already before it reaches your box.
-
I changed the logging settings and I tried pinging 74.92.221.221 and browsing to it. No luck.
I did notice that 65.44.99.212:1494 is the outside Citrix box I am using to test my connections.
![Firewall log.jpg](/public/imported_attachments/1/Firewall log.jpg)
[Firewall log.txt](/public/imported_attachments/1/Firewall log.txt)
-
I can hit TCP 21 (FTP, normally) on that IP? A connect to the port isn't answered with anything. It seems like the pfSense FTP proxy is listening on that IP? I'm not sure how that can happen, if it is indeed the case.
With logging enabled on the HTTP pass rule, do you get logged entries when attempting from outside?
The firewall showing that dropped traffic is either normal (out of state traffic), or if you're not running 1.2b it could be excessive and was fixed in 1.2b.
-
How can you tell that you are getting an answer of TCP 21?
I am including my WAN configuration as well as an image of the System Log while I pinged the WAN IP of 74.92.221.217 and tried to access my web server at 74.92.221.221. It doesn't tell me anything, but I am not sure what to look for.
-
Why are you seeing ARP on both sides as if they're on the same broadcast domain? Are you bridging interfaces, or are they actually plugged into the same broadcast domain?
nmap told me TCP 21 was open (I scanned that public IP to see if there was anything open).
I can verify a connect with telnet.
```
[cmb@ws0 ~]$ telnet 74.92.221.221 21
Trying 74.92.221.221...
Connected to 74-92-221-221-colorado.hfc.comcastbusiness.net.
Escape character is '^]'.
Connection closed by foreign host.
```
It eventually times out; the way it's acting is the same way the pfSense FTP proxy acts.
If you enabled logging on your HTTP pass rule, you should see passed traffic logged when you attempt to access your web server from outside. If you don't see passed traffic getting logged, your HTTP requests aren't getting to your firewall.
-
These results from the system log seem like they might indicate an issue.
```
May 6 13:32:23 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:32:56 kernel: arp: 74.92.221.222 is on bge0 but got reply from 00:13:f7:46:4a:69 on fxp0
```
10.0.1.45 is a local LAN-based computer and is looking at the WebGUI of pfSense. fxp0 is the LAN interface and bge0 is the WAN interface, and 74.92.221.222 is the Comcast-supplied gateway.
I can now ping the WAN IP 74.92.221.217 but I still cannot ping or browse VIP 74.92.221.221, which is NATted to the web server on the inside.
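The ARP messages above are the diagnostic clue in this thread: a host that should be on one interface answering from another means the two segments are joined into one broadcast domain. The following is an added example, not code from the thread, that parses such pfSense (FreeBSD) kernel lines and flags when mismatches run in both directions between two interfaces; the log lines are constructed to mirror the ones posted.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's system log (kernel ARP
# mismatch messages plus one unrelated line); values are made up for this example.
SAMPLE_LOG = """\
May 6 13:32:23 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:32:56 kernel: arp: 74.92.221.222 is on bge0 but got reply from 00:13:f7:46:4a:69 on fxp0
May 6 13:33:10 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:34:01 check_reload_status: reloading filter
"""

ARP_RE = re.compile(
    r"arp: (?P<ip>[\d.]+) is on (?P<expected>\w+) but got reply from "
    r"(?P<mac>[0-9a-f:]{17}) on (?P<seen>\w+)"
)

def parse_arp_mismatches(log_text):
    """Return one dict per kernel ARP interface-mismatch line (ip, expected, mac, seen)."""
    events = []
    for line in log_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def interface_pairs(log_text):
    """Count how often each (expected, seen) interface pair occurs."""
    counts = defaultdict(int)
    for ev in parse_arp_mismatches(log_text):
        counts[(ev["expected"], ev["seen"])] += 1
    return dict(counts)

def looks_bridged(log_text):
    """True when mismatches appear in both directions between two interfaces,
    i.e. LAN hosts answer on WAN and WAN hosts answer on LAN: the segments
    are joined (here, the modem's spare port plugged into the LAN)."""
    pairs = interface_pairs(log_text)
    return any((seen, expected) in pairs for (expected, seen) in pairs)

if __name__ == "__main__":
    for ev in parse_arp_mismatches(SAMPLE_LOG):
        print(f"{ev['ip']} expected on {ev['expected']}, answered from {ev['seen']} ({ev['mac']})")
    print("segments joined into one broadcast domain:", looks_bridged(SAMPLE_LOG))
```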
-
I think I solved the system log issue. The SMC modem allows for an additional Ethernet connection and I had it plugged into the LAN. Since I removed that connection, there is no longer an error message in the system log.
Still no luck on the NAT issue.
-
> These results from the system log seem like they might indicate an issue.
Yes, that's why I asked about the ARP messages… If you stopped ignoring what I'm asking you, you'd probably have this fixed already.
AGAIN, you WILL NOT be able to ping the VIP as you don't have it 1:1 NAT'ed. You should only be able to access HTTP on it given your config. For I think the 3rd time now, what happens when you enable logging on the HTTP pass rule and try to access HTTP from the outside?
-
I am not ignoring you. I am just trying to do what seems right. I have the logging turned on and I am not getting anything in the logs.
Is turning it on in the rules the only thing I need to do?
-
Just to try it, why don't you use 218 as a VIP instead of 221? (The traceroutes look slightly odd from here)
Also, static a laptop or something with the 221 public. Power cycle the modem, then connect it directly in place of pfSense. It would be interesting to see if you could ping that…
-
I did what you suggested and put a laptop on the modem with 74.92.221.221 and I can ping it.
I also changed the VIP to 74.92.221.218 and tried to access my server from the outside, and still no luck. I am challenged.