Can't see my internal computers
-
If you want to ping an internal machine you have to setup 1:1 NAT on your VIP's. You can only NAT ICMP when using 1:1.
First things first though, if you can't ping your WAN IP from the Internet you need to fix that first. You sure you setup your WAN rule properly to allow pings? Do you see them getting dropped in your firewall log?
-
I have been testing the Comcast SMC modem and it appears to be working well. I am able to get out with a laptop configured with one of the static IPs. I will start over with pfSense and see what I can come up with.
Thanks for all your suggestions.
-
I have re-installed pfSense and reconfigured it. I am able to get to the internet by browsing from my lan. I setup Nat Port forward to an internal web server using 1 VIP with Proxy ARP. I also setup a rule allowing ICMP for ping checking. I set it up open as can be.
I still cannot ping the WAN gateway address which is one of my static IPs 74.92.221.217 or get access to my internal web server from the outside.
I must be doing something wrong or have a hardware problem.
Any ideas for troubleshooting would be appreciated.
-
Post your NAT configuration and firewall rules.
-
Here are my settings as minimal as they are
-
that looks fine. what about the VIP screen?
Also, edit the HTTP pass rule and enable logging, and apply changes. Then when you try to access the server from outside your network, does it log anything?
-
Some ISPs block common ports like HTTP to prevent users from hosting servers. Make sure HTTP is not filtered already before it reaches your box.
-
I changed the logging settings and I tried pinging to 74.92.221.221 and browsing to it. No Luck
I did notice that 65.44.99.212:1494 is the outside Citrix box I am using to test my connections
![Firewall log.jpg](/public/imported_attachments/1/Firewall log.jpg)
![Firewall log.jpg_thumb](/public/imported_attachments/1/Firewall log.jpg_thumb)
[Firewall log.txt](/public/imported_attachments/1/Firewall log.txt) -
I can hit TCP 21 (FTP, normally) on that IP? A connect to the port isn't answered with anything. It seems like the pfsense FTP proxy is listening on that IP? I'm not sure how that can happen, if it is indeed the case.
With logging enabled on the HTTP pass rule, do you get logged entries when attempting from outside?
The firewall showing that dropped traffic is either normal (out of state traffic), or if you're not running 1.2b it could be excessive and was fixed in 1.2b.
-
How can you tell that you are getting an answer of TCP 21?
I am including my WAN Configuration as well as an image of the System Log while I have pinged the WAN ip of 74.92.221.217 and tried to access my Web server at 74.92.221.221. It doesn't tell me anything, but I am not sure what to look for.
-
Why are you seeing ARP on both sides as if they're on the same broadcast domain? Are you bridging interfaces, or are they actually plugged into the same broadcast domain?
nmap told me TCP 21 was open (I scanned that public IP to see if there was anything open).
I can verify a connect with telnet.
[cmb@ws0 ~]$ telnet 74.92.221.221 21 Trying 74.92.221.221... Connected to 74-92-221-221-colorado.hfc.comcastbusiness.net. Escape character is '^]'. Connection closed by foreign host.
It eventually times out, the way it's acting is the same way the pfsense FTP proxy acts.
If you enabled logging on your HTTP pass rule, you should see passed traffic logged when you attempt to access your web server from outside. If you don't see passed traffic getting logged, your HTTP requests aren't getting to your firewall.
-
These results from the system log seem like they might indicate an issue.
May 6 13:32:23 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:32:56 kernel: arp: 74.92.221.222 is on bge0 but got reply from 00:13:f7:46:4a:69 on fxp010.0.1.45 is a local Lan based computer and is looking at the WebGui of pfsense. fxp0 is the LAN interface and bge0 is the WAN interface and 74.92.221.222 is the Comcast supplied gateway.
I can now ping the WAN ip 74.92.221.217 but I still can not ping or browse vip 74.92.221.221 which is natted to web server on inside.
-
I think I solved the system Log issue. The SMC modem allows for additional ethernet connection and I had it plugged into the LAN. Sense I removed that connection, there is no longer an error message in the System log.
Still no luck on the NAT issue.
-
These results from the system log seem like they might indicate an issue.
Yes, that's why I asked about the ARP messages… If you stopped ignoring what I'm asking you, you'd probably have this fixed already.
AGAIN, you WILL NOT be able to ping the VIP as you don't have it 1:1 NAT'ed. You should only be able to access HTTP on it given your config. For I think the 3rd time now, what happens when you enable logging on the HTTP pass rule and try to access HTTP from the outside?
-
I am not ignoring you. I just am trying to do what seems right. I have the logging turned on and I am not getting anything on the logs.
Is the only thing I need to do is turn it on in the rules?
-
Just to try it, why don't you use 218 as a VIP instead of 221? (The traceroutes look slightly odd from here)
Also, static a laptop or something with the 221 public. Power cycle the modem, then connect it directly in place of pfSense. It would be interesting to see if you could ping that… -
I did what you suggested and put a laptop on the modem with 74.92.221.221 and I can ping it.
I also changed the VIP to 74.92.221.218 and tried to access my server from the out side and still no luck. I am challenged.
-
Just to try what cmb suggested I have deleted the port forward nat and created a 1-1 Nat as shown below. Still can not ping or access VIP 74.92.221.218 I am going to contact Comcast and see of they see anything. I did cycle the modem after making the mods.
Interface External IP Internal IP Description
WAN 74.92.221.218/32 10.0.1.134/32 -
Comcast can see the WAN ip and can see the MAC address of the Nic. Does any one have any ideas about what could interfere with the NAt process.
It seems like the translation of the addresses could be the problem, but you would think it would show up in the logs some where.
Any Ideas?
-
Ok, if they can see the MAC, your VIP is working, assuming the MAC they're seeing is the pfsense one and not the laptop you were using. But you aren't getting anything in the logs, so for some reason the HTTP traffic still isn't getting to you.
Enable SSH, SSH into a shell prompt, and run tcpdump on that VIP by running:
tcpdump -i fxp0 src or dst 74.92.221.221
replacing fxp0 with whatever your WAN interface is and attempt to access http://74.92.221.221 from the Internet. See anything?
-
With your current setup, your LAN ip range is 10.0.1.0/24, correct? Did you change the lan from the default the Comcast unit comes with which is usually 10.1.10.0/24 ?
Do you mind posting your LAN and WAN rules for us to see? Personally, when I have a Comcast setup with 5 ip's more as you do (/29 subnet), I like to use a subnet of something other than the default 10.1.10.x network that the SMC Barricade units for Comcast comes with. Granted, the ip you listed is slightly different, thus my reason for wanting to know. Afterwards, with all the rules properly in place, accessing 1:1 ip's from the outside via their static ip's are quite simple and work well.
OK, a few more things as well (after reading some more about your situation here):
You went and deleted and recreated a new 1:1 NAT rule, which we assume is working. To verify, can the webserver in question get out to the Internet? If so, have you verified that it has the static ip you want? Go and visit a site like http://www.ipchicken.com to verify. If that works, then go and delete your port-forward rules you created for port 80 and re-create them. However, one big item to note: Only create the rule from the RULES–-> WAN section, as there is no need to create a NAT port-forward here. The rule should be:
TCP * * 10.0.1.134 80(HTTP) *
With that in place, test from a computer on the outside and see what happens. Add the logging item if you wish to see if it is successfully being hit.
Just let us know some more info.......... Good luck!
-
I feel like a dunce. I was away from my office and just got back. I looked at the postings and the last one triggered a new thought. I am trying to migrate from ipcop as well as moving from cbeyond. I looked at the ipchicken page and all of a sudden I realized that the default gateway for the internal box was still using the ipcop gateway. Once I changed the gateway from 10.0.1.2 to 10.0.1.3 (the new gateway) everything worked.
I want to thank everyone who posted on this most profusely. I feel like a huge weight has been lifted off of my shoulders.
I wish I was a little more savvy about all the networking issues, but I guess trial by fire is the way I learn.
Thanks again.
Andy