Can't see my internal computers
-
These results from the system log seem like they might indicate an issue.
May 6 13:32:23 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:32:56 kernel: arp: 74.92.221.222 is on bge0 but got reply from 00:13:f7:46:4a:69 on fxp0
10.0.1.45 is a local LAN-based computer and is looking at the WebGUI of pfSense. fxp0 is the LAN interface, bge0 is the WAN interface, and 74.92.221.222 is the Comcast-supplied gateway.
I can now ping the WAN IP 74.92.221.217, but I still cannot ping or browse the VIP 74.92.221.221, which is NATed to a web server on the inside.
-
I think I solved the system log issue. The SMC modem allows for an additional Ethernet connection and I had it plugged into the LAN. Since I removed that connection, there is no longer an error message in the system log.
Still no luck on the NAT issue.
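The kernel ARP warnings quoted above are the security-relevant signal in this thread: an address that belongs on one interface answering from a MAC on another means the LAN and WAN segments were joined somewhere (here, the modem's spare Ethernet port patched into the LAN switch), and the same message pattern is what you would see if a host on the wrong side were impersonating a gateway. The following is an added example, not code from the thread or from pfSense: a small Python parser that pulls these FreeBSD-style "arp: ... is on X but got reply from ... on Y" lines out of a syslog extract, groups them by address and interface pair, and distinguishes a two-way crossing (segments bridged) from a one-way crossing (misplaced or spoofing host). The log lines are constructed sample input modelled on the ones in the post.

```python
import re
from collections import defaultdict

# Constructed sample log: the first three lines are modelled on the FreeBSD
# kernel ARP warnings quoted in the thread; the fourth is unrelated noise.
SAMPLE_LOG = """\
May 6 13:32:23 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:32:56 kernel: arp: 74.92.221.222 is on bge0 but got reply from 00:13:f7:46:4a:69 on fxp0
May 6 13:33:10 kernel: arp: 10.0.1.45 is on fxp0 but got reply from 00:07:e9:70:d0:5e on bge0
May 6 13:34:02 sshd[1234]: Accepted publickey for admin from 10.0.1.45 port 51022
"""

# Matches the kernel's "arp: <ip> is on <if> but got reply from <mac> on <if>" message.
ARP_MISMATCH_RE = re.compile(
    r"arp: (?P<ip>\S+) is on (?P<expected>\S+) but got reply from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<actual>\S+)"
)


def parse_arp_mismatches(log_text):
    """Return one dict per ARP cross-interface warning found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = ARP_MISMATCH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Group events by (ip, expected_if, actual_if): count and set of answering MACs."""
    summary = {}
    for ev in events:
        key = (ev["ip"], ev["expected"], ev["actual"])
        entry = summary.setdefault(key, {"count": 0, "macs": set()})
        entry["count"] += 1
        entry["macs"].add(ev["mac"])
    return summary


def diagnose(summary):
    """Classify each pair of interfaces that exchanged misplaced ARP replies.

    Replies crossing in both directions point at the two segments being
    physically joined; a one-way crossing points at a single host that is on
    the wrong segment or is answering for addresses it does not own.
    """
    directions = defaultdict(set)
    for _ip, expected, actual in summary:
        directions[frozenset((expected, actual))].add((expected, actual))
    verdicts = []
    for pair, dirs in sorted(directions.items(), key=lambda kv: sorted(kv[0])):
        a, b = sorted(pair)
        if len(dirs) == 2:
            verdicts.append(
                f"{a} and {b} look bridged: replies cross in both directions "
                f"(look for a stray link between the two segments)"
            )
        else:
            (expected, actual), = dirs
            verdicts.append(
                f"addresses expected on {expected} answer on {actual}: "
                f"a misplaced host, or something on {actual} spoofing them"
            )
    return verdicts


if __name__ == "__main__":
    found = summarize(parse_arp_mismatches(SAMPLE_LOG))
    for (ip, expected, actual), info in sorted(found.items()):
        print(f"{ip}: expected {expected}, answered on {actual} "
              f"x{info['count']} from {', '.join(sorted(info['macs']))}")
    for verdict in diagnose(found):
        print("verdict:", verdict)
```

Run it against a real extract with something like `python3 arp_check.py < /var/log/system.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the useful part is the verdict line, since a one-way crossing on a segment you did not recently re-cable deserves a closer look than the bridged case this thread turned out to be.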
-
These results from the system log seem like they might indicate an issue.
Yes, that's why I asked about the ARP messages… If you stopped ignoring what I'm asking you, you'd probably have this fixed already.
AGAIN, you WILL NOT be able to ping the VIP as you don't have it 1:1 NAT'ed. You should only be able to access HTTP on it given your config. For I think the 3rd time now, what happens when you enable logging on the HTTP pass rule and try to access HTTP from the outside?
-
I am not ignoring you. I just am trying to do what seems right. I have the logging turned on and I am not getting anything on the logs.
Is the only thing I need to do to turn it on in the rules?
-
Just to try it, why don't you use 218 as a VIP instead of 221? (The traceroutes look slightly odd from here)
Also, static a laptop or something with the 221 public. Power cycle the modem, then connect it directly in place of pfSense. It would be interesting to see if you could ping that…
-
I did what you suggested and put a laptop on the modem with 74.92.221.221 and I can ping it.
I also changed the VIP to 74.92.221.218 and tried to access my server from the outside, and still no luck. I am challenged.
-
Just to try what cmb suggested, I have deleted the port forward NAT and created a 1:1 NAT as shown below. Still cannot ping or access VIP 74.92.221.218. I am going to contact Comcast and see if they see anything. I did cycle the modem after making the mods.
Interface External IP Internal IP Description
WAN 74.92.221.218/32 10.0.1.134/32 -
Comcast can see the WAN IP and can see the MAC address of the NIC. Does anyone have any ideas about what could interfere with the NAT process?
It seems like the translation of the addresses could be the problem, but you would think it would show up in the logs somewhere.
Any ideas?
-
OK, if they can see the MAC, your VIP is working, assuming the MAC they're seeing is the pfSense one and not the laptop you were using. But you aren't getting anything in the logs, so for some reason the HTTP traffic still isn't getting to you.
Enable SSH, SSH into a shell prompt, and run tcpdump on that VIP by running:
tcpdump -i fxp0 src or dst 74.92.221.221
replacing fxp0 with whatever your WAN interface is and attempt to access http://74.92.221.221 from the Internet. See anything?
-
With your current setup, your LAN IP range is 10.0.1.0/24, correct? Did you change the LAN from the default the Comcast unit comes with, which is usually 10.1.10.0/24?
Do you mind posting your LAN and WAN rules for us to see? Personally, when I have a Comcast setup with 5 IPs or more as you do (/29 subnet), I like to use a subnet of something other than the default 10.1.10.x network that the SMC Barricade units for Comcast come with. Granted, the IP you listed is slightly different, thus my reason for wanting to know. Afterwards, with all the rules properly in place, accessing 1:1 IPs from the outside via their static IPs is quite simple and works well.
OK, a few more things as well (after reading some more about your situation here):
You went and deleted and recreated a new 1:1 NAT rule, which we assume is working. To verify, can the web server in question get out to the Internet? If so, have you verified that it has the static IP you want? Go and visit a site like http://www.ipchicken.com to verify. If that works, then go and delete your port-forward rules you created for port 80 and re-create them. However, one big item to note: only create the rule from the Rules -> WAN section, as there is no need to create a NAT port-forward here. The rule should be:
TCP * * 10.0.1.134 80(HTTP) *
With that in place, test from a computer on the outside and see what happens. Add the logging item if you wish to see if it is successfully being hit.
Just let us know some more info... Good luck!
-
I feel like a dunce. I was away from my office and just got back. I looked at the postings and the last one triggered a new thought. I am trying to migrate from IPCop as well as moving from Cbeyond. I looked at the ipchicken page and all of a sudden I realized that the default gateway for the internal box was still using the IPCop gateway. Once I changed the gateway from 10.0.1.2 to 10.0.1.3 (the new gateway), everything worked.
I want to thank everyone who posted on this most profusely. I feel like a huge weight has been lifted off of my shoulders.
I wish I was a little more savvy about all the networking issues, but I guess trial by fire is the way I learn.
Thanks again.
Andy