Netgate Discussion Forum
    In dire need of direction

    Problems Installing or Upgrading pfSense Software
    15 Posts 2 Posters 5.1k Views
    GruensFroeschli

      Can you enable logging for the rule which allows access to the server?
      If traffic passes the pfSense it should show up in the log.

      Could you show screenshots of the things I asked before?
      It's a lot more clear what you actually have configured than describing it with words.
      (You always could have something misconfigured.)

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        gborrillo

        Of course... I can do that... give me a few. I enabled logging and will post screenies. Give me 10 mins pls.

          gborrillo

          OK, I took a few screenshots - hope this is what you need. They are here:

          http://www.mediafire.com/?sharekey=54889a0ecb9cd83767cd7f7bd65f7eef7164ba55e3786784e04f31aacf568dab

          Also, this was in my system log... first time I've seen an entry like this that refers to the public static IP of the server (x72). In the firewall log nothing is reported to the 72 address... only the 69, which is the address of the pfSense.

          log:
          kernel: arp: x.x.x.x.172 is on re0 but got reply from 00:24:1d:b5:4c:41 on nfe0

            GruensFroeschli

            There don't seem to be any files in the link you posted.
            You can simply attach JPEGs or GIFs here in the forum in a normal post.

            The log entry you posted means that an ARP entry for an IP/MAC pair exists for an interface, but traffic for this was received on another interface.
            Which interfaces are re0 and nfe0?

              gborrillo

              Sorry about that. nfe0 is the WAN and re0 is the LAN.

              Here are screens. This is of the NAT settings.

              screen_nat.jpg

                gborrillo

                And the rule screen:
                one of the overview and one of the config. Which else do you need?
                Hopefully they are legible enough for you... lemme know if not.

                screen_rules.jpg
                screen_rules2.jpg

                  gborrillo

                  OK, I get it - regarding the log that you explained. That was just me trying to access the server from within my LAN, right? So I need to create a rule that allows this. Still though, cannot explain why it cannot be accessed from outside the LAN. Thanks in advance for your help.

                    GruensFroeschli

                    Did you perchance create the VIP on the LAN interface?
                    This would be consistent with the ARP message you got.

                      gborrillo

                      I don't think so - here is a screenshot of my virtual IP creation.

                      sceen_virt.jpg

                        gborrillo

                        I gather it is not something glaring then, given it didn't jump out at you?

                        Perhaps you can, if you don't mind, summarize the necessary steps one should take to accomplish this... maybe I can understand it better and the problem will come out.

                        i.e.: Goal is to have 2 subnets on one interface. One subnet (subnet1) is for internal LAN/PCs/home network. Other subnet (subnet2) is for webserver. Webserver is NAT'd with public static IP. The other static IP is shared by all other PCs on subnet 1. Subnet 1 can access the servers, but the server subnet can only respond to requests from subnet 1 - otherwise they cannot access the internal LAN.

                        So to do so, I just need to understand the steps one should take to achieve this.
                        a.  Setup subnet 1 - do x,y,z
                        b. etc, etc.

                        I am sure this would be of help to someone in the future.  I will definitely be writing something up once I get this figured out...hopefully soon.

                        Thanks again,

                          GruensFroeschli

                          You misconfigured your VIP.
                          You've set as subnet /32 but it should be the netmask of the real interface.
                          (The note there telling you this is not just a joke.)

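The two diagnostics in this thread, the kernel's ARP interface-mismatch warning and the VIP netmask mistake, can be checked mechanically. The Python below is an added example, not code from the thread or from pfSense: it extracts the "arp: ... is on X but got reply from ... on Y" fields from sample log lines and validates a VIP's prefix against the interface it is supposed to share a netmask with. The log text, addresses, MAC and the interface-role map are constructed for the demo.

```python
import ipaddress
import re

# FreeBSD kernel ARP warning, in the shape quoted in the thread (values are redacted there).
ARP_RE = re.compile(
    r"arp: (?P<ip>[\d.]+) is on (?P<expected>\w+) but got reply from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<seen>\w+)"
)

# Constructed sample log text: the address, MAC and hostname are made up for the demo.
SAMPLE_LOG = """\
Jan  1 12:00:01 pfsense kernel: arp: 203.0.113.72 is on re0 but got reply from 00:24:1d:b5:4c:41 on nfe0
Jan  1 12:00:09 pfsense sshd[123]: Accepted publickey for admin from 192.168.1.10
"""


def parse_arp_warnings(log_text):
    """Return one dict (ip, expected, mac, seen) per ARP interface-mismatch line."""
    return [m.groupdict() for line in log_text.splitlines() if (m := ARP_RE.search(line))]


def describe_mismatch(event, roles):
    """Render a warning as a finding; roles maps ifname -> role, e.g. {'nfe0': 'WAN', 're0': 'LAN'}."""
    return (f"{event['ip']}: ARP entry on {event['expected']} ({roles.get(event['expected'], '?')}), "
            f"but {event['mac']} answered on {event['seen']} ({roles.get(event['seen'], '?')}); "
            f"the address (or VIP) is probably configured on the wrong interface")


def check_vip(vip_cidr, iface_cidr):
    """Validate a VIP that must carry its interface's netmask (the case in this thread).

    Returns 'ok' or a short reason; a /32 where the interface mask belongs is the thread's bug.
    """
    vip = ipaddress.ip_interface(vip_cidr)
    iface = ipaddress.ip_interface(iface_cidr)
    if vip.network.prefixlen == 32:
        return "vip uses /32; use the interface netmask instead"
    if vip.network.prefixlen != iface.network.prefixlen:
        return "vip netmask differs from interface netmask"
    if vip.ip not in iface.network:
        return "vip is outside the interface subnet"
    return "ok"


if __name__ == "__main__":
    roles = {"nfe0": "WAN", "re0": "LAN"}  # constructed: the roles gborrillo gave
    for event in parse_arp_warnings(SAMPLE_LOG):
        print(describe_mismatch(event, roles))
    print(check_vip("203.0.113.72/32", "203.0.113.69/28"))
```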
                            gborrillo

                            OMG. Yes, I have been staring at this too long.

                            Stay tuned... I am sure that was the problem. You're a life saver.
