[SOLVED] Need HEEELP! My server cannot be seen by the internet!
-
It's probably not necessary to reset everything but you can do it in Diagnostics: Factory defaults: if you need to.
Where are you at now?
Steve
-
Actually, I found out that I configured my DNS wrong, specifically my A host. I was supposed to use an @ symbol but instead I typed in "Comcast", assuming that I could name it whatever I want. But no, the A record has to have a freakin' @ symbol :P ::) . So now I gotta wait for the correct settings to propagate. So perhaps it wasn't the firewall at all that was causing issues :o
-
That would also explain it!
You should be able to test the forwarding setup though by just using your WAN IP from outside your network instead of the URL.
Steve
-
Ok, now the "501: Potential Rebind DNS attack detected" error is back >:( God, what did I do wrong to you? :'( :'(
When I disable DNS rebinding checks, the URL takes me to the login of my pfSense device! What is going on?? Should I switch pfSense to a non-internet port? What should I change it to, and then how do I login to the device if I do so?
Tried enabling SSH, but that did no good. What I don't understand is that if I forwarded port 443 to 172.20.2.45, then why is the url getting routed to the login of the pfSense device? Perhaps there is another setting within pfSense that redirects internet IP to a specific address on my LAN network?
Update: Oh no! I put in port 25 for the webconfigurator and now I cannot get in. Gives me "Webpage might be temporarily down" and then Error 312 Unsafe port. Now what?
Update 2: Set pfSense device to factory defaults and did my usual settings. Now I'm back to stage 1 with the 501 DNS rebind attack error. How do I get my server to show up when I type in the URL instead of this error or the pfSense login???
-
From your results it looks like you are testing from inside your network. In order for this to work using URLs, you need to enable NAT reflection or split DNS.
This doesn't test the port forward correctly though; you need to test it from a remote location or using a 3G modem etc.
Steve
-
I have been using my 3G smart phone to see if I can reach the browser, and I get the same error. If I tell the pfSense device to ignore the DNS rebinding, then it brings me to the pfSense device login screen.
So it seems that the only issue I'm having is forwarding my LAN server to my static IP. It's just that my router's login takes priority over what I've forwarded? And I followed that guide, but no change.
Maybe I'm missing something and need a tutorial on how to setup a server behind pfSense? I'm trying to forward my server that has a LAN IP to my WAN IP via port 80. This is what I've been doing.
Update: Ok, so I bypassed the pfSense router and used a DIR-655 wireless router which was used strictly for wireless only, and IT WORKS!!! I am able to connect to my server on the internet via the virtual server settings in this router. BUT, the whole point is to have failover functionality (which I'm still having trouble with the 2nd ISP) and route the server through the pfSense device. So I don't know where this leaves me, except in a sour area. Gonna keep trying to route it through the pfSense device.
-
This is very weird. You shouldn't need to do anything more than this.
You shouldn't be able to reach the pfSense webGUI from WAN at all unless you open a firewall hole to it directly.
Your firewall rule only allows in traffic that has destination 'your server'. :-
Are you sure there's no way your phone is using wifi or has cached the page?
Try asking a friend to access it to be sure.
Steve
Edit: I can't see anything at saltcreekimaging.com from here in the UK. :(
-
You gotta use https:// before the url, otherwise it won't work. It's a server config thing. And the SSL certificate is out-of-date, but I'll update that later.
I was also able to get it to work with the DIR-655's port forwarding. So this is very weird.
So right now I'm attempting to get it to work on the pfSense device.
Update: No good, doesn't work via pfSense. If only I could figure out how the DIR-655 does port forwarding and apply that to the pfSense device, then perhaps I can make it work. Anyone?
-
OK I see your site using https.
If it only works via https then you need to forward port 443, not 80.
Steve
It's definitely running on the standard port, 443.
pfTop: Up State 1-27/27, View: default, Order: dest. addr
PR  D SRC                DEST               STATE AGE EXP PKTS BYTES
tcp I 192.168.2.10:1545  50.193.66.117:443  9:9   85  21  24   8387
tcp O 192.168.2.10:1545  50.193.66.117:443  9:9   85  21  24   8387
-
Already tried that, otherwise how would I have gotten it to work on my DIR-655 router. Anyway, I've exhausted my brain too much, to the point where I've given up on the pfSense device. Yesterday I was troubleshooting the device from 8am to 12pm! <- NOT A JOKE! :o I mean, why is it so hard to port forward something? It took me like 5 seconds to configure + 20 seconds for the rule to take effect in my DIR-655 and the server was available to the internet.
After giving up, I left the configuration with a sour taste in my mouth. The Comcast connection is hooked up to the DIR-655, which is connected to only TWO devices in the office: the server and a workstation computer that frequently accesses files from it. The T1 line is connected to the pfSense device, which is connected to the switch that distributes the internet throughout the office. So not only is the rest of the office on the slower 1.5 Mbps T1 line, but also I haven't, or at this point cannot, hook up failover to the pfSense device. Very sad about this :(
Don't get me wrong, I love most of pfSense's features, like the fact that it's stable, runs on a 2.0+ GHz dual core processor that can easily process multiple requests, NAT translations, firewall attacks, multiple internet connections, failover, etc. with ease. The DNS of the T1 line gets translated instantly through the NAT, whereas the DIR-655 occasionally has slowdowns but still a solid connection.
What I'm worried about is that in November the T1 internet will be cancelled and this will be a problem for the rest of the office + the fact that I haven't implemented failover. Not to mention the failover issues I'm having due to DNS not registering to the T1 line when I disconnect the Comcast line (this is talked about in another topic). Also, the DIR-655 was designed as a home device. I have no idea how reliable it will be over the next few months, especially since the server is connected to it. It only has a 200-300 MHz processor onboard compared to the pfSense device's 2.0+ GHz Core 2 Duo!
I want pfSense's incredible processing power for the entire office! I want failover to work properly! I want the server to get through to the internet! SIGH. I just need two days' rest before I tackle that device again. So if you guys have any suggestions on what I should do, please tell me. I want to love my pfSense device, so PLEASE HELP ME?
-
I feel like I am not using pfSense's port forwarding properly. Even though I read the docs and everything, I must be failing at some setting. What I'm going to do is setup a pfSense device at home that I can play with and see what I'm doing wrong. Though I hope I don't run into issues for not using Intel NICs…ones I have at home are Realtek and Marvell. Also have an Nforce 2 sitting around.
I was wondering if I posted my issues in the wrong section. Even though I am just installing this for the first time, maybe I should've asked this issue in the NAT section?
Should I have used an Alias? I have no idea what it is and how to set it up. I mean I read the docs but when I tried to implement it, it said that I cannot use the pfSense's IP as an alias. Why is that?
Also, Virtual IPs wouldn't have made a difference, right?
-
This is turning into a nightmare! :(
It shouldn't be anywhere near this difficult. There is no need to use an alias; they are only there to make it easier to use a group of addresses in a firewall/forwarding rule.
Virtual IPs are not necessary in this instance either. You would only use this if you have multiple public IPs on the same interface.
The way to tackle almost any problem like this is to take it one step at a time. After you make any change verify that the change has actually taken place and that it is actually doing something.
If I were trying to solve this I would be looking at the logs whilst I tried to connect from the outside.
I'm not sure if you ever tried chpalmer's suggestion but that should be your next step. If you don't see anything in the firewall logs then either packets are not reaching the firewall at all or packets are being passed by the rule associated with the port forward. By enabling logging on that rule you will be able to clearly see that the port forward and firewall rules are working (or not working).
Steve
-
Agree with Stephen, one step at a time…
According to your other posts, you are trying to get multiple things working at the same time (if I'm not wrong).
Having issues with DNS server settings with 2 ISPs (Failover issues): http://forum.pfsense.org/index.php/topic,49077.msg260330.html#msg260330
Newbie to Split Tunneling: http://forum.pfsense.org/index.php/topic,49161.msg260327.html#msg260327
-
Yes I am, ptt. But the most important issue is this one. Next is the VPN thing. Last is failover as long as Comcast has no outage :) Hence the "HEEELP!" used here ;D
Ok, after all the brain overloading I've experienced I decided to try again. This time I enabled logging for the firewall rule, which was automatically created when I port forwarded the port. The strange thing is that the firewall logs do show the IP of the computer that I used the URL on, which was on an outside internet line. In fact the logs show green arrows next to it, meaning they are passing, right? So why is my server still not showing up? Is it like somehow whatever the server throws out as a reply is not being sent back through the same WAN interface? Do I need to make another rule or something that redirects the replies towards the WAN? And if so, how do I apply failover in this situation?
Somewhere in the docs I think I read that pfSense blocks all communication from the outside world, so maybe I need to set two rules per port for bi-directional communication?
BTW, when I changed the default port of 80 to 25 for the webgui I could no longer get in, even though I typed xxx.xx.xx.xxx:25 . Perhaps 25 is not a good port number?
-
I just browsed to https://saltcreekimaging.com and got to your site.
EDIT: Have you put the D-Link back in?
-
Port 25 is email and there could be a conflict. I would go with either 8080 or 8443 to make it a little easier. Is your server using pfSense as its gateway? Does it have a live internet IP? Is the website using a live IP in its html/php/asp code? I would suggest traceroutes and tcpdumps from the server to see what is going on.
-
Yes, the D-Link is currently the one running the show. It's a great router and all because it can handle a huge load, but it's no professional router. That's why I only bought it for wireless only. That's why you're able to reach the site. :-\
Right now it's not going through the pfSense device. Right now it's going through the T1 static IP, which is being used by the rest of the office. The webserver doesn't have a special configuration file like that: it's simply setup with a LAN IP.
So my question still remains: Just as I port forwarded WAN to LAN, do I need to do the same for LAN to WAN? I thought that was what NAT reflection did?
-
NAT reflection is for internal clients to access internal servers using external IPs. If the server is not using pfSense as its gateway, then the traffic is going to be split and this will not work. You do not have to setup a port forward from LAN to WAN as that should be handled by states (so long as the pfSense is used as the gateway for the return traffic).
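The two checks the replies above describe (Steve's: enable logging on the forward's pass rule and read the firewall log while connecting from outside; and the one just above: the server must use pfSense as its gateway so the reply follows the state) can be turned into a small log triage. The script below is an added example, not from the thread or from the pfSense project. It assumes the comma-separated filterlog line format of pfSense 2.2 and later (the 2.0-era logs discussed in the thread are displayed differently), that em0 is the WAN interface, and uses constructed sample lines with documentation addresses; 172.20.2.45 is the internal server from the thread. The key point it relies on is that pf applies the port forward (rdr) before the filter rules, so a logged inbound packet that the forward handled already shows the internal server as its destination, while one still addressed to the WAN IP never matched the forward and lands on pfSense itself, which is how a request can end up at the webGUI login.

```python
import ipaddress

# Field positions in the pfSense (2.2+) filterlog CSV for an IPv4 TCP/UDP entry.
# Assumed from the documented format: rule,subrule,anchor,tracker,iface,reason,
# action,dir,ipver, then 9 IPv4 header fields, then src,dst,sport,dport,...
RULE, IFACE, ACTION, DIR, IPVER = 0, 4, 6, 7, 8
PROTO, SRC, DST, SPORT, DPORT = 16, 18, 19, 20, 21


def parse_entry(line):
    """Parse one filterlog line; return None for IPv6 or non-TCP/UDP entries."""
    f = line.strip().split(",")
    if len(f) < 22 or f[IPVER] != "4" or f[PROTO] not in ("tcp", "udp"):
        return None
    return {"rule": f[RULE], "iface": f[IFACE], "action": f[ACTION],
            "dir": f[DIR], "proto": f[PROTO],
            "src": ipaddress.ip_address(f[SRC]), "dst": ipaddress.ip_address(f[DST]),
            "sport": int(f[SPORT]), "dport": int(f[DPORT])}


def triage_forward(lines, wan_iface, port, target, proto="tcp"):
    """Classify what the WAN log says about a forward of proto/port to target.

    Returns (verdict, detail). Verdicts, in order of precedence:
      forwarded      - passed and destination already rewritten to target
      not_translated - passed, but destination is still the WAN address
      blocked        - reached WAN but a block rule dropped it
      not_seen       - nothing logged for this port on WAN at all
    """
    target = ipaddress.ip_address(target)
    hits = [e for e in map(parse_entry, lines)
            if e and e["iface"] == wan_iface and e["dir"] == "in"
            and e["proto"] == proto and e["dport"] == port]
    if not hits:
        return ("not_seen",
                f"no inbound {proto}/{port} logged on {wan_iface}: traffic is not "
                f"reaching pfSense (DNS, upstream device, wrong WAN IP) or the pass "
                f"rule has logging disabled")
    forwarded = [e for e in hits if e["action"] == "pass" and e["dst"] == target]
    if forwarded:
        rules = ",".join(sorted({e["rule"] for e in forwarded}))
        return ("forwarded",
                f"{len(forwarded)} packet(s) passed by rule(s) {rules} to {target}: "
                f"pfSense is forwarding; if the site still fails, confirm {target} "
                f"uses pfSense as its default gateway so replies follow the state")
    untranslated = [e for e in hits if e["action"] == "pass"]
    if untranslated:
        dsts = ",".join(sorted({str(e["dst"]) for e in untranslated}))
        return ("not_translated",
                f"passed, but destination is {dsts}, not {target}: the port forward "
                f"(rdr) is not matching, so the packet is delivered to pfSense itself")
    rules = ",".join(sorted({e["rule"] for e in hits}))
    return ("blocked",
            f"{len(hits)} packet(s) blocked by rule(s) {rules} on {wan_iface}: the "
            f"pass rule for the forward is missing or ordered below a block rule")


# Constructed sample lines (not real logs from the thread); em0 assumed to be WAN.
SAMPLE_LOG = [
    # SYN from the internet, passed by rule 100, destination already the server
    "100,,,1000000123,em0,match,pass,in,4,0x0,,52,31337,0,DF,6,tcp,60,"
    "203.0.113.9,172.20.2.45,51514,443,0,S,1,,65535,,mss",
    # unrelated outbound LAN entry that must be ignored
    "5,,,1000000005,em1,match,pass,out,4,0x0,,64,31338,0,DF,6,tcp,60,"
    "172.20.2.10,198.51.100.7,40000,80,0,S,2,,65535,,mss",
    # IPv6 entry that parse_entry skips
    "7,,,1000000007,em0,match,block,in,6,0x00,0x00000,40,TCP,6,60,"
    "2001:db8::1,2001:db8::2,1234,443,0,S,3,,65535,,mss",
]
BLOCKED_LOG = [
    # SYN reached WAN, default deny dropped it; destination is still the WAN IP
    "0,,,1000000000,em0,match,block,in,4,0x0,,52,31339,0,DF,6,tcp,60,"
    "203.0.113.9,198.51.100.20,51515,443,0,S,4,,65535,,mss",
]
UNTRANSLATED_LOG = [
    # passed by a rule to the WAN address itself: no rdr applied, hits the firewall
    "101,,,1000000124,em0,match,pass,in,4,0x0,,52,31340,0,DF,6,tcp,60,"
    "203.0.113.9,198.51.100.20,51516,443,0,S,5,,65535,,mss",
]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("blocked", BLOCKED_LOG),
                      ("untranslated", UNTRANSLATED_LOG)):
        verdict, detail = triage_forward(log, "em0", 443, "172.20.2.45")
        print(f"{name}: {verdict} - {detail}")
```

On a real box the input would be the lines from /var/log/filter.log (or `clog /var/log/filter.log` on older releases) captured while a friend or a phone on mobile data loads the site; a "forwarded" verdict with a still-broken site is exactly the split-path case, where the SYN enters through pfSense but the server's reply leaves through the other router.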
-
The only reason the server isn't using pfSense as the gateway is because it didn't work the first few times and because I needed the server online I was forced to use the D-Link. Otherwise I want to setup the pfSense device as the gateway. This is my goal…just been a failing one.
This may sound strange, but I am using a different LAN IP range from default, aka 172.20.2.x . I'm starting to wonder if this IP range is causing port forward issues on pfSense. Yeah, the rest of you will say that's not the problem, but it would be nice if someone on the forums could test this out for me by setting their LAN IP range to what I have and then see if their port forwarding still works. I can't because I cannot change the IP of the server myself (I have to call the support guys to come by in person to change it, and all this for a test.)
Otherwise, is there something I can quickly setup on my Laptop to serve as a dummy server and then I can test to see if it works on the default or 172 IP range?
-
172.20.2.x is in the IPv4 private address space so it should work. Predictable response!
You can use anything with a web interface or any of many lightweight webservers for testing.
Steve