Netgate Discussion Forum

    [SOLVED] Need HEEELP! My server cannot be seen by the internet!

    Problems Installing or Upgrading pfSense Software · 53 Posts, 7 Posters, 20.4k Views
    stephenw10 (Netgate Administrator):

      This is very weird. You shouldn't need to do anything more than this.
      You shouldn't be able to reach the pfSense webGUI from WAN at all unless you open a firewall hole to it directly.
      Your firewall rule only allows in traffic that has destination 'your server'.
      Are you sure there's no way your phone is using wifi or has cached the page?
      Try asking a friend to access it to be sure.

      Steve

      Edit: I can't see anything at saltcreekimaging.com from here in the UK.  :(

      tomsawyer2k5:

        You gotta use https:// before the URL, otherwise it won't work. It's a server config thing. And the SSL certificate is out-of-date, but I'll update that later.

        I was also able to get it to work with the DIR-655's port forwarding. So this is very weird.

        So right now I'm attempting to get it to work on the pfSense device.

        Update: No good, doesn't work via pfSense.  If only I could figure out how the DIR-655 does port forwarding and apply that to the pfSense device, then perhaps I can make it work.  Anyone?

        stephenw10 (Netgate Administrator):

          OK I see your site using https.
          If it only works via https then you need to forward port 443 not 80.

          Steve

          It's definitely running on the standard port, 443.

          pfTop: Up State 1-27/27, View: default, Order: dest. addr
          PR    D SRC                   DEST                 STATE   AGE   EXP  PKTS BYTES
          tcp   I 192.168.2.10:1545     50.193.66.117:443     9:9     85    21    24  8387
          tcp   O 192.168.2.10:1545     50.193.66.117:443     9:9     85    21    24  8387
          tomsawyer2k5:

            Already tried that, otherwise how would I have gotten it to work on my DIR-655 router. Anyway, I've exhausted my brain too much to the point where I've given up on the pfSense device. Yesterday I was troubleshooting the device from 8am to 12pm! <- NOT A JOKE!  :o  I mean, why is it so hard to port forward something? It took me like 5 seconds to configure + 20 seconds for the rule to take effect in my DIR-655 and the server was available to the internet.

            After giving up, I left the configuration with a sour taste in my mouth. The Comcast connection is hooked up to the DIR-655, which is connected to only TWO devices in the office: the server and a workstation computer that frequently accesses files from it. The T1 line is connected to the pfSense device, which is connected to the switch that distributes the internet throughout the office. So not only is the rest of the office on the slower 1.5 Mbps T1 line, but also I haven't, or at this point cannot, hook up failover to the pfSense device. Very sad about this :(

            Don't get me wrong, I love most of pfSense's features, like the fact that it's stable and runs on a 2.0+ GHz dual core processor that can easily handle multiple requests, NAT translations, firewall attacks, multiple internet connections, failover, etc. with ease. The DNS of the T1 line gets translated instantly through the NAT, whereas the DIR-655 occasionally has slowdowns but still a solid connection.

            What I'm worried about is that in November the T1 internet will be cancelled and this will be a problem for the rest of the office + the fact that I haven't implemented failover.  Not to mention the failover issues I'm having due to DNS not registering to the T1 line when I disconnect the Comcast line (this is talked about in another topic).  Also, the DIR-655 was designed as a home device.  I have no idea how reliable it will be over the next few months, especially since the server is connected to it.  It only has a 200-300MHz processor onboard compared to pfSense device's 2.0+GHz Core 2 Duo!

            I want pfSense's incredible processing power for the entire office! I want failover to work properly! I want the server to get through to the internet! SIGH. I just need two days' rest before I tackle that device again. So if you guys have any suggestions on what I should do, please tell me. I want to love my pfSense device, so PLEASE HELP ME?

            tomsawyer2k5:

              I feel like I am not using pfSense's port forwarding properly. Even though I read the docs and everything, I must be failing at some setting. What I'm going to do is set up a pfSense device at home that I can play with and see what I'm doing wrong. Though I hope I don't run into issues for not using Intel NICs…the ones I have at home are Realtek and Marvell. Also have an Nforce 2 sitting around.

              I was wondering if I posted my issues in the wrong section.  Even though I am just installing this for the first time, maybe I should've asked this issue in the NAT section?

              Should I have used an Alias? I have no idea what it is and how to set it up. I mean I read the docs but when I tried to implement it, it said that I cannot use pfSense's IP as an alias. Why is that?

              Also, Virtual IPs wouldn't have made a difference, right?

              stephenw10 (Netgate Administrator):

                This is turning into a nightmare!  :(
                It shouldn't be anywhere near this difficult.

                There is no need to use an alias, they are only there to make it easier to use a group of addresses in a firewall/forwarding rule.

                Virtual IPs are not necessary in this instance either. You would only use this if you have multiple public IPs on the same interface.

                The way to tackle almost any problem like this is to take it one step at a time. After you make any change verify that the change has actually taken place and that it is actually doing something.

                If I were trying to solve this I would be looking at the logs whilst I tried to connect from the outside.
                I'm not sure if you ever tried chpalmer's suggestion but that should be your next step. If you don't see anything in the firewall logs then either packets are not reaching the firewall at all or packets are being passed by the rule associated with the port forward. By enabling logging on that rule you will be able to clearly see that the port forward and firewall rules are working (or not working).

                Steve

                ptt (Rebel Alliance):

                  Agree with Stephen, one step at a time…

                  According to your other posts, you are trying to get multiple things working at the same time (if I'm not wrong).

                  Having issues with DNS server settings with 2 ISPs (Failover issues): http://forum.pfsense.org/index.php/topic,49077.msg260330.html#msg260330

                  Newbie to Split Tunneling: http://forum.pfsense.org/index.php/topic,49161.msg260327.html#msg260327

                  tomsawyer2k5:

                    Yes I am, ptt.  But the most important issue is this one.  Next is the VPN thing.  Last is failover as long as Comcast has no outage  :)  Hence the "HEEELP!" used here  ;D

                    Ok, after all the brain overloading I've experienced I decided to try again.  This time I enabled logging for the firewall rule, which was automatically created when I port forwarded the port.  Strange thing is that the firewall logs do show the IP of the computer that I used the URL on, which was on an outside internet line.  In fact the logs show green arrows next to it, meaning they are passing, right?  So why is my server still not showing up?  Is it like somehow whatever the server throws out as a reply is not being sent back through the same WAN interface?  Do I need to make another rule or something that redirects the replies towards the WAN?  And if so, how do I apply Failover in this situation?

                    Somewhere in the docs I think I read that pfSense blocks all communication from the outside world, so maybe I need to set two rules per port for bi-directional communication?

                    BTW, when I changed the default port of 80 to 25 for the webGUI I could no longer get in, even though I typed xxx.xx.xx.xxx:25. Perhaps 25 is not a good port number?

                    biggsy:

                      I just browsed to https://saltcreekimaging.com and got to your site.

                      EDIT: Have you put the D-Link back in?

                      podilarius:

                        Port 25 is email and there could be a conflict. I would go with either 8080 or 8443 to make it a little easier. Is your server using pfSense as its gateway? Does it have a live Internet IP? Is the website using a live IP in its html/php/asp code? I would suggest traceroutes and tcpdumps from the server to see what is going on.

                        tomsawyer2k5:

                          Yes, the D-Link is currently the one running the show. It's a great router and all because it can handle a huge load, but it's no professional router. That's why I only bought it for wireless. That's why you're able to reach the site.  :-\

                          Right now it's not going through the pfSense device. Right now it's going through the T1 static IP, which is being used by the rest of the office. The webserver doesn't have a special configuration file like that: it's simply set up with a LAN IP.

                          So my question still remains: Just as I port forwarded WAN to LAN, do I need to do the same for LAN to WAN? I thought that was what NAT reflection did?

                          podilarius:

                            NAT reflection is for internal clients to access internal servers using external IPs.  If the server is not using pfSense as its gateway, then the traffic is going to be split and this will not work. You do not have to setup a port forward from LAN to WAN as that should be handled by states (so long as the pfSense is used as the gateway for the return traffic).

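The return-path problem podilarius describes (the port forward works on the way in, but the reply leaves through a different router and never matches the firewall state) is easier to see in a small model. The following is an added example, not code from the thread or from pfSense; it models pf's rdr rule and state table as a toy and uses constructed RFC 5737 documentation addresses, with the server's 172.20.2.x LAN range the only value taken from the thread. The names `PfSensePortForward`, `HomeRouterNat` and `handshake_completes` are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges; the only value
# taken from the thread is the 172.20.2.x LAN range.
CLIENT = "203.0.113.7"
PFSENSE_WAN = "198.51.100.2"      # hypothetical T1 static IP on the pfSense WAN
DLINK_WAN = "198.51.100.9"        # hypothetical Comcast IP on the DIR-655
SERVER_LAN = "172.20.2.10"        # hypothetical web server address on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK


class PfSensePortForward:
    """Toy model of a pf rdr rule plus its state table.

    Inbound packets to WAN:forward_port are rewritten to the internal server and a
    state entry is recorded. Outbound replies are un-translated only if they match
    an existing state; anything else is treated as a brand-new outbound connection.
    """

    def __init__(self, wan_ip: str, forward_port: int, target_ip: str, target_port: int):
        self.wan_ip = wan_ip
        self.forward_port = forward_port
        self.target_ip = target_ip
        self.target_port = target_port
        # state key: (client ip, client port, internal ip, internal port)
        self.states: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == self.wan_ip and pkt.dport == self.forward_port:
            key = (pkt.src, pkt.sport, self.target_ip, self.target_port)
            self.states[key] = (pkt.dst, pkt.dport)  # remember the pre-NAT destination
            return Packet(pkt.src, pkt.sport, self.target_ip, self.target_port, pkt.flags)
        return None  # no rule matched: default deny on WAN

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states:
            public_ip, public_port = self.states[key]
            return Packet(public_ip, public_port, pkt.dst, pkt.dport, pkt.flags)
        # No state: pf would source-NAT this as a new outbound flow with a fresh port.
        return Packet(self.wan_ip, 40000, pkt.dst, pkt.dport, pkt.flags)


class HomeRouterNat:
    """The DIR-655 as a plain outbound NAT: it holds no state for the client's SYN,
    so it masquerades the reply behind its own public IP with a fresh source port."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(self.wan_ip, 40001, pkt.dst, pkt.dport, pkt.flags)


def handshake_completes(server_gateway: str) -> bool:
    """Return True if the Internet client would accept the server's SYN-ACK.

    server_gateway is "pfsense" or "dlink": the default gateway configured on the
    web server, which decides which router carries the reply.
    """
    pf = PfSensePortForward(PFSENSE_WAN, 443, SERVER_LAN, 443)
    dlink = HomeRouterNat(DLINK_WAN)

    # 1. Client opens a connection to the pfSense WAN address; pf forwards it.
    syn = Packet(CLIENT, 51234, PFSENSE_WAN, 443, "S")
    delivered = pf.inbound(syn)
    if delivered is None or delivered.dst != SERVER_LAN:
        return False

    # 2. The server answers the client, handing the reply to its default gateway.
    synack = Packet(SERVER_LAN, 443, delivered.src, delivered.sport, "SA")
    on_wire = pf.outbound(synack) if server_gateway == "pfsense" else dlink.outbound(synack)

    # 3. The client's TCP stack only accepts a SYN-ACK from the exact tuple it sent to.
    return on_wire.src == PFSENSE_WAN and on_wire.sport == 443 and on_wire.dport == 51234


if __name__ == "__main__":
    for gw in ("pfsense", "dlink"):
        print(f"server default gateway = {gw:7s} -> handshake completes: {handshake_completes(gw)}")
```

With the server's gateway set to pfSense the reply is matched against the state created by the inbound SYN and is un-translated back to the WAN address, so the client completes the handshake; with the gateway set to the D-Link the SYN-ACK arrives from a different address and port and the client discards it, which is exactly the "works on the way in, nothing comes back" symptom in the thread.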
                            tomsawyer2k5:

                              The only reason the server isn't using pfSense as the gateway is because it didn't work the first few times and because I needed the server online I was forced to use the D-Link.  Otherwise I want to setup the pfSense device as the gateway.  This is my goal…just been a failing one.

                              This may sound strange, but I am using a different LAN IP range from default, i.e. 172.20.2.x. I'm starting to wonder if this IP range is causing port forward issues on pfSense. Yeah, the rest of you will say that's not the problem, but it would be nice if someone on the forums could test this out for me by setting their LAN IP range to what I have and then see if their port forwarding still works. I can't because I cannot change the IP of the server myself (I have to call the support guys to come by in person to change it, and all this for a test.)

                              Otherwise, is there something I can quickly set up on my laptop to serve as a dummy server and then I can test to see if it works on the default or 172 IP range?

                              stephenw10 (Netgate Administrator):

                                172.20.2.x is in the IPv4 private address space so it should work. Predictable response!

                                You can use anything with a web interface or any of many lightweight web servers for testing.

                                Steve

                                podilarius:

                                  It is always good to test on something new to you. Since I have been using pfSense for a while now, I can usually predict the way I need to work configs.

                                  tomsawyer2k5:

                                    Well, the reason I ask is what if it's a bug in pfSense where port forwarding doesn't work with that private address space? Because if port forwarding is supposed to be so simple and I was able to get the server to work on my D-Link within 30 seconds of setup, then perhaps this is worth testing? I just want confirmation that the 172 address space will work with port forwarding.

                                    It's not like I don't trust pfSense, it's just that I'm out of ideas on what to do here.

                                    Now I'm going to test different combinations like pfSense, webserver, T1 line.  Then pfSense, temp server, T1 line.  Then pfSense, temp server, Comcast, and so on.  We'll see what happens.

                                    cmb:

                                      Of course there isn't a bug that prevents any IP range from working on a port forward. Use packet capture to trace the traffic, make sure it hits WAN, then check LAN, see where the traffic goes and where it doesn't.

                                      podilarius:

                                        I don't think there is a bug. But if your WAN is behind a double NAT and you have a private IP on the WAN, then you are going to need to disable "block private networks" in the WAN settings. Other than that, it should work with any Internet-routable to private IP NAT. It is usually a routing problem where there are 2 routes to the internet and you are using the wrong one to test with.

                                        tomsawyer2k5:

                                          I am not behind a double NAT.  The modem goes directly to the pfSense device and then is distributed on LAN via a switch.  The DIR-655 setup is only temporary until I get pfSense to work with my web server.

                                          Nope, still can't get it to work. Strange thing: after I changed my webGUI port to 8080, there is no longer any activity on the firewall. So I guess the requests aren't even reaching the firewall and that I haven't port forwarded properly? I've set destination as single host or alias, in which I type in my gateway IP, destination port 443-443, redirect IP is the server IP, and redirect port is 443. This is correct, right?

                                          stephenw10 (Netgate Administrator):

                                            Destination has to be your WAN address in the port forward rule, just use the drop-down. Like you had it here:
                                            http://img815.imageshack.us/img815/7746/pfsense2.jpg

                                            You won't see any activity in the firewall logs if it's working correctly, by default the only thing that gets logged are packets that don't match any rules.
                                            I can't recommend any more highly than I already have that you should enable logging on the WAN firewall rule associated with the port forward. That way you will be able to see in the logs in seconds whether the port forward is working.  Do it!  ;D

                                            Steve

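Steve's point is that the raw firewall log answers the question in seconds once logging is enabled on the WAN rule that the port forward creates: a pass entry means the packet reached WAN and was forwarded, a block entry means it reached WAN and was dropped, and nothing at all means it never arrived. The following is an added example, not code from the thread or from pfSense, that parses constructed syslog lines written in the comma-separated layout pfSense's filterlog uses (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, addresses and ports) and gives that three-way verdict. The log lines are constructed, the addresses are RFC 5737 documentation ranges apart from the 172.20.2.x LAN range from the thread, and the interface name `igb0`, the tracker ids and the function names are assumptions. Note that pf applies the port forward before the filter rule, so the logged destination of a pass is the internal server address rather than the WAN address.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed log lines (not real logs) in pfSense's filterlog CSV layout.
SAMPLE_LOG = """\
Aug 14 09:27:31 pfsense filterlog[58742]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,none,6,tcp,44,203.0.113.99,198.51.100.2,44120,23,0,S,2891234567,,1024,,mss
Aug 14 09:27:33 pfsense filterlog[58742]: 5,,,1000000103,igb0,match,block,in,4,0x0,,61,0,0,none,17,udp,76,198.51.100.77,198.51.100.2,53210,53,56
Aug 14 09:27:35 pfsense filterlog[58742]: 90,,,1000000201,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,172.20.2.10,51235,443,0,S,1440729284,,65535,,mss;sackOK;TS;nop;wscale
Aug 14 09:27:36 pfsense filterlog[58742]: 90,,,1000000201,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,172.20.2.10,51236,443,0,S,1440729301,,65535,,mss;sackOK;TS;nop;wscale
"""

# Constructed counter-example: the client's SYN reaches WAN but hits the default deny.
SAMPLE_LOG_BLOCKED = """\
Aug 14 10:02:10 pfsense filterlog[58742]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51240,443,0,S,1440800001,,65535,,mss;sackOK;TS;nop;wscale
"""

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(.*)$")


def parse_filterlog_line(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into a dict; returns None for non-filterlog lines."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:
        return None
    rec: Dict[str, object] = {
        "rule": f[0], "tracker": f[3], "iface": f[4],
        "action": f[6], "direction": f[7], "ipver": f[8],
    }
    # IPv4 layout: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length,
    # then src, dst, then (for tcp/udp) source port, destination port.
    if rec["ipver"] == "4" and len(f) >= 20:
        rec.update(proto=f[16], src=f[18], dst=f[19])
        if f[16] in ("tcp", "udp") and len(f) >= 22:
            rec.update(sport=int(f[20]), dport=int(f[21]))
    return rec


def parse_filterlog(text: str) -> List[Dict[str, object]]:
    parsed = (parse_filterlog_line(ln) for ln in text.splitlines())
    return [r for r in parsed if r]


def summarize(text: str) -> Counter:
    """Count entries by (interface, direction, action, destination port)."""
    return Counter(
        (r["iface"], r["direction"], r["action"], r.get("dport"))
        for r in parse_filterlog(text)
    )


def port_forward_verdict(text: str, wan_iface: str, port: int,
                         internal_ip: str) -> Tuple[str, int, int]:
    """Classify what the WAN log shows for one port forward.

    A pass on the associated WAN rule is logged with the internal address as the
    destination because the NAT runs before the filter. Returns (verdict, passes, blocks).
    """
    recs = [r for r in parse_filterlog(text)
            if r["iface"] == wan_iface and r["direction"] == "in" and r.get("dport") == port]
    passes = sum(1 for r in recs if r["action"] == "pass" and r.get("dst") == internal_ip)
    blocks = sum(1 for r in recs if r["action"] == "block")
    if passes:
        return "forwarded", passes, blocks
    if blocks:
        return "reached WAN but blocked: check the port forward and its rule", passes, blocks
    return "no traffic seen on WAN: check upstream (modem, other router, DNS)", passes, blocks


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(port_forward_verdict(SAMPLE_LOG, "igb0", 443, "172.20.2.10"))
    print(port_forward_verdict(SAMPLE_LOG_BLOCKED, "igb0", 443, "172.20.2.10"))
```

Run it against a copy of the real log (the pfSense GUI shows the same entries with the green pass and red block icons the thread mentions) and the verdict tells you which half of the path to look at next: passes with no working site point at the return path, blocks point at the rule, and silence points upstream of the firewall.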
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.