[SOLVED] Need HEEELP! My server cannot be seen by the internet!
-
Already tried that, otherwise how would I have gotten it to work on my DIR-655 router. Anyway, I've exhausted my brain too much to the point where I've given up on the pfSense device. Yesterday I was troubleshooting the device from 8am to 12pm! <- NOT A JOKE! :o I mean, why is it soo hard to port forward something? It took me like 5 seconds to configure + 20 seconds for the rule to take effect in my DIR-655 and the server was available to the internet.
After giving up, I left the configuration with a sour taste in my mouth. The Comcast connection is hooked up to the DIR-655, which is connected to only TWO devices in the office: the server and a workstation computer that frequently accesses files from it. The T1 line is connected to the pfSense device, which is connected to the switch that distributes the internet throughout the office. So not only is the rest of the office on the slower 1.5 Mbps T1 line, but also I haven't, or at this point cannot, hook up failover to the pfSense device. Very sad about this :(
Don't get me wrong, I love most of pfSense's features, like the fact that it's stable, runs on a 2.0+ GHz dual core processor that can easily process multiple requests, NAT translations, firewall attacks, multiple internet connections, failover, etc. with ease. The DNS of the T1 line gets translated instantly through the NAT, whereas the DIR-655 occasionally has slowdowns but still a solid connection.
What I'm worried about is that in November the T1 internet will be cancelled and this will be a problem for the rest of the office, plus the fact that I haven't implemented failover. Not to mention the failover issues I'm having due to DNS not registering to the T1 line when I disconnect the Comcast line (this is talked about in another topic). Also, the DIR-655 was designed as a home device. I have no idea how reliable it will be over the next few months, especially since the server is connected to it. It only has a 200-300 MHz processor onboard compared to the pfSense device's 2.0+ GHz Core 2 Duo!
I want pfSense's incredible processing power for the entire office! I want failover to work properly! I want the server to get through to the internet! SIGH I just need two days rest before I tackle that device again. So if you guys have any suggestions on what I should do, please tell me. I want to love my pfSense device, so PLEASE HELP ME?
-
I feel like I am not using pfSense's port forwarding properly. Even though I read the docs and everything, I must be failing at some setting. What I'm going to do is set up a pfSense device at home that I can play with and see what I'm doing wrong. Though I hope I don't run into issues for not using Intel NICs…the ones I have at home are Realtek and Marvell. Also have an Nforce 2 sitting around.
I was wondering if I posted my issues in the wrong section. Even though I am just installing this for the first time, maybe I should've asked this issue in the NAT section?
Should I have used an Alias? I have no idea what it is and how to set it up. I mean I read the docs but when I tried to implement it, it said that I cannot use the pfSense's IP as an alias. Why is that?
Also, Virtual IPs wouldn't have made a difference, right?
-
This is turning into a nightmare! :(
It shouldn't be anywhere near this difficult. There is no need to use an alias; they are only there to make it easier to use a group of addresses in a firewall/forwarding rule.
Virtual IPs are not necessary in this instance either. You would only use this if you have multiple public IPs on the same interface.
The way to tackle almost any problem like this is to take it one step at a time. After you make any change verify that the change has actually taken place and that it is actually doing something.
If I were trying to solve this I would be looking at the logs whilst I tried to connect from the outside.
I'm not sure if you ever tried chpalmer's suggestion but that should be your next step. If you don't see anything in the firewall logs then either packets are not reaching the firewall at all or packets are being passed by the rule associated with the port forward. By enabling logging on that rule you will be able to clearly see that the port forward and firewall rules are working (or not working).
Steve
-
Agree with Stephen, one step at a time…
According to your other posts, you are trying to get multiple things working at the same time (if I'm not wrong).
Having issues with DNS server settings with 2 ISPs (Failover issues): http://forum.pfsense.org/index.php/topic,49077.msg260330.html#msg260330
Newbie to Split Tunneling: http://forum.pfsense.org/index.php/topic,49161.msg260327.html#msg260327
-
Yes I am, ptt. But the most important issue is this one. Next is the VPN thing. Last is failover as long as Comcast has no outage :) Hence the "HEEELP!" used here ;D
Ok, after all the brain overloading I've experienced I decided to try again. This time I enabled logging for the firewall rule, which was automatically created when I port forwarded the port. Strange thing is that the firewall logs do show the IP of the computer that I used the URL on, which was on an outside internet line. In fact the logs show green arrows next to it, meaning they are passing, right? So why is my server still not showing up? Is it like somehow whatever the server throws out as a reply is not being sent back through the same WAN interface? Do I need to make another rule or something that redirects the replies towards the WAN? And if so, how do I apply Failover in this situation?
Somewhere in the docs I think I read that pfSense blocks all communication from the outside world, so maybe I need to set two rules per port for bi-directional communication?
BTW, when I changed the default port of 80 to 25 for the webgui I could no longer get in, even though I typed xxx.xx.xx.xxx:25 . Perhaps 25 is not a good port number?
-
I just browsed to https://saltcreekimaging.com and got to your site.
EDIT: Have you put the D-Link back in?
-
Port 25 is email and there could be a conflict. I would go with either 8080 or 8443 to make it a little easier. Is your server using pfSense as its gateway? Does it have a live internet IP? Is the website using a live IP in its html/php/asp code? I would suggest traceroutes and tcpdumps from the server to see what is going on.
-
Yes, the D-Link is currently the one running the show. It's a great router and all because it can handle a huge load, but it's no professional router. That's why I only bought it for wireless. That's why you're able to reach the site. :-\
Right now it's not going through the pfSense device. Right now it's going through the T1 static IP, which is being used by the rest of the office. The webserver doesn't have a special configuration file like that: it's simply setup with a LAN IP.
So my question still remains: Just as I port forwarded WAN to LAN, do I need to do the same for LAN to WAN? I thought that was what NAT reflection did?
-
NAT reflection is for internal clients to access internal servers using external IPs. If the server is not using pfSense as its gateway, then the traffic is going to be split and this will not work. You do not have to setup a port forward from LAN to WAN as that should be handled by states (so long as the pfSense is used as the gateway for the return traffic).
-
The only reason the server isn't using pfSense as the gateway is because it didn't work the first few times and because I needed the server online I was forced to use the D-Link. Otherwise I want to set up the pfSense device as the gateway. This is my goal…just been a failing one.
This may sound strange, but I am using a different LAN IP range from the default, aka 172.20.2.x. I'm starting to wonder if this IP range is causing port forward issues on pfSense. Yeah, the rest of you will say that's not the problem, but it would be nice if someone on the forums could test this out for me by setting their LAN IP range to what I have and then see if their port forwarding still works. I can't because I cannot change the IP of the server myself (I have to call the support guys to come by in person to change it, and all this for a test.)
Otherwise, is there something I can quickly setup on my Laptop to serve as a dummy server and then I can test to see if it works on the default or 172 IP range?
-
172.20.2.x is in the IPv4 private address space so it should work. Predictable response!
You can use anything with a web interface or any of many lightweight webservers for testing.
Steve
-
It is always good to test on something new to you. Since I have been using pfSense for a while now, I can usually predict the way I need to work configs.
-
Well the reason I ask is what if it's a bug in pfSense where port forwarding doesn't work with that private address space? Because if port forwarding is supposed to be so simple and I was able to get the server to work on my D-Link within 30 seconds of setup, then perhaps this is worth testing? I just want confirmation that the 172 address space will work with port forwarding.
It's not like I don't trust pfSense, it's just that I'm out of ideas on what to do here.
Now I'm going to test different combinations like pfSense, webserver, T1 line. Then pfSense, temp server, T1 line. Then pfSense, temp server, Comcast, and so on. We'll see what happens.
-
Of course there isn't a bug that prevents any IP range from working on a port forward. Use packet capture to trace the traffic, make sure it hits WAN, then check LAN, see where the traffic goes and where it doesn't.
-
I don't think there is a bug. But if your WAN is behind a double NAT and you have a private IP on the WAN, then you are going to need to disable the block private IPs option in the WAN settings. Other than that, it should work with any Internet-routable to private IP NAT. It is usually a routing problem where there are 2 routes to the internet and you are using the wrong one to test with.
-
I am not behind a double NAT. The modem goes directly to the pfSense device and then is distributed on LAN via a switch. The DIR-655 setup is only temporary until I get pfSense to work with my web server.
Nope, still can't get it to work. Strange thing: after I changed my webgui port to 8080, there is no longer any activity on the firewall. So I guess the requests aren't even reaching the firewall and I haven't port forwarded properly? I've set destination as single host or alias in which I type in my gateway IP, destination port 443-443, redirect IP is the server IP, and redirect port is 443. This is correct, right?
-
Destination has to be your WAN address in the port forward rule, just use the drop down. Like you had it here:
http://img815.imageshack.us/img815/7746/pfsense2.jpg
You won't see any activity in the firewall logs if it's working correctly; by default the only thing that gets logged are packets that don't match any rules.
I can't recommend any more highly than I already have that you should enable logging on the WAN firewall rule associated with the port forward. That way you will be able to see in the logs in seconds whether the port forward is working. Do it! ;D
Steve
-
I would check tcpdump also … turning on logging is good, tcpdump is more "real" time ... If the request is not even getting to the FW, then the problem exists outside of pfSense.
If on the WAN tcpdump, you don't see the traffic, contact the ISP or check your WAN settings again to make sure all is well there.
If the packets never get to pfSense, there is nothing you can do with pfSense NAT and firewall. Check tcpdumps at each NIC where the traffic should be going to see how it is transforming. This can also reveal where the break down is.
-
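As an added example (not from any poster in this thread), a small shell script that applies the advice above and Steve's earlier point about logging: capture on WAN and LAN for a few seconds while someone connects from outside, count the SYNs and SYN/ACKs seen on each side, and report where the forward breaks down. The interface names, the public IP and the server's LAN address are placeholders, and it assumes root and tcpdump on the pfSense (FreeBSD) box or any Linux host in the same position.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): capture on WAN and LAN while a
# connection is attempted from outside, then say where the forward breaks.
# Assumes FreeBSD/pfSense tcpdump; interface names, the public IP and the
# server's LAN address below are placeholders to edit.
WAN_IF=em0; LAN_IF=em1
PUBLIC_IP=203.0.113.10   # placeholder WAN address
SERVER_IP=172.20.2.50    # placeholder web server on the LAN
PORT=443
CAPTURE_SECS=15
# Count SYNs addressed to host:port in tcpdump text output read from stdin.
count_syn() { grep -c "> $1\.$2: Flags \[S\]" || true; }
# Count SYN/ACKs sent from host:port in tcpdump text output read from stdin.
count_synack() { grep -c " $1\.$2 > .*Flags \[S\.\]" || true; }

# Map the three counts to a diagnosis, following the thread's advice:
# nothing on WAN -> upstream; WAN but not LAN -> NAT/firewall rule;
# LAN SYN but no reply -> server or its default gateway.
diagnose() {
  if [ "$1" -eq 0 ]; then echo "no-traffic-on-wan: check modem/ISP and WAN settings"
  elif [ "$2" -eq 0 ]; then echo "dropped-at-pfsense: check port forward and WAN rule"
  elif [ "$3" -eq 0 ]; then echo "server-not-answering: check server and its default gateway"
  else echo "forward-ok: reply seen on LAN, check states/return path on WAN"
  fi
}

# Capture interface $1 with filter $2 into file $3 for CAPTURE_SECS seconds.
capture() {
  tcpdump -nni "$1" "$2" > "$3" 2>/dev/null &
  pid=$!
  sleep "$CAPTURE_SECS"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

main() {
  wan_log=$(mktemp); lan_log=$(mktemp)
  capture "$WAN_IF" "tcp and dst host $PUBLIC_IP and dst port $PORT" "$wan_log" &
  capture "$LAN_IF" "tcp and host $SERVER_IP and port $PORT" "$lan_log"
  wait
  w=$(count_syn "$PUBLIC_IP" "$PORT" < "$wan_log")
  l=$(count_syn "$SERVER_IP" "$PORT" < "$lan_log")
  r=$(count_synack "$SERVER_IP" "$PORT" < "$lan_log")
  echo "wan_syn=$w lan_syn=$l lan_synack=$r"
  diagnose "$w" "$l" "$r"
  rm -f "$wan_log" "$lan_log"
}
# Run the capture only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then main; fi
```

Start it with `sh forward-check.sh run`, then open the site from an outside connection during the capture window; a SYN on WAN but none on LAN points at the NAT/rule, a SYN on LAN with no SYN/ACK points at the server or its gateway.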
Ok, so I ran into the weirdest problem today: the pfSense device would say links are up when I actually had the cables disconnected! This happens on some restarts while on other restarts it works fine. In fact, when I install pfSense it shows all 3 NICs as up, but later reports at the bottom of the screen which are actually up. You know, at the screen where it initially asks if you want to set up VLANs and then define your ports. So this could be a hardware issue. Then, to compound the weirdness, no matter what config I did and restarted the router, the other computers would say "connected" as if nothing got disconnected, until you actually tried going online.
So I brought the device home and have the entire office running through the DIR-655 :( . I don't like this because it's not professional and I just hope that router holds until I get this device running properly. I'm gonna run some tests at home to see if I can figure this thing out.
There's also another possibility: the switch. I have a Cisco 300 fully managed switch installed. Even though it's working now, it may have been acting slow or not communicating properly with the pfSense device. So quite a few things to consider.
This would so suck if it turned out to be a hardware rather than software fault. But as long as I can get things working, I'll be a happy camper :)
-
UPDATE: So I took the pfSense device home as I stated earlier and tested it at home. And guess what? It WORKS! ??? OMG, how easy it worked, it blew my mind :o
My setup at home was like this: Uverse router -> pfSense device -> 8 port Unmanaged switch -> Temp Server Comp
That's it. The Uverse router has the pfSense device configured as DMZplus. pfSense device has the same LAN IP range as the office, aka 172.xx.x.xxx . The temp server is my laptop running XAMPP with Wordpress.
ALL I DID was port forward 80 and BAM…instant website access!! After all the crap I was put through at the office and many, MANY hours spent, it works instantly at home?!? sigh
The differences with configuration are the following:
- Uverse router forwards public IP, but configures as DHCP, unlike the Comcast business modem which is a Static configuration.
- Obviously the server is different as this is a Windows Wordpress website and the other is a Unix Server.
- Last but not least, the switch differs.
At this point I'm thinking that the Cisco 300 switch is the reason that the server didn't work the first time. Recently I found out that it has its own built-in DHCP configurator. Typically it's supposed to take the input of the device that sends out the DHCP signal and then configures the rest of the network. But if it doesn't receive the signal it can configure the network on its own. I mean I checked the IP of some of the DHCP PCs and they were in the right range. I just feel that if the pfSense device is working fine at home, then the only major thing that differs is the switch.
The one thing I haven't tried is directly connecting the server to the pfSense device, bypassing the switch. I'm gonna try that when I get a chance. Otherwise I still haven't tested the current configuration with port 443. I'll do that next. It could be something as simple as turning off DHCP on the Cisco 300 switch. And that's where things stand.
Update 2: Houston, we're having problems again >:( . So once my home configuration was working, I left it alone and went to do some yard work. I thought I finally ruled out the pfSense device, but when I came back in after 30 minutes, dun dun dun, the website stopped working. At first it gave me a 504 gateway error. Then I noticed somehow the LAN IP changed on the laptop that did NOT go to sleep. It went from 172.xx.x.3 to 172.xx.x.12. I'm like "Ok, I dunno why this happened but this should be a non-issue as the actual server has a static IP". So I changed the firewall rule to change the IP address and I get a 502 gateway error. At this point no matter what I tried I cannot get the website to show up on the internet, but it is available on my local network. This is exactly the problem I had back in the office, I just reached it differently AND the website worked for a while. What the hell happened??? More frustration >:( :'(
Update 3: Ok, this is gonna sound totally weird. So no matter what I did to the configuration, nothing changed the problem. Then I accidentally typed in the public IP address without the /wordpress (that's where the site is located) and it gave me an "access forbidden" error. This is what it's supposed to do. Then, when I added /wordpress again, it worked?!?!?!? It's like I had to "wake up" something (not the computer cause it's always on) by typing in the IP address alone and then the /wordpress to actually reach the site. What could cause that? Something in the pfSense device?