[SOLVED] Need HEEELP! My server cannot be seen by the internet!
-
The only reason the server isn't using pfSense as the gateway is because it didn't work the first few times and because I needed the server online I was forced to use the D-Link. Otherwise I want to set up the pfSense device as the gateway. This is my goal…just been a failing one.
This may sound strange, but I am using a different LAN IP range from default, aka 172.20.2.x . I'm starting to wonder if this IP range is causing port forward issues on pfSense. Yeah, the rest of you will say that's not the problem, but it would be nice if someone on the forums could test this out for me by setting their LAN IP range to what I have and then see if their port forwarding still works. I can't because I cannot change the IP of the server myself (I have to call the support guys to come by in person to change it, and all this for a test.)
Otherwise, is there something I can quickly set up on my laptop to serve as a dummy server and then I can test to see if it works on the default or 172 IP range?
-
172.20.2.x is in the IPv4 private address space so it should work. Predictable response!
You can use anything with a web interface or any of many lightweight webservers for testing.
Steve
-
It is always good to test on something new to you. Since I have been using pfSense for a while now, I can usually predict the way I need to work configs.
-
Well the reason I ask is what if it's a bug in pfSense where port forwarding doesn't work with that private address space? Because if port forwarding is supposed to be so simple and I was able to get the server working on my D-Link within 30 seconds of setup, then perhaps this is worth testing? I just want confirmation that the 172 address space will work with port forwarding.
It's not like I don't trust pfSense, it's just that I'm out of ideas on what to do here.
Now I'm going to test different combinations like pfSense, webserver, T1 line. Then pfSense, temp server, T1 line. Then pfSense, temp server, Comcast, and so on. We'll see what happens.
-
Of course there isn't a bug that prevents any IP range from working on a port forward. Use packet capture to trace the traffic, make sure it hits WAN, then check LAN, see where the traffic goes and where it doesn't.
-
I don't think there is a bug. But if your WAN is behind a double NAT and you have a private IP on the WAN, then you are going to need to disable the block private IPs in the WAN settings. Other than that, it should work with any Internet-routable to private IP NAT. It is usually a routing problem where there are 2 routes to the internet and you are using the wrong one to test with.
-
I am not behind a double NAT. The modem goes directly to the pfSense device and then is distributed on LAN via a switch. The DIR-655 setup is only temporary until I get pfSense to work with my web server.
Nope, still can't get it to work. Strange thing: after I changed my webgui port to 8080, there is no longer any activity on the firewall. So I guess the requests aren't even reaching the firewall and that I haven't port forwarded properly? I've set destination as single host or alias in which I type in my gateway IP, destination port 443-443, redirect IP is the server IP, and redirect port is 443. This is correct, right?
-
Destination has to be your WAN address in the port forward rule, just use the drop down. Like you had it here:
http://img815.imageshack.us/img815/7746/pfsense2.jpg
You won't see any activity in the firewall logs if it's working correctly, by default the only thing that gets logged are packets that don't match any rules.
I can't recommend any more highly than I already have that you should enable logging on the WAN firewall rule associated with the port forward. That way you will be able to see in the logs in seconds whether the port forward is working. Do it! ;D
Steve
-
I would check tcpdump also … turning on logging is good, tcpdump is more "real" time ... If the request is not even getting to the FW, then the problem exists outside of pfSense.
If on the WAN tcpdump, you don't see the traffic, contact the ISP or check your WAN settings again to make sure all is well there.
If the packets never get to pfSense, there is nothing you can do with pfSense NAT and firewall. Check tcpdumps at each NIC where the traffic should be going to see how it is transforming. This can also reveal where the break down is.
-
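The two replies above describe one procedure: capture on the WAN NIC, then on the LAN NIC, and see at which hop the forwarded connection disappears. The script below is an added example (not code from the thread or from pfSense) that automates the reading of those captures. It parses the default text output of `tcpdump` for a TCP handshake and reports the first hop where the packets stop. The addresses (public WAN 198.51.100.5, server 172.20.2.45, client 203.0.113.10) and the capture lines are constructed for the example; the capture would normally come from something like `tcpdump -ni em0 port 443` run on each interface.

```python
import re
from dataclasses import dataclass

# Matches the default tcpdump text for TCP, e.g.
# "12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [S], seq 1, ..."
TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK


def parse_capture(text):
    """Turn tcpdump text output into Packet records; non-TCP lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = TCP_LINE.search(line)
        if m:
            pkts.append(Packet(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return pkts


def diagnose(wan_text, lan_text, wan_ip, server_ip, port):
    """Follow one forwarded TCP handshake across the WAN and LAN captures and
    name the first hop at which it disappears."""
    wan, lan = parse_capture(wan_text), parse_capture(lan_text)

    # 1. Did the client's SYN reach the WAN interface at all?
    if not [p for p in wan if p.dst == wan_ip and p.dport == port and p.flags == "S"]:
        return "no_wan_traffic"      # nothing to forward: ISP, modem or WAN config

    # 2. Did pfSense translate it and send it out of LAN to the server?
    if not [p for p in lan if p.dst == server_ip and p.dport == port and p.flags == "S"]:
        return "not_forwarded"       # NAT rule or the WAN firewall rule is wrong

    # 3. Did the server's SYN-ACK come back *through pfSense's LAN NIC*?
    #    If the server's default gateway is another router (the D-Link in the
    #    thread), the reply goes there instead and pfSense never sees it.
    if not [p for p in lan if p.src == server_ip and p.sport == port and p.flags == "S."]:
        return "server_silent"       # not listening, host firewall, or wrong gateway

    # 4. Did pfSense pass the reply back out of WAN (needs a matching state)?
    if not [p for p in wan if p.src == wan_ip and p.sport == port and p.flags == "S."]:
        return "reply_not_returned"  # stale/missing state, e.g. after an IP change

    return "working"


# Constructed sample captures (not real traffic) for a healthy port forward.
WAN_IP, SERVER_IP, CLIENT = "198.51.100.5", "172.20.2.45", "203.0.113.10"
WAN_OK = (
    f"12:00:01.000001 IP {CLIENT}.51234 > {WAN_IP}.443: Flags [S], seq 1, win 64240, length 0\n"
    f"12:00:01.000300 IP {WAN_IP}.443 > {CLIENT}.51234: Flags [S.], seq 9, ack 2, win 65535, length 0\n"
)
LAN_OK = (
    f"12:00:01.000100 IP {CLIENT}.51234 > {SERVER_IP}.443: Flags [S], seq 1, win 64240, length 0\n"
    f"12:00:01.000200 IP {SERVER_IP}.443 > {CLIENT}.51234: Flags [S.], seq 9, ack 2, win 65535, length 0\n"
)

if __name__ == "__main__":
    print("full captures:", diagnose(WAN_OK, LAN_OK, WAN_IP, SERVER_IP, 443))
    print("empty WAN:    ", diagnose("", LAN_OK, WAN_IP, SERVER_IP, 443))
    print("empty LAN:    ", diagnose(WAN_OK, "", WAN_IP, SERVER_IP, 443))
```

Note that pfSense does not rewrite the client's source address on a plain port forward, so the LAN-side SYN still carries the public client IP; that is what makes the server's reply depend on its default gateway, and why a server pointed at a different router shows up as `server_silent` on pfSense even though the server itself is answering.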
Ok, so I ran into the weirdest problem today, the pfSense device would say links are up when I actually had the cables disconnected! This happens on some restarts while on other restarts it works fine. In fact, when I install pfSense it shows all 3 NICs as up, but later reports at the bottom of the screen which are actually up. You know, at the screen where it initially asks if you want to setup VLANS and then define your ports. So this could be a hardware issue. Then to compound the weirdness, no matter what config I did and restarted the router, the other computers would say "connected" as if nothing got disconnected, until you actually tried going online.
So I brought the device home and have the entire office running through the DIR-655 :( . I don't like this because it's not professional and I just hope that router holds until I get this device running properly. I'm gonna run some tests at home to see if I can figure this thing out.
There's also another possibility: the switch. I have a Cisco 300 fully managed switch installed. Even though it's working now, it may have been acting slow or not communicating properly with the pfSense device. So quite a few things to consider.
This would so suck if it turned out to be a hardware rather than software fault. But as long as I can get things working, I'll be a happy camper :)
-
UPDATE: So I took the pfSense device home as I stated earlier and tested it at home. And guess what? It WORKS! ??? OMG, how easy it worked, it blew my mind :o
My setup at home was like this: Uverse router -> pfSense device -> 8 port Unmanaged switch -> Temp Server Comp
That's it. The Uverse router has the pfSense device configured as DMZplus. pfSense device has the same LAN IP range as the office, aka 172.xx.x.xxx . The temp server is my laptop running XAMPP with Wordpress.
ALL I DID was port forward 80 and BAM…instant website access!! After all the crap I was put through at the office and many, MANY hours spent, it works instantly at home?!? sigh
The differences with configuration are the following:
- Uverse router forwards public IP, but configures as DHCP unlike the Comcast business modem which is Static configuration.
- Obviously the server is different as this is a Windows Wordpress website and the other is a Unix Server.
- Last but not least, the switch differs.
At this point I'm thinking that the Cisco 300 switch is the reason that the server didn't work the first time. Recently I found out that it has its own built-in DHCP configurator. Typically it's supposed to take the input of the device that sends out the DHCP signal and then configures the rest of the network. But if it doesn't receive the signal it can configure the network on its own. I mean I checked the IP of some of the DHCP PCs and they were in the right range. I just feel that if the pfSense device is working fine at home, then the only major thing that differs is the switch.
The one thing I haven't tried is directly connecting the server to the pfSense device, bypassing the switch. I'm gonna try that when I get a chance. Otherwise I still haven't tested the current configuration with port 443. I'll do that next. It could be something as simple as turning off DHCP on the Cisco 300 switch. And that's where things stand.
Update 2: Houston we're having problems again >:( . So once my home configuration was working, I left it alone and went to do some yard work. I thought I finally ruled out the pfSense device, but when I came back in after 30 minutes, dun dun dun, the website stopped working. At first it gave me a 504 gateway error. Then I noticed somehow the LAN IP changed on the laptop that did NOT go to sleep. It went from 172.xx.x.3 to 172.xx.x.12 . I'm like "Ok, I dunno why this happened but this should be a non issue as the actual server has a static IP". So I changed the firewall rule to change the IP address and I get a 502 gateway error. At this point no matter what I tried I cannot get the website to show up on the internet, but it is available on my local network. This is exactly the problem I had back in the office, I just reached it differently AND the website worked for a while. What the hell happened??? More frustration >:( :'(
Update 3: Ok, this is gonna sound totally weird. So no matter what I did to the configuration, nothing changed the problem. Then I accidentally typed in the public IP address without the /wordpress (that's where the site is located) and it gave me an "access forbidden" error. This is what it's supposed to do. Then, when I added /wordpress again, it worked?!?!?!? It's like I had to "wake up" something (not the computer cause it's always on) by typing in the IP address alone and then the /wordpress to actually reach the site. What could cause that? Something in the pfSense device?
-
I would not think so, but whenever you change IPs for web servers, you have to readjust rule and NAT. So, I would change your laptop to static so you know it will not change and then go from there. Also, remember that you also have the UVerse modem/router in the way as well and that might have been the cause.
pfSense is in front of a few websites (I know all mine are) and there is not a problem at all.
-
Then, when I added /wordpress again, it worked?!?!?!? It's like I had to "wake up" something (not the computer cause it's always on) by typing in the IP address alone and then the /wordpress to actually reach the site. What could cause that? Something in the pfSense device?
I imagine what you are seeing there is an uncleared state in the state table or a delay while the arp table updates. Once the remaining stuff times out the new address is reachable.
Steve
-
Would not be a problem if it is statically assigned. Just saying.
-
Yeah, what both of you say is right. Because the IP was assigned by DHCP, when the IP changed on the laptop most likely there was an uncleared state. As long as the server has a static IP I should be fine.
I've tested the pfSense device long enough. I'm gonna try to reinstall it over the weekend and directly plug in the server into the NIC. We'll see if that works. If it does then I'll know that the DHCP of the switch is interfering rather than working with the pfSense device.
I do have a question about the IP range for the LAN: Typically I set the pfSense device to 172.20.2.1 and then the range to 172.20.2.2 to 172.20.2.254. But at home I had it set to 172.20.2.1 to 172.20.2.255 . Which is correct or does it not matter?
-
Typically you want to exclude static addresses from DHCP. So starting at .2 is fine. I would start at 100 myself to give you room for statics.
-
You would normally not include 255 in the range because that's the broadcast address for the subnet. In fact it's slightly surprising that you were allowed to use it.
http://en.wikipedia.org/wiki/IPv4#Addresses_ending_in_0_or_255
It shouldn't make any difference though since you weren't actually using that address.
Steve
-
Yeah, that's what I thought, Stephen, but it gave me no error. Whether it's actually using it or not or perhaps pfSense auto-excludes that address is something I don't know.
Unfortunately they configured the server at .45 , and I dunno what other devices are configured in the double, or single digit IP range. That's why I gotta go full range with the configuration :-\
I'm at the office and gonna see what a direct server connection does. Fingers crossed ;)
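The range question above (pool .2-.254 versus .1-.255, statics at .1 and .45) is easy to check mechanically. The following is an added example, not code from the thread or from pfSense: it uses Python's standard `ipaddress` module to flag a DHCP pool that includes the network or broadcast address or overlaps a statically configured host, and to suggest the largest run of addresses that avoids the statics. The subnet 172.20.2.0/24, the gateway at .1 and the server at .45 are taken from the thread; the host names are assumptions for the example.

```python
import ipaddress


def check_dhcp_pool(cidr, start, end, statics):
    """Return a list of problems with a DHCP pool; an empty list means it is sane.

    cidr    -- the LAN subnet, e.g. "172.20.2.0/24"
    start   -- first pool address as a string
    end     -- last pool address as a string
    statics -- {name: ip} of hosts with fixed addresses that must stay out of the pool
    """
    net = ipaddress.ip_network(cidr, strict=True)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        return ["pool start is above pool end"]

    problems = []
    for a in (lo, hi):
        if a not in net:
            problems.append(f"{a} is outside {net}")
    # .0 and .255 in a /24 are not usable host addresses: the first is the
    # network address, the last is the directed broadcast address.
    if lo <= net.network_address <= hi:
        problems.append(f"pool includes the network address {net.network_address}")
    if lo <= net.broadcast_address <= hi:
        problems.append(f"pool includes the broadcast address {net.broadcast_address}")
    for name, ip in statics.items():
        ip = ipaddress.ip_address(ip)
        if lo <= ip <= hi:
            problems.append(f"pool includes static host {name} at {ip}")
    return problems


def largest_free_range(cidr, statics):
    """Return (first, last) of the longest run of usable host addresses that
    contains none of the static hosts, or None if every host is taken."""
    net = ipaddress.ip_network(cidr, strict=True)
    taken = {ipaddress.ip_address(ip) for ip in statics.values()}
    best, run = [], []
    for host in net.hosts():  # hosts() already skips network and broadcast
        if host in taken:
            if len(run) > len(best):
                best = run
            run = []
        else:
            run.append(host)
    if len(run) > len(best):
        best = run
    return (str(best[0]), str(best[-1])) if best else None


# Values from the thread; host names are assumed for the example.
LAN = "172.20.2.0/24"
STATICS = {"pfSense LAN (gateway)": "172.20.2.1", "web server": "172.20.2.45"}

if __name__ == "__main__":
    for start, end in (("172.20.2.2", "172.20.2.254"), ("172.20.2.1", "172.20.2.255")):
        print(f"{start} - {end}:", check_dhcp_pool(LAN, start, end, STATICS) or "ok")
    print("suggested pool:", largest_free_range(LAN, STATICS))
```

With the server at .45 the .2-.254 pool is reported as overlapping it; the suggested pool .46-.254 leaves the low addresses for statics, which is the same advice given above about starting the pool high.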
-
Good luck, I'm sending you positive vibes from across the pond! :)
Steve
-
Update: And IT WORKS!!! OMG!! OMG!! Seriously?!? BWAHAHAHAHAHAHAHAA!!! :o ;D :D 8) :)
So it has to be that sparkly new switch I bought. I mean it works with the rest of the building, just not with the server. Or it could be that DHCP thing I was talking about earlier. Should've bought a cheap, unmanaged switch. Why did I buy the awesome full managed switch?? I thought I could use it for future uses, but it's like I don't even need it when I got pfSense = <3