Comcast - One Dynamic IP - Five Servers
-
You missed the point being made about having an IP address that belongs to a well defined group comprising residential cable, dialup, and DSL IPs.
One such list is the DUL http://www.sorbs.net/delisting/dul.shtml
Many independent mail server operators and ISP mail servers routinely block such IPs on their mail servers.
If you find your mail being rejected, that is a likely reason. It has nothing to do with the content of the mail being spam.
It has everything to do with having an IP address owned by an ISP that by policy prohibits running servers on their residential connections and has thus had those addresses included in such blacklists.
-
Thanks gderf. I will investigate that one.
Remember though, I chose my email server as an example. I can't get my web server to serve up pages either.
Comcast may be my problem eventually but I can't even get a simple request for a web page to work.
Still, I will check with comcast.
-
Spoke with Comcast. There are no restrictions regarding using an email server or any other server or service.
-
My comment wasn't related to your general server connectivity problems. It was solely limited to what can happen to direct MX email leaving an IP address belonging to such a blacklist.
From a connectivity standpoint, in my area, Comcast has blocked all outbound IPv4 traffic to TCP port 25. I do not know if inbound TCP port 25 traffic is blocked or not, but that really doesn't matter much if outbound is blocked. Not a big swinger yet, but IPv6 outbound to TCP port 25 still works. I suspect this is an oversight and will eventually be closed off as well.
For a list of Comcast residential service blocked ports see:
http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/
-
Spoke with Comcast. There are no restrictions regarding using an email server or any other server or service.
If you are on Comcast residential service, then the person you spoke to is completely misinformed. It is their policy to not allow email servers on residential accounts and this has recently become enforced via technical means. You may be able to obtain an exemption, but you have to ask for this.
You can verify if outbound TCP port 25 blocking is in effect for you by telnetting to any MX host on port 25.
Telnetting to one of Comcast's will yield the following or similar banner if blocking is in effect:
554 omta15.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/
Telnetting elsewhere yields a hung connection unless you have IPv6 enabled and the server you are trying to connect to does also.
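The telnet check above, scripted so that it can be run against several MX hosts and over both address families (the post notes IPv6 to port 25 still getting through while IPv4 is blocked). This is an added example, not code from the thread; the three outcome labels, the 5 second timeout and the treatment of a hung connection as "blocked-dropped" are my assumptions. The sample banner in the docstring is the one quoted in the post.

```python
"""Probe outbound TCP/25 and tell apart: open, intercepted, silently dropped.

Added example for the forum thread, not part of any post. A real MX server
greets with a 220 line; an ISP intercept (like Comcast's) answers with a 554
banner; a firewall that drops packets leaves the connection hanging.
"""
import socket
import sys

PROBE_TIMEOUT = 5.0  # seconds; assumption, long enough for a slow MX greeting


def classify_banner(banner):
    """Classify the first SMTP line an MX host sends.

    Example intercept banner quoted in the thread:
      '554 omta15.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://...'
    """
    if not banner:
        return "no-banner"
    code = banner[:3]
    if code == "220":
        return "open"                 # a real SMTP server answered
    if code == "554" and "not allowed" in banner.lower():
        return "blocked-intercepted"  # ISP answered on the server's behalf
    if code == "554":
        return "refused"              # server itself refused us (e.g. blacklisted IP)
    return "unknown"


def check_port25(host, family=socket.AF_INET, timeout=PROBE_TIMEOUT):
    """Connect to host:25 over the given address family and classify the result.

    A connect or recv that times out is reported as 'blocked-dropped', which
    is what the thread describes as a 'hung connection'.
    """
    try:
        infos = socket.getaddrinfo(host, 25, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return f"error: {exc}"
    if not infos:
        return "no-address"
    af, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(af, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        banner = sock.recv(512).decode("ascii", errors="replace").strip()
    except socket.timeout:
        return "blocked-dropped"
    except OSError as exc:
        return f"error: {exc}"
    finally:
        sock.close()
    return classify_banner(banner)


if __name__ == "__main__":
    # Usage: python probe25.py mx.example.net [more hosts...]
    for target in sys.argv[1:] or ["omta15.westchester.pa.mail.comcast.net"]:
        for label, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
            print(f"{target} {label}: {check_port25(target, fam)}")
```

Run it against a couple of unrelated MX hosts as well as the ISP's own: "blocked-intercepted" from the ISP's MX plus "blocked-dropped" from everyone else over IPv4 is the signature of the port 25 filtering described in the post, and a contrasting "open" over IPv6 confirms the oversight the post mentions.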
-
Are you on a Comcast home account or a business connection?
Let's forget the email portion for a bit. So you're saying you can not do a simple NAT? It's like 1 click: you create a NAT to the port and IP you want on your LAN, and it creates the inbound rule for you.
Are you saying this is not working, or are you trying to base your inbound on host headers? I.e. your public IP, let's call it 1.2.3.4, points to www.domainA.tld and www.domainB.tld also points to 1.2.3.4.
You want the user, if going to www.domainA.tld, to be sent to 192.168.1.101 on port 80, and if going to www.domainB.tld to go to 192.168.1.102?
Or are you saying you can not get http inbound at all? So I go to 1.2.3.4 from outside in my browser and you have a NAT for http to go to 192.168.1.103, and this is not working? How are you testing it, from a box on 192.168.1.x going to 1.2.3.4 or from outside, say 6.7.8.9, going to 1.2.3.4??
I would say verify you can get a simple http forward working first before you play with a reverse proxy setup, which is the only way you're going to be able to make inbound go to different private IPs based upon the FQDN used to access your public IP.
What is pfSense connected to on its WAN? A modem or some gateway device? So your IP on the pfSense WAN is public!! not 192.168.x.x or 172.16-31.x.x or 10.x.x.x?
-
Thanks to all. Read your links. Looks like port 25 and 110 will be an issue. I'll deal with that.
I am able to port forward with the NAT to ONE server. But that is not going to work when I use several servers that listen on the same port. That is the crux of my problem.
Looks like a reverse proxy will know how to sort out the traffic and route it based on the header info in the packets.
So, as this is all I need, which would serve my purpose best? Varnish, Squid, Apache, or a different package?
I have one web server that hosts skygizmo.com. I have a second that hosts WhatEver.com. One is at LAN 10.0.0.10. The other is at LAN 10.0.0.11.
What is the best way to get requests to go to the right server when I have only one public ip?
Ignore the email example. I thought it was a simple thing but email is not going to be, maybe. Just focus on dealing with how one public IP can be routed to the right server behind my firewall.
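To show concretely what the reverse proxy suggested two posts up does with the two servers named in this post, here is a small Host-header reverse proxy. It is an added example, not code from the thread and not Varnish, Squid or Apache; in production you would use one of those (or nginx/HAProxy) in front of the backends. The backend IPs and hostnames are the ones from the post; listening on port 80 behind the single NAT forward, the "www." stripping and the refusal of unknown hosts are assumptions. It handles plain HTTP only: with HTTPS the hostname arrives in the TLS SNI field, so the proxy must terminate TLS (or route on SNI) before it can see which site was requested.

```python
"""Route one public IP to several LAN web servers by HTTP Host header.

Added example for the forum thread, not from any post. Put this (or a real
reverse proxy) at the single LAN IP that the pfSense NAT forwards port 80 to.
"""
import http.client
import http.server
import socketserver
import sys

# Host header -> (backend IP, port). Hostnames from the thread; comparison is
# case-insensitive so the key for WhatEver.com is stored lower-case.
BACKENDS = {
    "skygizmo.com": ("10.0.0.10", 80),
    "whatever.com": ("10.0.0.11", 80),
}
LISTEN_PORT = 80  # the port the NAT rule forwards to this box (assumption)


def normalize_host(host_header):
    """Lower-case the Host value, drop any :port suffix and a leading 'www.'."""
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        end = host.find("]")
        host = host[: end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def pick_backend(host_header):
    """Return (ip, port) for a Host header, or None if the host is not ours.

    Unknown hosts deliberately get None rather than a default backend:
    a default would let anyone reach that server by hitting the bare IP.
    """
    return BACKENDS.get(normalize_host(host_header))


class HostRoutingProxy(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _forward(self):
        backend = pick_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Misdirected Request")  # RFC 9110 status for "wrong host"
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # Pass the request through unchanged (backend still sees the original
        # Host), add the client IP, and force a fresh backend connection.
        headers = {k: v for k, v in self.headers.items() if k.lower() != "connection"}
        headers["X-Forwarded-For"] = self.client_address[0]
        headers["Connection"] = "close"
        conn = http.client.HTTPConnection(backend[0], backend[1], timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError as exc:
            self.send_error(502, f"Backend unreachable: {exc}")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _forward


class ThreadedHTTPServer(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else LISTEN_PORT
    ThreadedHTTPServer(("0.0.0.0", port), HostRoutingProxy).serve_forever()
```

Test it from outside the LAN, as the earlier post recommends: `curl -H 'Host: skygizmo.com' http://1.2.3.4/` and `curl -H 'Host: whatever.com' http://1.2.3.4/` should return the two different sites, while a bare `curl http://1.2.3.4/` (Host header is the IP) should get a 421.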
-
I have switched to Comcast business and obtained 5 static ips.
Thanks to all for help. I'll ask here first what Comcast policies are before I ask Comcast!!!!!
Thanks again to all for putting up with my ignorance. pfSense is awesome and so is this forum.
JCU
-
If you have Comcast Business Class Service there is no restriction on running servers and port 25 is not blocked. There are still some closed ports though:
http://businesshelp.comcast.com/help-and-support/internet/ports-blocked-by-business-class-internet/
-
Thanks. I'll check out the link.