Port 80 open but can't connect.
-
I have a web server in a DMZ. I'm trying to allow connections to it through my public IP, but I am not able to connect to it from outside my network (I have reflection enabled for it, so I can connect to it locally just fine). Port 80 is open, but for some reason once it reaches my firewall nothing works at all; as far as I can tell I have the port forward and rules set up correctly.
I also have the firewall on the server set to allow everything.
Here is the result of doing sudo iptables -L on the server:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
How I want it set up right now is: whenever the WAN receives a request on port 80, it should send that request to the internal IP address of the web server on the DMZ. The DMZ should also not be able to access the local networks (LAN and WAP), but they should have access to the DMZ.
I have 4 interfaces, WAN, LAN, WAP, and DMZ.
Here are my configurations for the port forward as well as rules for both the WAN and DMZ.
WAN
It is set to block private and bogon networks.

| Action | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Pass | | IPv4 TCP | * | * | ubuntu_server | 80 (HTTP) | * | none | | NAT WAN to DMZ GitLab |

DMZ

| Action | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Pass | | IPv4 * | DMZ net | * | ! LAN net | * | * | none | | DMZ to internet and block to LAN |
| Block | | IPv4 * | * | * | * | * | * | none | | Block all |

Port Forward
It is set to create a rule automatically. This is the only rule I have for WAN aside from the block private and bogon networks rule.

| If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | TCP | * | * | WAN address | 80 (HTTP) | ubuntu_server | 80 (HTTP) | WAN to DMZ GitLab |

Here is a traceroute from centralops.net:
hop  rtt  rtt  rtt  ip address       fully qualified domain name
1    147  0    31   208.101.16.73    208.101.16.73-static.reverse.softlayer.com
2    0    0    0    66.228.118.153   ae11.dar01.sr01.dal01.networklayer.com
3    0    0    0    173.192.18.210   ae6.bbr01.eq01.dal03.networklayer.com
4    0    3    4    75.149.228.33    be-101-pe01.1950stemmons.tx.ibone.comcast.net
5    3    3    3    68.86.88.197     pos-3-0-0-0-cr01.dallas.tx.ibone.comcast.net
6    15   16   15   68.86.85.45      he-2-3-0-0-cr01.sacramento.ca.ibone.comcast.net
7    29   27   27   68.86.90.238     pos-0-10-0-0-ar01.sfsutro.ca.sfba.comcast.net
8    27   27   27   162.151.39.198
9    27   27   27   ***.***.***.***  te-6-0-acr03.***.***.***.comcast.net
10   *    *    *
11   *    *    *
12   *    *    *
13   *    *    *
Trace aborted
-
Are you behind a NAT? Does your ISP block port 80?
So the pfSense WAN IP is public? Not a private one behind a router? Does the traffic get to you? Do a simple packet capture.. Go to canyouseeme.org and see whether pfSense sees the traffic.. Example:
23:46:34.157124 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
23:46:35.153073 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
23:46:37.157118 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
23:46:41.161097 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
-
My ISP does not block port 80; I had a web server working perfectly fine a while ago with a Linksys router on the same ISP. And canyouseeme.org does say my ISP is not blocking port 80.
pfSense is the only router I use, aside from a Linksys router that provides wireless (it does nothing else), and that is on the WAP interface.
So traffic should just go from the ISP -> modem -> pfSense -> LAN.
Here's the packet capture from canyouseeme.org:
23:36:41.988486 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
23:36:42.059252 IP 107.20.89.142.80 > ***.***.***.***.24483: tcp 0
23:36:42.060781 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
23:36:42.064901 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 576
23:36:42.138619 IP 107.20.89.142.42037 > ***.***.***.***.80: tcp 0
23:36:42.138778 IP ***.***.***.***.80 > 107.20.89.142.42037: tcp 0
23:36:42.139359 IP 107.20.89.142.80 > ***.***.***.***.24483: tcp 0
23:36:42.208579 IP 107.20.89.142.42037 > ***.***.***.***.80: tcp 0
23:36:42.208659 IP 107.20.89.142.42037 > ***.***.***.***.80: tcp 0
23:36:42.208791 IP ***.***.***.***.80 > 107.20.89.142.42037: tcp 0
23:36:42.210440 IP 107.20.89.142.80 > ***.***.***.***.24483: tcp 1460
23:36:42.210554 IP 107.20.89.142.80 > ***.***.***.***.24483: tcp 1193
23:36:42.210563 IP 107.20.89.142.80 > ***.***.***.***.24483: tcp 0
23:36:42.212446 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
23:36:42.215945 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
23:36:42.216814 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
23:36:42.277628 IP 107.20.89.142.42037 > ***.***.***.***.80: tcp 0
-
Well, now sniff on the LAN side. Do you see the traffic?
Port forwarding is really click, done - that is all there is to it.. If it's not working you need to figure out where it is not working.. If you see the packets leave the LAN for your webserver, do you see an answer?
You're using an alias to resolve your server - maybe that did not resolve correctly? I never understand why not just use the freaking IP so you're sure.. Aliases are good for when you have multiple items, a listing, etc. But for sending to your server? So sniff - do you see the traffic? If not, change from the alias to the actual IP of your webserver.
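The check johnpoz describes (does the capture show requests arriving on port 80, and does anything answer them?) as an added Python example; this is not code from either poster. It parses tcpdump-style summary lines in the format pasted in this thread and flags peers whose inbound packets never get a reply; the addresses in the sample are constructed from documentation ranges, not from the thread.

```python
import re
from collections import defaultdict

# One pfSense/tcpdump summary line, e.g.
#   23:36:41.988486 IP 1.2.3.4.24483 > 107.20.89.142.80: tcp 576
# Masked hosts like ***.***.***.*** are accepted as well.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\w.*]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.*]+)\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)

def parse_capture(text):
    """Return (ts, src, sport, dst, dport, payload_len) tuples; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["ts"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), int(m["len"])))
    return pkts

def check_port(pkts, local_ip, port):
    """For every remote endpoint sending to local_ip:port, count packets in and out.
    A peer with inbound packets but no outbound ones means the request reached the
    capture point but nothing answered (wrong NAT target, host firewall, dead service)."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for _ts, src, sport, dst, dport, _n in pkts:
        if dst == local_ip and dport == port:
            inbound[(src, sport)] += 1
        elif src == local_ip and sport == port:
            outbound[(dst, dport)] += 1
    return {peer: {"in": n, "out": outbound.get(peer, 0),
                   "answered": outbound.get(peer, 0) > 0}
            for peer, n in inbound.items()}

def unanswered_peers(pkts, local_ip, port):
    """Peers whose requests to local_ip:port were seen but never answered."""
    return sorted(p for p, r in check_port(pkts, local_ip, port).items() if not r["answered"])

# Constructed sample: one peer retransmitting an unanswered SYN three times,
# one peer completing a handshake and receiving data back.
SAMPLE = """\
23:46:34.157124 IP 198.51.100.7.55221 > 203.0.113.10.80: tcp 0
23:46:35.153073 IP 198.51.100.7.55221 > 203.0.113.10.80: tcp 0
23:46:37.157118 IP 198.51.100.7.55221 > 203.0.113.10.80: tcp 0
23:47:01.100000 IP 198.51.100.9.24483 > 203.0.113.10.80: tcp 0
23:47:01.170000 IP 203.0.113.10.80 > 198.51.100.9.24483: tcp 0
23:47:01.172000 IP 198.51.100.9.24483 > 203.0.113.10.80: tcp 576
23:47:01.250000 IP 203.0.113.10.80 > 198.51.100.9.24483: tcp 1460
"""
```

Run the same function over a capture taken on the DMZ interface to tell a forward that never leaves the firewall from a server that receives the SYN but does not reply.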
-
Well, everything is working now. Not sure what was going on, it was probably just my noobiness haha.
The alias was just to help me remember what that IP is going to.
Thanks for the help, johnpoz.