CentOS can't get out, everything else can
-
CentOS is a fairly major release used for many many many servers sitting behind pfsense.
I'm pretty sure if it were a problem with pfSense discriminating against CentOS there would be a lot of loud crying from lots of people.
-
Can you post screen shots of your firewall rules and the other firewall configurations you made?
If you have only one static public IP address, you don't need 1:1 NAT. Simple port forwarding should do the trick, no need to tweak outbound NAT rules. However, screen shots go a long way.
-
I wasn't thinking it was being singled out; I was providing OS info since there are more things that are possible to configure in Linux than in Windows, so there is more opportunity for configuration error in the CentOS config. But more importantly, the reason I am asking here is that I don't know if setting up the 1:1 NAT, port forwarding and so on to this server has affected its ability to exit the network.
I didn't know if I need to set up specific rules now to allow this server out, now that it is set up to accept incoming traffic, which could be set up by default as a security measure for reasons I am not familiar with at this time.
I have 5 public IP addresses to forward to several internal servers, and to allow the same server to host multiple services with conflicting ports.
-
The x.x.5.242 is outside of your x.x.5.227/29 range. Is this the correct range that you defined in the WAN interface?
In your NAT/firewall rules choose one external IP address and map a single port, like 80, to your CentOS server. Then you can see if port 80 is coming into the server from the firewall. You have a ton of ports open that don't need to be open. More open ports = more open attack vectors. Something to consider.
I usually start simple. Clear everything out or factory reset. Open port 80 from the NAT and use WAN address as the destination and let it create a FW rule automatically for you. See if that works. That should be your baseline. Then create one virtual IP. Create a NAT using the virtual IP address as the destination for port 80 again. See if that works. The rules that are created should serve as a template for each additional port you need to open and each virtual ip you create.
Also, verify that you've got your WAN interface configured properly.
-
Thanks Tim,
I just got the new IPs on Monday and so the XX.242 address was what I had been using in my DNS settings for the domains coming here. I switched all the domains to point to the XX.227 address today and should be able to abandon that setting soon - if not now. The port forwarding is working properly, I can access the server from my cell phone on 4G, I just can't get out. I can reset the router to factory default this evening after all the employees leave if I can't get it working before that.
-
Well, that's half the battle. Back up your settings before you reset so you don't have to reprogram everything if you don't have to.
If you go with a factory reset and configure your LAN/WAN for basic connectivity and every other device except the CentOS box can get out, then you have an issue on your CentOS box, imho. Check with a traceroute and the firewall logs to see where traffic is getting stuck between the CentOS box and pfSense. If you have a smart switch, even better.
Best of luck, hope it's a simple resolution.
-
I made a little progress. I switched the machine from a static IP to DHCP and it worked. I rebooted to clear out any old info, set it back to static and it still can't get out. Is there anything on the pfSense that handles the traffic differently if it is set statically? The DHCP address was 192.168.1.156 so I know there weren't any firewall / forwarding rules being applied.
-
Shouldn't be. There might be some voodoo in the CentOS box that is wonky.
Possibly a subnet/DNS/anything else related issue with the network settings on that box. Any luck with a traceroute or weird stuff in the pfSense FW logs?
-
I cheated to fix this, sorry guys. I just plugged the 2nd ethernet port into the switch and set it to DHCP.
-
I know this isn't a CentOS forum, but have you checked to see if your SELinux settings might be getting in the way? The file is located here: /etc/sysconfig/selinux. If the SELINUXTYPE is set to 'enforcing', try changing this to 'permissive' or 'disabled' if you're feeling confident. SELinux has tripped me up many a time when trying to make system changes.
-
Yeah, often using DHCP and just telling pfSense to allocate a certain IP to a certain MAC is easiest.
It's pretty easy to screw up a static IP with CentOS.
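The "works on DHCP, dead on static" symptom from the posts above usually comes down to a handful of mistakes in the static interface file: a wrong NETMASK/PREFIX, a GATEWAY that is not on-link for the configured subnet, no GATEWAY at all (so no default route), no DNS server, or the interface not set to come up at boot. Below is an added example, not code from the thread, pfSense or CentOS, of a small POSIX shell checker that reads an ifcfg-style file and reports those problems, optionally comparing the static GATEWAY with the router a working DHCP lease used. The two sample files, the 192.168.1.50 address and the 192.168.1.1 gateway are constructed assumptions (only the 192.168.1.156 DHCP lease comes from the thread).

```shell
#!/bin/sh
# Added example: sanity-check a CentOS ifcfg-style static network file against
# what a working DHCP lease handed out. File contents and addresses below are
# constructed for the example; run it against the real
# /etc/sysconfig/network-scripts/ifcfg-<iface> on a box that misbehaves.

# Convert a dotted-quad address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Count the leading one bits of a dotted-quad netmask (255.255.255.0 -> 24).
netmask_to_prefix() {
  n=$(ip_to_int "$1"); p=0
  while [ $(( n & 2147483648 )) -ne 0 ]; do
    p=$((p + 1)); n=$(( (n << 1) & 4294967295 ))
  done
  echo "$p"
}

# True when both addresses share the network given by the prefix length.
same_subnet() {
  a=$(ip_to_int "$1"); b=$(ip_to_int "$2")
  m=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( a & m )) -eq $(( b & m )) ]
}

# Read KEY=value (quotes optional) from an ifcfg file; last occurrence wins.
cfg_get() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Print one line per problem found; print "ok" and return 0 when clean.
# $1 = ifcfg file, $2 = router address from the DHCP lease (optional).
check_static_cfg() {
  cfg=$1; lease_gw=$2; bad=0
  ip=$(cfg_get "$cfg" IPADDR);    gw=$(cfg_get "$cfg" GATEWAY)
  prefix=$(cfg_get "$cfg" PREFIX); mask=$(cfg_get "$cfg" NETMASK)
  dns=$(cfg_get "$cfg" DNS1);     onboot=$(cfg_get "$cfg" ONBOOT)
  [ -z "$prefix" ] && [ -n "$mask" ] && prefix=$(netmask_to_prefix "$mask")
  if [ -z "$ip" ]; then echo "IPADDR missing"; bad=$((bad + 1)); fi
  if [ -z "$prefix" ]; then echo "no PREFIX/NETMASK set"; bad=$((bad + 1)); fi
  if [ -z "$gw" ]; then
    echo "GATEWAY missing: no default route, box cannot leave the LAN"; bad=$((bad + 1))
  elif [ -n "$ip" ] && [ -n "$prefix" ] && ! same_subnet "$ip" "$gw" "$prefix"; then
    echo "GATEWAY $gw is not on-link for $ip/$prefix: default route will not install"; bad=$((bad + 1))
  fi
  if [ -n "$lease_gw" ] && [ -n "$gw" ] && [ "$gw" != "$lease_gw" ]; then
    echo "GATEWAY $gw differs from the router the DHCP lease used ($lease_gw)"; bad=$((bad + 1))
  fi
  if [ -z "$dns" ]; then echo "DNS1 missing: IPs may reach out but names will not resolve"; bad=$((bad + 1)); fi
  if [ "$onboot" != "yes" ]; then echo "ONBOOT is not yes: interface stays down after reboot"; bad=$((bad + 1)); fi
  [ "$bad" -eq 0 ] && echo "ok" && return 0
  return 1
}

# Constructed sample files standing in for ifcfg-eth0; the "bad" one carries
# the classic /32 netmask mistake and forgets DNS.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.50
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.1
EOF
cat >"$BAD_CFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR="192.168.1.50"
NETMASK="255.255.255.255"
GATEWAY="192.168.1.1"
EOF
# Router the DHCP lease used (assumed 192.168.1.1 for the 192.168.1.0/24 LAN
# the thread's 192.168.1.156 lease came from).
LEASE_GW=192.168.1.1

echo "== good static config"; check_static_cfg "$GOOD_CFG" "$LEASE_GW"
echo "== bad static config";  check_static_cfg "$BAD_CFG" "$LEASE_GW" || echo "-> fix these before leaving DHCP"
```

To use it on a live box, note the router and netmask while the interface is still on DHCP (`ip route` shows the `default via` address, and pfSense lists the lease under Status > DHCP Leases), then point `check_static_cfg` at the real ifcfg file with that router as the second argument. A pfSense DHCP static mapping, as the last post suggests, sidesteps all of these checks because the lease carries the mask, gateway and DNS every time.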