Netgate Discussion Forum

    SSL cert or port forwarding problem.

    Category: webGUI
    30 Posts 4 Posters 6.6k Views
    • Derelict LAYER 8 Netgate

      So stop messing around with port forwards and fix your DNS. This works out-of-the-box so it's anyone's guess what you've changed.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • jvamos

        What is the alternative to port forwards to direct a user to my webserver behind the firewall? I want to set up a DMZ at some point I just need to install a third NIC which I have on standby. Should I just be going down that route immediately?

        • Derelict LAYER 8 Netgate

          You need DNS that works before you do anything.


          • jvamos

            I didn't change any DNS resolver settings except for the redirect. DNS is working. You probably didn't scroll down?

            • johnpoz LAYER 8 Global Moderator

              Non-authoritative answer:
              Name:    theurlfortheftp.com
              Address:  *... (my office IP)

              So that returns your PUBLIC IP??

              "What is the alternative to port forwards to direct a user to my webserver behind the firewall?"

              Users outside?  Or users inside?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • jvamos

                Hey John,

                Thanks for your help. I may not have made everything I am doing totally clear and I apologize for that. My public IP is returned when doing the nslookup. I have been reading and cannot decide whether to use a DMZ or not as a samba server would be exposed along side it. I guess I am not familiar with common workplace infrastructure except theoretical models. I want users outside the network to access the webserver from the URL which leads to my public IP at this office. Users on the inside should be able to hit it from the public URL as well as that is necessary for people "generating links" for those outside the network. Right now this is possible using my old router. This whole experience has pushed me to buy a Networking A+ course so I guess that is a positive.

                • Derelict LAYER 8 Netgate

                  Your requests are timing out. That's broken DNS. I don't know how you can expect anything to work.


                  • johnpoz LAYER 8 Global Moderator

                    I am with Derelict here: if you have to query for something multiple times before you get an answer, you have a serious problem.

                    As to "as a samba server would be exposed along side it": you're not going to expose samba to the public internet??? You're just saying the web server needs to talk to this samba box??

                    Here is the thing: allowing external access to your web server (httpd) is nothing more than a simple port forward of 80, and 443 if you want SSL. Whether that httpd box is on your LAN segment or another segment (firewall segment or DMZ) is up to you. To be honest, that has little to do with accessing it from the outside and using split DNS for your users locally to access it using the same FQDN.

                    So if www.myurlforourftphttpfileserver.com resolves on the public internet to your public IP, then just have your local DNS resolve that to your private IP. There you go: local users using your local DNS point to the local IP. If you have put that IP on its own firewalled segment from your LAN, then you would have to allow that traffic between your LAN and "DMZ" segment in pfSense.

                    Then just forward 80, 443, 21 to this server, or if you're using FTPS/FTPES the appropriate ports for that. You do understand that running an FTP server behind NAT is problematic if you do not fully understand the FTP protocol. Is your FTP server going to support active/passive or just active? Keep in mind there is no helper/proxy for pfSense any more, so you have to forward the passive ports your FTP server would be using. Even if there were a helper, the use of an FTPS/FTPES encrypted control channel prevents any sort of helper/proxy from changing private IP to public and/or opening the appropriate ports in the firewall that are being used in the PORT/PASV command.

                    To be honest I would get http/https working first via your port forward..  See the port forwarding doc, then play with ftp after you have read and understand how the protocol works with control and data channels and active vs passive.  To be honest ftp even ftps or es should be avoided and just use sftp or even just http/https for file transfers..


                      • jvamos

                      Thanks John,

                      I don't understand why else the redirect wouldn't work unless I'm plugging in the wrong values. DNS seems to be working because my domain doesn't include the www. as it is registered as a domain.  I have those ports forwarded as well as a passive range for my Crushftp server. I don't want the whole machine exposed so port forwarding seemed the best way to go. The port forwards are working when accessing the site remotely but not locally is the best way to describe my issue. I believe when I obscured my IP I confused the whole issue.

                        • johnpoz LAYER 8 Global Moderator

                        "The port forwards are working when accessing the site remotely but not locally is the best way to describe my issue"

                        What part do you not understand about split dns?????

                         When you're on the public internet, you get your public IP when you look up yourdomain.tld, let's say 1.2.3.4; when you're on your network and you look up yourdomain.tld, you get 192.168.1.101.

                         What does port forwarding have to do with that??? NOTHING!!!


                          • jvamos

                          I don't have a domain controller. I don't have a domain set on the router either.

                            • Derelict LAYER 8 Netgate

                            When you have connections from the outside in you need a port forward.

                            When connections are coming from an inside host to an inside address, you do not need a port forward.

                            Configure your DNS so outside users get the outside address and inside users get the inside address.

                            That's why I have been harping on your broken DNS. You have a DNS problem, not a port forward problem. Just STFU about port forwards and fix your DNS.


                              • jvamos
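The split-DNS rule johnpoz spells out (public IP from outside, 192.168.1.101 from inside) and Derelict's point that a port forward only applies to connections coming in from outside, as one added example that is not part of the original thread and not pfSense's own code. It models the two DNS views and the three connection paths, and renders the inside answer as an Unbound host override. The addresses (`203.0.113.10`, `192.168.1.101`, the inside networks), the name `yourdomain.tld` and all function names are constructed for illustration; the `local-zone`/`local-data` lines use Unbound's configuration syntax and are assumed to match what pfSense writes for a host override, so compare them against your own generated resolver config.

```python
import ipaddress

# Constructed sample values (documentation ranges, not the poster's real addresses).
PUBLIC_IP = "203.0.113.10"        # what the public zone publishes for yourdomain.tld
SERVER_LAN_IP = "192.168.1.101"   # the web server's address on the LAN (or DMZ) segment
INSIDE_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # LAN
    ipaddress.ip_network("192.168.2.0/24"),  # hypothetical DMZ segment
]

# The public zone as the internet sees it (constructed).
PUBLIC_ZONE = {"yourdomain.tld": PUBLIC_IP}
# Host overrides on the local resolver: same name, inside address.
HOST_OVERRIDES = {"yourdomain.tld": SERVER_LAN_IP}


def is_inside(client_ip):
    """True when the client sits on one of the firewall's inside segments."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETS)


def resolve(name, client_ip, overrides=HOST_OVERRIDES):
    """Split-horizon answer: inside clients get the override if one exists,
    everyone else (and inside clients with no override) gets the public record."""
    name = name.rstrip(".").lower()
    if is_inside(client_ip):
        return overrides.get(name, PUBLIC_ZONE.get(name))
    return PUBLIC_ZONE.get(name)


def unbound_host_override(name, addr):
    """Render an override in Unbound's local-zone/local-data syntax (assumed to be
    the form pfSense's host override produces; verify against your generated config)."""
    fqdn = name.rstrip(".") + "."
    return [f'local-zone: "{fqdn}" transparent', f'local-data: "{fqdn} A {addr}"']


def connection_works(client_ip, dst_ip, nat_reflection=False):
    """Which paths reach the server.

    A port forward matches packets arriving on WAN. An inside client that sends
    to the public IP never leaves the LAN, so nothing rewrites the destination
    unless NAT reflection is enabled. An inside client sending to the LAN
    address needs no NAT at all, which is the whole point of split DNS.
    """
    inside = is_inside(client_ip)
    if dst_ip == SERVER_LAN_IP:
        return inside                      # private address, only routable from inside
    if dst_ip == PUBLIC_IP:
        return (not inside) or nat_reflection
    return False


def check_client(client_ip, name="yourdomain.tld", overrides=HOST_OVERRIDES,
                 nat_reflection=False):
    """Resolve the name as that client would, then test the resulting path."""
    answer = resolve(name, client_ip, overrides)
    return answer, connection_works(client_ip, answer, nat_reflection)


if __name__ == "__main__":
    print("\n".join(unbound_host_override("yourdomain.tld", SERVER_LAN_IP)))
    for label, client, overrides in (
        ("outside client", "198.51.100.7", HOST_OVERRIDES),
        ("inside client, split DNS", "192.168.1.50", HOST_OVERRIDES),
        ("inside client, no override", "192.168.1.50", {}),
    ):
        print(label, "->", check_client(client, overrides=overrides))
```

The third scenario is the poster's symptom: remote users succeed via the port forward, inside users get the public IP and time out, and no change to the port forward fixes it; the override does.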

                               How do I fix DNS?

                                • Derelict LAYER 8 Netgate

                                What are your settings in:

                                System > General > DNS Servers
                                Services > DNS Forwarder
                                Services > DNS Resolver
                                 Services > DHCP Server: on the tab for your inside hosts, what are the DNS Servers?


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.