Webgui and SSH listening on wrong IP
-
What is the mask on our lan interface?
You have rules that make ZERO sense at all. If your LAN IP is 192.168.1.1 with a /24 bit mask, what is the point of any rules allowing access to 192.168.1.anything??
You have 3 rules that say proxied access to printing?? edit machine
Those rules would never come into play.. Do you have some sort of bridge setup?
Some of the rules you see may have been from me experimenting trying to get this to work. Other rules may be years old, I just leave well enough alone.
The ISP router is in bridge mode, if that's what you mean. I modified my comment above to add more info, netmask 0xffffff00.
-
You have 3 rules that say proxied access to printing??
fwiw "proxied" is an alias to several LAN addresses. I don't really care about those rules unless they somehow after 6 years are preventing our web access to the LAN address.
-
My money's on some other rule somewhere. Do Diagnostics > Command prompt and cat /tmp/rules.debug and send that to me in a PM.
Nothing shows up in the firewall log for these failures?
Is 192.168.1.165 listed in Diagnostics > Tables sshlockout ??
-
Correct, nothing in the firewall log.
sshlockout table -> No entries exist in this table. I'm about to go out for a few hours but I'll be back later and really appreciate your help.
-
This is your problem:
LAN = "{ em1 }"
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.7
Find that port forward. Actually that is probably a 1:1 NAT.
You should probably check that these are necessary and doing what you want too:
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.212 port 22
rdr on em1 proto tcp from any to 192.168.1.1 port 21255 -> 192.168.1.241 port 3389
-
"I don't really care about those rules"
While you're at it, you might as well clean up the rest of those rules that are completely pointless. You don't care that there are rules that don't do anything?? Maybe that is part of your problem: lack of understanding of how the rules work?
"just leave well enough alone."
Another issue if you ask me. What I would do after you fix this big issue is address all your rules: what do they do, are they still needed, do they even do anything?
"experimenting trying to get this to work"
This points to a BIG problem if you ask me. Why would you be experimenting? You experiment on the recipe for the perfect pasta sauce or cupcake. When it comes to firewall rules there should be no experimenting. You either understand how they work and what is needed to allow or block what you want, or you don't. If you don't, that is a problem!!
In what scenario is that 67.166.x.x address going to be both a source and/or a dest address, in those first 2 rules? Your LAN is 192.168; how would there be a packet inbound to the LAN interface from that IP? Dest, OK, maybe. But seeing that it's listed as a source, along with those rules to dest IPs that are in the same local LAN network to allow printing??
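The diagnosis above comes down to one thing: an rdr rule on the LAN interface whose destination is the firewall's own LAN IP will redirect the web GUI and SSH connections along with everything else, unless it is narrowed to a single unrelated port. The script below is an added example, not posted by anyone in this thread and not part of pfSense; it scans text in the shape of /tmp/rules.debug for exactly that pattern. The sample rules are constructed to mirror the three rdr lines quoted above plus one harmless WAN rule, the management port set (22, 80, 443) is an assumption, and the parser only handles the simple single-port rdr form shown in this thread, not port lists, labels or other pf syntax.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of pfSense's /tmp/rules.debug, modelled on the
# rdr lines quoted in this thread (not a real capture).
SAMPLE_RULES = """\
LAN = "{ em1 }"
WAN = "{ em0 }"
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.7
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.212 port 22
rdr on em1 proto tcp from any to 192.168.1.1 port 21255 -> 192.168.1.241 port 3389
rdr on em0 proto tcp from any to 203.0.113.10 port 443 -> 192.168.1.50 port 443
"""

# Ports the firewall itself answers on for management. Assumed defaults:
# SSH plus the web GUI on HTTP/HTTPS; adjust if the GUI runs elsewhere.
MGMT_PORTS = frozenset({22, 80, 443})

# Interface macro line, e.g.  LAN = "{ em1 }"
MACRO_RE = re.compile(r'^(?P<name>\w+)\s*=\s*"\{\s*(?P<ifc>\S+)\s*\}"\s*$')

# Single-port rdr line as printed in this thread. Both "port" clauses are optional.
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<ifc>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\d+))?"
    r"\s+->\s+(?P<rdst>\S+)(?:\s+port\s+(?P<rport>\d+))?\s*$"
)


class Hijack(NamedTuple):
    rule: str      # the offending rdr line, as written
    target: str    # where the firewall's management traffic ends up
    reason: str


def parse_macros(text: str) -> Dict[str, str]:
    """Map interface macros such as LAN = "{ em1 }" to the real interface name."""
    macros: Dict[str, str] = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group("name")] = m.group("ifc")
    return macros


def find_mgmt_hijacks(text: str, lan: str, lan_ip: str,
                      mgmt_ports=MGMT_PORTS) -> List[Hijack]:
    """Return rdr rules on the LAN interface that capture traffic addressed to
    the firewall's own LAN IP on a management port, or on every port.

    `lan` may be a macro name ("LAN") or an interface name ("em1").
    """
    lan_if = parse_macros(text).get(lan, lan)
    hits: List[Hijack] = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or m.group("ifc") != lan_if:
            continue                      # not an rdr on the LAN interface
        if m.group("dst") not in (lan_ip, "any"):
            continue                      # aimed at some other address
        dport = m.group("dport")
        if dport is None:
            reason = "no destination port: every TCP port on the LAN IP is redirected"
        elif int(dport) in mgmt_ports:
            reason = f"redirects management port {dport}"
        else:
            continue                      # e.g. port 21255 -> 3389 leaves GUI and SSH alone
        hits.append(Hijack(line.strip(), m.group("rdst"), reason))
    return hits


if __name__ == "__main__":
    for h in find_mgmt_hijacks(SAMPLE_RULES, "LAN", "192.168.1.1"):
        print(f"{h.rule}\n    -> management access hijacked to {h.target} ({h.reason})")
```

Run against a real copy of rules.debug, this flags the first two sample rules (no destination port at all, so the web GUI and SSH are swept up with everything else) and leaves the port-21255 rule alone, which matches what removing the rules turned out to fix later in the thread.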
-
This is your problem:
LAN = "{ em1 }"
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.7
Find that port forward. Actually that is probably a 1:1 NAT.
You should probably check that these are necessary and doing what you want too:
rdr on em1 proto tcp from any to 192.168.1.1 -> 192.168.1.212 port 22
rdr on em1 proto tcp from any to 192.168.1.1 port 21255 -> 192.168.1.241 port 3389
There's only one rule involving that IP address (192.168.1.7) and it's on NAT.
It should only listen on one specific port, so I'm not sure why it would cause the problem. Update: I deleted that rule and still can't access on the LAN address. Further update: I removed another similar rule and now I can access the LAN IP. Those other rules are appropriate. Thank you so much for your help Derelict!
-
To summarize the cause, before the move there were two upstream ISPs connected and after the move only one. Some rules that applied to the defunct ISP interface somehow got automatically converted to listening on the LAN interface, once I removed those rules the LAN interface started responding normally.
Thanks again Derelict for your help tracking this down!!!!
cheers
-
somehow got automatically converted
Sigh.
-
somehow got automatically converted
Sigh.
Well, they weren't changed by me, I'm not on site. If you're sighing then I imagine the guy who moved it must've done something. I'm just trying to figure it out remotely after the fact, in which I have now succeeded thanks to your help.