1 public IP mapped to a private machine's IP address. How to make it work?
-
Hello,
I have set a pfsense setup with my home comcast public dynamic IP address. Modem –> WAN --> OPT1 and WAN --> LAN. I have a domain name mapped to WAN IP which is 52.102.x.y(comcast public IP) on the namecheap. Attached is a screenshot of my setup
I do have a machine with IP 10.1.10.102 and nginx running in the OPT1 interface with port exposed 80. I can reach this ip from a browser on any interface using http://10.1.10.102 or using curl from command line. I was able to curl from pfsense VM, and also a machine in LAN interface. I have a NAT configuration on WAN interface. I tried many combinations with it like any to OPT1 address/net and target to one ip address. Attached screen shoots
But when I go...www.example.com(actual name supressed) which is mapped to public ip. I get a error instead of seeing a nginx success page. Could someone please put me on right direction? Or if it is possible or not. d-dns looks tedious to me. All I want a public domain mapped to my home server.
Thanks!
![Screenshot from 2017-03-10 17-36-01.png](/public/imported_attachments/1/Screenshot from 2017-03-10 17-36-01.png)
![Screenshot from 2017-03-10 17-36-01.png_thumb](/public/imported_attachments/1/Screenshot from 2017-03-10 17-36-01.png_thumb)
![Screen Shot 2017-03-16 at 9.52.17 AM.png](/public/imported_attachments/1/Screen Shot 2017-03-16 at 9.52.17 AM.png)
![Screen Shot 2017-03-16 at 9.52.17 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-03-16 at 9.52.17 AM.png_thumb) -
Exactly the same text content as in Routing and MultiWAN: https://forum.pfsense.org/index.php?topic=127397.0
??Try to access the web server by typing your external IP in the browser.
If you still cant reach the it use Packet Capture from pfSense Diagnostic menu to check if packet are forwarded to you by your ISP. Select WAN interface and port 80 and start the capture and try to access the website from the internet, stop it then and look if packet are shown. -
You must change the value of Dest. Address 10.1.10.102 to Interface Address(Public IP Address assigned to the WAN interface) to make it works.
If you try to reach the webserver from WAN via www.example.com, incoming packets to WAN will have their destination as the public IP, not 10.1.10.102.
Then pfSense will NAT these packets by the port forward rule, translating their destination to 10.1.10.102 and after that, it will resume filtering and routing them.
Also only setting that rule will not make the webserver accessible from any nodes from OPT1 or LAN via www.example.com name.
You will need to add more rules with everything same with the corrected WAN port forward rule but with different interfaces, each ones for LAN, OPT1.However for the efficiency you may want to just use 10.1.10.102 inside OPT1 network for accessing the webserver or just want to set up another DNS server exclusive for that network.
-
Exactly the same text content as in Routing and MultiWAN: https://forum.pfsense.org/index.php?topic=127397.0
??Try to access the web server by typing your external IP in the browser.
If you still cant reach the it use Packet Capture from pfSense Diagnostic menu to check if packet are forwarded to you by your ISP. Select WAN interface and port 80 and start the capture and try to access the website from the internet, stop it then and look if packet are shown.The link you have posted led to a dead link :(
I see the packets in the Packet Capture. Thanks for the info.
-
You must change the value of Dest. Address 10.1.10.102 to Interface Address(Public IP Address assigned to the WAN interface) to make it works.
If you try to reach the webserver from WAN via www.example.com, incoming packets to WAN will have their destination as the public IP, not 10.1.10.102.
Then pfSense will NAT these packets by the port forward rule, translating their destination to 10.1.10.102 and after that, it will resume filtering and routing them.
Also only setting that rule will not make the webserver accessible from any nodes from OPT1 or LAN via www.example.com name.
You will need to add more rules with everything same with the corrected WAN port forward rule but with different interfaces, each ones for LAN, OPT1.However for the efficiency you may want to just use 10.1.10.102 inside OPT1 network for accessing the webserver or just want to set up another DNS server exclusive for that network.
I have changed the destination address in the NAT rules to my public IP. NAt ip is set to OPT1 host 10.1.10.102. On the browser or cmd curl http:// <mypubip>doesnt lead me anywhere :-(</mypubip>
-
Where did you tested it? The pfSense host itself? Or other computers from each networks?
I suggest you to test it from other computers from each networks, not the pfSense host itself. -
Where did you tested it? The pfSense host itself? Or other computers from each networks?
I suggest you to test it from other computers from each networks, not the pfSense host itself.Im not testing from pfsense host. Its reachable from pfsense host.No problems hitting it from within private network whatsoever.
Failing case scenario:other computers with different ip(from work). Outside network –> my home public ip
-
I think it's good to check and find out where the packets are not flowing.
Use tcpdump from shell from each computers to see what's going on.Suggestion:
from the pfSense host,
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102from the webserver,
tcpdump -n -i (Name of the interface to xn2) port 80And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?
-
I think it's good to check and find out where the packets are not flowing.
Use tcpdump from shell from each computers to see what's going on.Suggestion:
from the pfSense host,
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102from the webserver,
tcpdump -n -i (Name of the interface to xn2) port 80And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?
When I ran the commands from the pfSense host,
tcpdump -n -i xn0 port 80output: 11 packets captured
492 packets received by filtertcpdump -n -i xn2 port 80 && host 10.1.10.102
output: 86 packets captured
3773 packets received by the filterfrom the webserver,
tcpdump -n -i eth0 port 80output: 0 packets captured
I have attached the output of netstat on webserver instance which shows the ports are open and also attached the nat settings and interface settings on pfsense. I have hid my public ip on 2nd attachment
thanks for all the suggestions!
![Screenshot from 2017-03-22 20-18-55.png](/public/imported_attachments/1/Screenshot from 2017-03-22 20-18-55.png)
![Screenshot from 2017-03-22 20-18-55.png_thumb](/public/imported_attachments/1/Screenshot from 2017-03-22 20-18-55.png_thumb)
![Screenshot from 2017-03-22 20-36-57.png](/public/imported_attachments/1/Screenshot from 2017-03-22 20-36-57.png)
![Screenshot from 2017-03-22 20-36-57.png_thumb](/public/imported_attachments/1/Screenshot from 2017-03-22 20-36-57.png_thumb)
![Screenshot from 2017-03-22 20-37-58.png](/public/imported_attachments/1/Screenshot from 2017-03-22 20-37-58.png)
![Screenshot from 2017-03-22 20-37-58.png_thumb](/public/imported_attachments/1/Screenshot from 2017-03-22 20-37-58.png_thumb)
![Screenshot from 2017-03-22 20-38-29.png](/public/imported_attachments/1/Screenshot from 2017-03-22 20-38-29.png)
![Screenshot from 2017-03-22 20-38-29.png_thumb](/public/imported_attachments/1/Screenshot from 2017-03-22 20-38-29.png_thumb) -
When you were running tcpdump, you could see each packet's logs.
Were you able to see from xn0 with incoming packets with destination as public IP : port 80?
And what about outgoing packets with source as public IP : port 80?Were you able to see from xn2 with outgoing packets with destination as 10.1.10.102 : port 80?
And what about incoming packets with source as 10.1.10.102 : port 80?Were you able to see from the interface of webserver with incoming packets with destination as 10.1.10.102 : port 80?
And what about outgoing packets with source as 10.1.10.102 : port 80? -
Do NOT set a source port on your port forward.
You had to click advanced and ignore this to get where you are right now:
Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.
-
Do NOT set a source port on your port forward.
You had to click advanced and ignore this to get where you are right now:
Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.
This setting did it! Thank you!
-
When you were running tcpdump, you could see each packet's logs.
Were you able to see from xn0 with incoming packets with destination as public IP : port 80?
And what about outgoing packets with source as public IP : port 80?Were you able to see from xn2 with outgoing packets with destination as 10.1.10.102 : port 80?
And what about incoming packets with source as 10.1.10.102 : port 80?Were you able to see from the interface of webserver with incoming packets with destination as 10.1.10.102 : port 80?
And what about outgoing packets with source as 10.1.10.102 : port 80?Thank you for the all responses and suggestions! Helped me debug network