Netgate Discussion Forum

External ip -> Router DMZ -> WAN interface -> Exchange 2013 server (OWA access)

NAT
19 Posts 3 Posters 3.8k Views
• johnpoz LAYER 8 Global Moderator

Well, I am getting an answer back from your IP on 80, so pfSense is forwarding it.. So any issues you have are elsewhere!

As to 443, I don't show it sending anything back at all.. No SYN,ACK to my SYN…

How are your clients going to resolve your internal IPs if you're pointing them to Google DNS?? So you would have to use NAT reflection to get to your stuff.

But I can tell you right now you're not even forwarding 443.. So again, for the 3rd time, go over the troubleshooting doc!! Sniff on the pfSense WAN: do you see 443? Do you see it forwarded to your server's IP behind pfSense? If so, then pfSense is doing what it needs to do; any errors you are having are not with pfSense.. pfSense just allows or does not allow the packets..

Either way, in NO scenario would you forward 53.. Not unless you were wanting to host DNS to the public?? Which isn't working either, good thing ;)
DNS      - source = * | Dest IP = 192.168.1.9 | Port = 53
NAT port forward DNS - source * nat ip 10.0.11.103 port 53

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

• foxhound

Don't worry about the clients, this is a home network for studying :)

I'll get on with doing some packet sniffing like you mentioned and see where this 443 issue goes, and get back to the post. Thanks for the advice on DNS; disabled the 53 rule to the DC server now.

Regards,
Ryan

• johnpoz LAYER 8 Global Moderator

As to clients, I mean the devices on your network.. Clearly this is not a work network ;)

• foxhound

Finally we're working!

Like you mentioned, we are able to receive a response from my IIS on port 80 but nothing on 443, so after reviewing my SSL certificate I realised I forgot to add an A record to my forward lookup zone for the name of the Exchange server! As soon as it was added I could see all my services externally.

Thanks John for your responses; they have helped me to get a better understanding of how to troubleshoot, along with a few DNS pointers.

Regards,
Ryan

• johnpoz LAYER 8 Global Moderator

Not sure what you think you got working??

user@ubuntu:~$ curl -I http://alivetech.co.uk/
HTTP/1.1 403 Forbidden
Content-Length: 1233
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 15 May 2017 10:56:16 GMT

Still getting 403 from 80, and showing nothing on 443 at all!!

• foxhound

I jumped the gun there; after I made some changes I tested external access from a VM on my ESXi node which had my LAN DHCP NIC connected, meaning it was an internal device, not external!!

So back to the drawing board :'(

On the brighter side, I've got an Exchange friend who's going to take a look over my Exchange setup to make sure it's all good :)

Regards,
Ryan

• foxhound

Okay then, after reviewing everything and deeming it all to be good, I dropped pfSense out of the network and directly configured the servers to go through the router's DHCP.

And presto, we can access Exchange externally via port 443, so this is where it's getting weird for me; when I have my pfSense included in the equation I am able to access my OWA externally only via port 80, as port 443 will not respond (either the Exchange server not responding or firewall config).

Shall I post over my firewall config to see if there is anything glaringly wrong I've done?

Regards,
Ryan

• johnpoz LAYER 8 Global Moderator

Dude, this is simple port forwards.. nothing more, to be honest..

Again I am going to state: if you're having issues with port forwards, go through the troubleshooting doc linked to.

Clearly your port 80 is hitting something running
Server: Microsoft-IIS/8.5

But on 443 nothing answers.. No SYN,ACK to SYN… So that says to me you're not forwarding, or 443 is not even getting to your pfSense to forward.. Or where you're sending it is not listening on 443..

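An added example, not code from the thread or from pfSense: a small Python probe that classifies what a client on the outside gets back on 80 and 443 (handshake completed, RST, or no SYN,ACK at all), which maps onto the three causes listed above and the "sniff the WAN" check from the earlier post. The host name in it is a placeholder; the loopback demo is included so the "open" versus "refused" outcomes can be seen without any external host.

```python
# Added example (not from the thread): classify what an external TCP probe of
# the forwarded ports gets back: a completed handshake (forward and listener
# fine), a RST (packet reached a host, nothing listens there), or no SYN,ACK
# at all (the 443 symptom: not forwarded, dropped, or never reaching the WAN).
import socket
from typing import Dict, Literal, Tuple

Status = Literal["open", "refused", "filtered", "error"]


def probe(host: str, port: int, timeout: float = 3.0) -> Status:
    """Attempt one TCP connect to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # SYN,ACK came back and the handshake completed
    except ConnectionRefusedError:
        return "refused"         # RST came back: reachable host, closed port
    except socket.timeout:
        return "filtered"        # nothing came back within the timeout
    except OSError:
        return "error"           # name resolution failed, no route, etc.


def probe_forwards(host: str, ports=(80, 443), timeout: float = 3.0) -> Dict[int, Status]:
    """Probe each forwarded port; returns {port: status}."""
    return {p: probe(host, p, timeout) for p in ports}


def explain(results: Dict[int, Status]) -> str:
    """Turn the statuses into the next check to make on pfSense."""
    hint = {
        "open": "answered; forward and listener are working",
        "refused": "RST back; something reachable, but not listening there",
        "filtered": "no SYN,ACK; sniff the pfSense WAN: arriving? forwarded?",
        "error": "probe not sent (resolution or routing problem)",
    }
    return "\n".join(f"{p}: {s} ({hint[s]})" for p, s in results.items())


def loopback_demo() -> Tuple[Status, Status]:
    """Show 'open' vs 'refused' locally: probe a listener, then the closed port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))     # port 0: let the kernel pick a free port
    lsock.listen(1)
    port = lsock.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    lsock.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close   # returns ("open", "refused")
```

Run `explain(probe_forwards("owa.example.invalid"))` with the placeholder replaced by the public name under test from a host outside the LAN, since a VM on the LAN (as happened in this thread) never exercises the WAN forward.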
• Guest

Why DMZ?

Why not just put the TP-Link into modem-only mode and have the WAN address on pfSense? All you need to do then is NAT the ports you want to your server… simples!

• foxhound

Well, I thought it was simple forwarding as well! ;) I'll go over the troubleshooting guide and see if I can nail it down.

For marjohn's response:

Forgive me if I'm wrong, but wouldn't I need more than one static IP to do that?

I currently have 212.159.107.105/32

I was under the impression I would need a block of IPs so I can assign one to both the router and the WAN interface?

Regards,
Ryan

• Guest

You only need one WAN IP.

On your modem you set it to bridge mode; pfSense then handles the login etc., whether it's PPPoE, DHCP or whatever. That WAN address is then set on the pfSense WAN port.

That's it, finished.

• johnpoz LAYER 8 Global Moderator

You can forward lots of ports.. You only need the 2, 80 and 443.

So on your ISP device in front of pfSense, vs doing DMZ host, just set up 80 and 443 as forwards to the pfSense WAN IP..

• foxhound

Marjohn, you smashed the nail on the head!

Set bridged network from the router, config the WAN interface for PPPoE and boom, we're live 8).

Thanks both, much appreciated.

Regards,
Ryan

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.