Issue connecting to server behind firewall from outside (SOLVED!)
-
I have a WAN rule allowing traffic to the stream server's public IP on port 8000 (the streaming media port for my Icecast server)
Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.
-
Here are the images:
NAT Configuration:
Orange (Network B) Firewall rule:
WAN Firewall rule:
I did look at the port forward troubleshooting; I had already done some of those steps. There is a temporary any/any rule on subnet B, and it can hit anything.
Since posting, I did tear out the rules and NAT configuration and re-added them. This made one minor difference: I can now ping the WAN upstream gateway; however, I cannot ping outside my networks, for example Google.com. The name resolves, but I get no responses. Still nothing in the firewall logs.
-
Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.
I modified the WAN rule with no change. Still can't get to the internet from the stream server nor can I reach the stream server from the internet.
-
Then you have more wrong.
Can you ping outside addresses if you choose the outside VIP you are 1:1 natting as the source address?
Post up the screen shots. 1:1 NAT, firewall rules on both outside and inside addresses.
Be sure the inside host has pfSense as its gateway.
-
Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24? You have it obscured as if it were public.
-
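The point made in the two replies above (pf runs NAT before the filter rules, so a WAN rule for 1:1 NAT traffic must name the inside, post-NAT address) is easy to get wrong because the pfSense GUI shows the public VIP on the NAT page and the rule page side by side. The toy model below is an added illustration, not pfSense or pf code: it replays a client connection to the VIP on port 8000 through a 1:1 NAT entry and then through a single WAN rule, once with the public address as the rule destination and once with 192.168.92.24. The public VIP (203.0.113.10) and the client address are assumed placeholders, since the real ones are obscured in the screenshots.

```python
# Added illustration of pf's NAT-then-filter order for inbound 1:1 NAT
# traffic on pfSense. Not pfSense's own code. 192.168.92.24 and port 8000
# come from the thread; the other addresses are assumed placeholders.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class OneToOneNat:
    external: str  # WAN virtual IP (VIP) on the NAT page
    internal: str  # inside host the VIP is mapped to


@dataclass(frozen=True)
class FilterRule:
    action: str           # "pass" or "block"
    dst: str              # exact address or "any"
    dport: Optional[int]  # None matches any port
    proto: str = "tcp"


PUBLIC_VIP = "203.0.113.10"    # assumed placeholder for the obscured public VIP
STREAM_HOST = "192.168.92.24"  # inside address of the Icecast box (from the thread)
STREAM_PORT = 8000


def apply_inbound_nat(pkt: Packet, nats: list) -> Packet:
    """1:1 NAT, inbound: packets addressed to the VIP get the inside destination."""
    for nat in nats:
        if pkt.dst == nat.external:
            return replace(pkt, dst=nat.internal)
    return pkt


def apply_outbound_nat(pkt: Packet, nats: list) -> Packet:
    """1:1 NAT, outbound: the inside host leaves with the VIP as source."""
    for nat in nats:
        if pkt.src == nat.internal:
            return replace(pkt, src=nat.external)
    return pkt


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate_wan_inbound(pkt: Packet, nats: list, rules: list, default="block"):
    """Return (verdict, packet as the ruleset saw it).

    NAT is applied first; the WAN rules then see the translated packet.
    pfSense generates 'quick' rules, so the first match wins, and the
    interface default for WAN is to block.
    """
    seen = apply_inbound_nat(pkt, nats)
    for rule in rules:
        if rule_matches(rule, seen):
            return rule.action, seen
    return default, seen


def stream_verdict(rule_dst: str):
    """One WAN rule for the stream, with rule_dst as its destination field."""
    nats = [OneToOneNat(PUBLIC_VIP, STREAM_HOST)]
    rules = [FilterRule("pass", rule_dst, STREAM_PORT)]
    client = Packet(src="198.51.100.7", dst=PUBLIC_VIP, dport=STREAM_PORT)  # constructed
    return evaluate_wan_inbound(client, nats, rules)


if __name__ == "__main__":
    for dst in (PUBLIC_VIP, STREAM_HOST):
        verdict, seen = stream_verdict(dst)
        print(f"rule dst={dst:14} -> {verdict:5} (ruleset saw dst={seen.dst})")
```

With the public VIP as the rule destination the translated packet never matches and falls through to the WAN default block; with 192.168.92.24 it passes. One caveat the thread itself bears out: a default block on WAN is logged, so "nothing in the firewall logs" for a port that should be blocked is itself evidence that the packets are not reaching the WAN interface at all, which is exactly where the upstream ISP router turned out to be the problem.
-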
I cannot ping outside addresses from the VIP.
I posted the images of the 1:1 NAT, WAN and ORANGE (network B) rules above.
To add to the weirdness - if I disable the static DHCP mapping, and allow the server to obtain an address on the ORANGE subnet, I can get outside just fine. It almost seems as though this specific IP address is being blocked somewhere.
The part of all this that has me bothered is that it was working fine up until the hardware issues that caused me to replace the old box. I exported the configuration from the old box, then restored it to the new box. All I had to change was the interface mapping, as the names changed (i.e., from bge0 to em1 for the LAN side). The only thing failing is the NAT for this specific box.
Would maybe trying a different address altogether be something to try? I have one more public address that is unused.
-
@KOM:
Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24? You have it obscured as if it were public.
When I took the screenshot it was public. It is now the 192.168.92.24 address, no change in behavior.
-
I cannot ping outside addresses from the VIP.
Then you need to troubleshoot that.
There is not a lot involved there from the firewall's perspective. It sends the echo request to the ISP and waits for a reply.
-
I'm getting further. I went ahead and changed the addresses - used a new external address and a new internal address. I can now get to internet hosts from the server box, still cannot reach the server from the internet. Ping works from the new VIP address.
Derelict gave me something to think about, though. I am going to reboot the router from our ISP. I am wondering if it has something cached in relation to the old VIP address.
-
SOLVED!
First, thanks for the help and suggestions.
It looks like the Comcast router was not passing the traffic to the firewall in the first place. A reboot of the Comcast router later and I can get to the stream server from outside again.
Now to clean up the extra rules I added and update the station's website to show the streams again.
Thanks again for the help and suggestions.
-
Glad you got it working.
(Gee, ISP router/modem problem. Who'da thunk it?)