Enable internet access from LAN
-
@stephenw10
ok, This a query using dig while using the DNS resolver of pfsense
And this is WAN rules, and NAT
,
Those internal machines are virtual machines that I have built them behind the pfsense. Do I need also to build the external machines for the external IPs?
for the web and the email server?. I have built an external vm with and IP:104.x.x.z from this machine I can ping the pfsenseWAN address. -
And how exactly is this 104 box doing a query to 192.168.1.1... Their default gateway is pfsene wan IP...
You show zero hits on any of your wan rules..
How about you draw up how you have this put together... Cause I don't see how devices on a 104 school network would be pointing to pfsense wan as their gateway.. Or how they would query a rfc1918 address for dns.
If anything would be a asymmetrical mess..
-
Ok, the port forward rules and linked firewall rules look good though.
Where are you testing it from? What IP? I assume that 104.x.x.x IP is the schools external public IP, not the pfSense WAN?
Test from something on the pfSense WAN subnet to the pfSense WAN IP address directly and it should work.
Steve
-
According to him the 104.x.x.x/24 is his pfsense wan.. And yeah its his school network..
-
Ah, yes. Ok then test from that subnet to the IP directly, with those rules it should connect.
-
Thanks
Still doesnot work, I tested it from an external builted vm machine with IP 104.x.x.15 with gate way =104.x.x.254, although I can ping the external mail server address:104.x.x.35 but cannot connect to it!!!
could you please let me know what can be the problem?
-
There is all kinds of things that could be the the problem.. That just means your pinging something 104.x.x.35... Why would you think that would be your mail server if its behind pfsense, is that pfsense wan IP.
Which I doubt - since from you rules on your wan your not allowing to ping its wan ip.. Or any icmp even, so highly much doubt that is even psfense.. And sure isn't something behind it, etc. etc..
If you want help - I suggest you get with your teacher.. I'm not here to teach a class in basic networking, so you can get an A..
To troubleshoot port forwarding.
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.htmlBut again, from what you posted I highly doubt that .35 is even pfsense wan IP... Since you do not allow that on your wan interface - so you wouldn't get an answer if you pinged it..
-
I agree. If you're genuinely testing from the WAN subnet and the pfSense WAN IP is 104.190.x.35 then your firewall rules should be blocking that ping.
So either you're pinging something else or you changed the rules since you last screenshot.
Steve
-
@stephenw10
yes I have only changed the WAN rules to alow ICMP.
.
thanks -
Ok, what ports do you have in the
web
alias? -
-
Ok it looks like your port forward for that server is listing at 104.x.x.5 but you are trying to open 104.x.x.35.
Is that just a typo? Correct it if so.If it's a VIP on the WAN then try to open that IP.
Steve
-
@stephenw10
I have 2 servers, one is web sever has external IP 104.190.X.X.5 and internal 192.168.1.5, second is mail server has external IP 104.X.X.35 with internal IP 192.168.1.5, I want both be behind pfsense and accessible from outside through port forwarding
yes I have virtual IPs
sorry, what do you mean by opening that IP?
do you mean set a LAN rule with destionation address =104.x.x.5 ? -
@maale
Sorry, I mean a WAN rule -
I mean try to open the page by IP address directly rather than URL which would need to resolve.
Both those IPs look like they should work though assuming the server can respond.
Check the pfSense state table in Diag > States while you;re testing. You should see the states on WAN and LAN complete with NAT on WAN.
Steve
-
So what is your actual IP of your pfsense wan? You have vips of .5 and .35 - what is the actual IP?
Have you gone through the troubleshooting doc I Linked too - finding the issue with port forwarding is 2 minutes work tops!!! do a sniff do you see the traffic on your wan or not? Sniff on lan - do you see it send the traffic on?
For all you know the traffic is being forwarded and your system your forwarding to firewall is blocking the traffic - very common!!!
-
@johnpoz
Thanks!The problem was that the routing environment doesnot support Virtual IPs.
All traffic should be hit the pfsense WAN IP at 104.x.x.10 .So, I have set an external DNS with an IP 104.x.x.25 with my domain and records www.x.av for web server and mail.x.av for mail server, with port forward rules.
Now from an external machine 104.x.x.15 using the domain www.x.av I can access the web server, but using the domain mail.x.av, this directs me to the same webpage for the web server but not for the mail server. Is NAT reflection what I need to do? -
@maale said in Enable internet access from LAN:
routing environment doesnot support Virtual IPs.
Huh - that makes no sense at all.
Is NAT reflection what I need to do?
No its not... if you want host.domain.tld to get sent to X, and other.domain.tld to get send to Y behind pfsense then you need to use multiple wan IP, vips or not... Or you need to hit different ports in your url, or you need to setup a reverse proxy to know that host.domain.tld goes to X and that other.domain.tld goes to Y.. Look at the HA proxy package.
-
@johnpoz
I mean the lab routing environment.
ok I look for the HA package -
Lab routing environment or real routing environment... Has zero to do with anything - an IP address that is in same network, has zero to do with routing...
-
Mmm, that.
Why can you not use multiple IPs on WAN? What VIP type were you trying to use? Use IPAlias if you were not.
Steve
-
Maybe he meant their virtual environment that pfsense is running on? Maybe issues with vips in some VM setups, where you might have to do some promiscuous setting. But if VM, he could just create some new virtual interfaces and since he is using dhcp in this network.. He could have 3 different wan interfaces using 3 different IPs and then port forward..
-
@johnpoz
I am trying to install the HA proxy package, but I cannot see any packages listed. could you please let me know why? I can connect to www.pfsense.org successfully. And I have installed bind package before, but now a I cannot find available packages
-
That because your pfsense install can not resolve most likely, since you prob installed bind and F'd it up..
Go to diagnostic menu, dns - lookup up something.. what does it show..
You connecting to something is completely different than pfsense resolving something.. What is your client using for dns, what is pfsense?
-
@johnpoz
I am using the pfsense DNS resolver and other 2 external DNS servers. diagnostic menu, dns - lookup google.com, gave no response from 127.0.0.1 but response from one of my external servers with google's IP address. -
@maale said in Enable internet access from LAN:
I am using the pfsense DNS resolver and other 2 external DNS servers
Not how it works - you are either resolving, or your using external dns via forwarding..
Your resolver is not working most likely because whatever network pfsense is on is prob blocking direct dns queries - and only allows access to googledns or whatever.
So change to forwarder mode..
-
@johnpoz
Thanks so much, now I can see the available package list -
@johnpoz
Because I am using the same domain name for my internal and external services, I have used the bind9 package to set split DNS as follows and it works fine to resolve inside LAN and outside. All services from outside have pfsense WAN address.
This is first zone file for internal addresses.
This is the second zone for external addresses.
I also have set a NAT rule with destination= 127.0.0.1 port 53 in the LAN and WAN interfaces. So that split DNS works fine.
Because all services have pfsense WAN address I used the squid reverse proxy package with the web and mail servers at 192.168.1.5 and 192.168.1.35. I want www.x.av goes to the internal web server at 192.168.1.5 port 80. And https://mail.x.av goes to the mail server at 192.168.1.35 port 443 and 143.
. I set a WAN rule with source any destion :this firewall port 80 so that the traffic goes to the squid reverse proxy. That doesnot work for me, from outside I cannot access any of the two servers! Could you please let me know what is wrong with this setting?
Thanks. -
You don't need bind to do split dns... And its at best problematic use the same domain internally as you do externally..
-
@johnpoz
so I can use the pfsense resolver and add hostoverides e.g www.x.av IP 104.x.x.10 ? or it is better to built an exteral dns for external quiries? -
What boxes exactly are going to be using pfsense as their dns? Your saying your going to make it the authoritative ns for your domain on the public internet? BAD IDEA!!
If your going to do that, then you would for sure have to setup different views..
-
@johnpoz
yes I have set up 2 zones with 2 views. Bind works fine, but my setting for the reverse squid proxy doesnot work. -
Not sure how your going to get port 143 to work... IMAP doesn't send headers that a proxy can look at to see where it should go, etc.. That would be port based normal forward.
You would use reverse proxy or ha proxy (reverse) for stuff that sends headers - http/https
-
Why are you port forwarding DNS to localhost?
Is that service on port 143 really https? Or IMAP which, as Jogn says, should not be proxied like that.
What is that NAT rule on WAN for port 80?
Many questions...still.
Steve
-
@stephenw10 said in Enable internet access from LAN:
What is that NAT rule on WAN for port 80?
That's easy : the GUI-from-WAN access rule.
-
@stephenw10
Why are you port forwarding DNS to localhost?
So that any internal or external DNS query will be directed to the local host since I am using bind.
What is that NAT rule on WAN for port 80?
I am using WAN rule source any destination: This firewall, port 80, so any traffic will be directed to the reverse proxy.
The mail service has many listening ports:25,110,143. I have a self signed certificate for that page HTTPS.
So in the setup for webservers on squid reverse proxy I set the protocol for mail server at 192.168.1.35 as HTTPS and the port is 143. is that wrong?
-
a self signed cert on a imap 143 port ?
imap 143 is the 'clear text' version. If you want to use TLS for IMAP you would be suing 993.
pop and TLS : 995
Mail clients that send mail should use 587 (TLS possible but now needed) or even better : 465.Port 25 : should be used only for inter mail server communication. This port was never intend to be used by mail clients. It's so wrong to do so.
Very soon, ports like 80, 110,143 (21) etc will be out of business for good.
Remember : you have a web site on port 80 ? Google won't index you any more.Btw : Modern 'fat' mail clients like Outlook don't even accept self signed certs any more. Maybe, if you imported the CA ans stamped it as 'trusted' you might get away with it.