I'm missing something... trying to log into company web internally opens up firewall
-
@bmeeks
I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the NetGate. That is all I changed. This time using the wizard I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard I put as my Domain our website of xenetech. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder -
Does your website resolve?
Can never get there if it doesn't resolve.. If this is hosted behind pfsense at your office then you would have had to set up port forwarding..
If you can get to other sites, then I would assume your office site is not set up correctly to allow public access to this webserver behind pfsense at your office.. So no, you wouldn't be able to get to it anywhere..
is this your site? http://www.xenetech.com/
I can get there. It resolves to

C:\>dig www.xenetech.com

; <<>> DiG 9.16.4 <<>> www.xenetech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54935
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xenetech.com. IN A

;; ANSWER SECTION:
www.xenetech.com. 7155 IN A 70.169.64.116

;; Query time: 5 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Sun Jun 28 21:02:15 Central Daylight Time 2020
;; MSG SIZE rcvd: 61
Is that hosted from your office with your pfsense at the office having that 70.169.64.116 on its wan?
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
@bmeeks
I am connecting it to the LAN side of my network. After the reset, I set up the WAN and DHCP and put the LAN to a generic setting. My laptop is plugged into LAN1 and the local LAN is plugged into the WAN of the NetGate. That is all I changed. This time using the wizard I didn't give it a DNS just to see what would happen. I can get to the network (I'm answering your msg with my laptop). I can go to any site I wish except my work's website. On my initial setup at the office, when I first used the wizard I put as my Domain our website of xenetech. I've tried using Google's DNS, I've tried checking and unchecking DNS Override and Disable Forwarder

Well, if you have brought home the firewall where you had the port forwarding configured that was allowing external access to your web server, then it stands to reason that now that web server will be unreachable from the Internet since pfSense at the office is gone. Or did I misunderstand what you meant by "I brought the NetGate firewall to my house because I got frustrated at work."?
From your original post I assumed you hosted the web server on your office LAN and had NAT port forwarding rules configured to send HTTP and HTTPS traffic to the internal LAN IP of the web server. Did I misunderstand that?
-
@bmeeks
Sorry, I forgot to add that I put back in our old SonicWall firewall that still works. It's an older one and is in EOL. I wanted to get the new NetGate up and going before we were down due to a hardware failure. This way if things took longer for me to get the new one set up then I could still fall back on the SonicWall and not have our company down. Good thing I did.

I am going to try a full flash drive restore on the NetGate I received from tech support. Maybe this will fully clean the system and restore it truly back to factory specs.
-
@johnpoz
Please note that I am no longer at the office. I have reinstalled the older working SonicWall while I find out what the issue is.

Yes, xenetech.com does resolve as you have noted. In my home lab, I have the NetGate set to a factory reset and connected to my internal LAN. I have the WAN side on the NetGate set to DHCP and the LAN set to a standard address of 192.168.100.1. I did not set a domain nor did I set any DNS this time when I did the wizard setup. Before connecting the NetGate to my home LAN, my home laptop could resolve my work's website of www.xenetech.com with no issues. Once I install the NetGate to my home LAN and connect my laptop to the LAN of the NetGate, I can get onto the internet with no issues. I can get to google.com, homedepot.com etc. However, I cannot get to my work's website xenetech.com unless I type in the address of 70.169.64.116.
This leads me to believe that there is something still set internally wrong in the NetGate that did not get "reset" when I did the restore to factory from the console.
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
did not get "reset" when I did the restore to factory from the console.
Makes no sense... if you're saying it resolves.. And you can get to other internet sites.. There would be nothing in a default install of pfsense that would say - nope, going to let you get to IP address 1.2.3.4, but not this site on 4.5.6.7
And now you're saying you can get there if you put in the IP.. So that points to it NOT resolving..
In pfsense -- do a dns lookup in pfsense?
-
@johnpoz
I'll try to make it more clear. I believe the misunderstanding is because some of my messages are from when I was at my office and others are from when I am at home.

Right now I am at home. I work from home and my normal work "office" is in Baton Rouge about 35 min away. My work is currently running a SonicWall firewall that is on its EOL. I am wanting to replace it with a new NetGate SG-3100.
I am doing all of my latest testing from home. With the NetGate not connected at home, I can open my browser, Chrome, and I can connect to my work's website with no problem using www.xenetech.com. So it resolves correctly from my home when the NetGate is not connected.
Now, I connect up my NetGate 3100 at home via a console connection and select to do a factory reset. After some time it resets and is ready to go. I then disconnect my laptop from my home network and connect it to the newly reset SG-3100. I type in 192.168.1.1 and log into the 3100. I proceed with the generic wizard setup. I select DHCP for the WAN and 192.168.100.1 for the LAN. Everything else is just the defaults, no NATs, nothing. I then proceed to connect my home LAN to the WAN of the NetGate and my laptop to the LAN of the NetGate. I open Chrome and I can get to any site I want to except www.xenetech.com.
Yes, you are correct. This makes no sense. I should be able to get to any site that worked before I connected the NetGate. This is why I'm saying something must not be getting released/reset from my original setup try while I was at my work when I first tried to set this up on site. I went into my work a couple of weeks ago and tried to set this up. There were several places where I believe I mistakenly put in my website address when I should have only put in my domain name.
Ever since that first setup try I've had nothing but problems.

This is why I am going to try a USB flash restore to set the box truly to factory (I hope). Now I may be mistaken and just stupid when it comes to working with the NetGate, but am I wrong in assuming that I should be able to get to xenetech.com from my home when going through the NetGate from a fresh setup with the WAN set to DHCP and LAN set to a basic address? NetGate not installed I can pull up xenetech.com; NetGate installed I cannot.
I'll let you know what happens after the flash of the firmware.
Regards,
-
@JLundberg:
This behavior would indicate to me that perhaps there is a lingering definition somewhere in the DNS Resolver configuration on the SG-3100 that is pointing to the internal web address of your web server. I would expect the factory reset to get rid of that, but perhaps it's not doing so for some reason. Setting the domain name within the SG-3100 (and potentially within the DNS Resolver) like you did may also come into play here.

Log into the SG-3100 web GUI and then go to DIAGNOSTICS > DNS LOOKUP and then attempt to look up www.xenetech.com. See what the firewall comes back with, if anything. On my personal firewall, that URL resolves to 70.169.64.116.
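The check bmeeks describes above can be scripted so the answers from several resolvers are compared side by side. The script below is an added example written for this thread, not code from pfSense, Netgate or any poster: it parses the text output of `dig` (the first sample is the output pasted earlier in the thread, which resolves www.xenetech.com to 70.169.64.116 via 192.168.3.10) and flags the answer patterns that would point at a stale entry in the firewall's DNS Resolver, namely a failed lookup or a private (RFC 1918) address returned for a name that should resolve to a public one. The second sample, the resolver 192.168.100.1 and the address 192.168.100.50 are constructed to illustrate that case and are not something the thread observed.

```python
"""Compare what different resolvers return for one hostname (added example)."""
import ipaddress
import re

# dig output as pasted in the thread (home resolver 192.168.3.10, prompt line dropped)
DIG_HOME = """
; <<>> DiG 9.16.4 <<>> www.xenetech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54935
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xenetech.com. IN A

;; ANSWER SECTION:
www.xenetech.com. 7155 IN A 70.169.64.116

;; Query time: 5 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Sun Jun 28 21:02:15 Central Daylight Time 2020
;; MSG SIZE rcvd: 61
"""

# CONSTRUCTED sample: what a lingering host override in the firewall's DNS
# Resolver could look like - the same name answered with a LAN address.
# Resolver 192.168.100.1 and address 192.168.100.50 are made up for this example.
DIG_FIREWALL_OVERRIDE = """
; <<>> DiG 9.16.4 <<>> www.xenetech.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.xenetech.com.		IN	A

;; ANSWER SECTION:
www.xenetech.com.	3600	IN	A	192.168.100.50

;; SERVER: 192.168.100.1#53(192.168.100.1)
"""

EXPECTED_PUBLIC_IP = "70.169.64.116"  # the answer the thread's own dig returned

# One answer-section record: "<name> <ttl> IN <A|AAAA> <address>"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$", re.MULTILINE)


def parse_dig(text):
    """Extract status, the resolver that answered, and the A/AAAA answers."""
    status = re.search(r"status:\s*([A-Z]+)", text)
    server = re.search(r";; SERVER:\s*(\S+)", text)
    return {
        "status": status.group(1) if status else None,
        # "192.168.3.10#53(192.168.3.10)" -> "192.168.3.10"
        "server": server.group(1).split("#")[0] if server else None,
        "answers": [addr for (_, _, _, addr) in ANSWER_RE.findall(text)],
    }


def classify(result, expected_ip=EXPECTED_PUBLIC_IP):
    """Decide whether one resolver's answer looks healthy or suspicious."""
    if result["status"] != "NOERROR":
        return "lookup-failed"
    if not result["answers"]:
        return "no-answer"
    addrs = [ipaddress.ip_address(a) for a in result["answers"]]
    if any(a.is_private for a in addrs):
        return "private-address"  # stale host override / split-DNS suspect
    if expected_ip in result["answers"]:
        return "ok"
    return "unexpected-address"


def compare_resolvers(outputs):
    """Map resolver address -> (verdict, answers). Disagreement between the
    resolvers is the symptom the thread describes: works without the firewall
    in the path, fails with it."""
    report = {}
    for text in outputs:
        r = parse_dig(text)
        report[r["server"]] = (classify(r), r["answers"])
    return report


if __name__ == "__main__":
    for server, (verdict, answers) in compare_resolvers(
        [DIG_HOME, DIG_FIREWALL_OVERRIDE]
    ).items():
        print(f"{server:16} {verdict:18} {answers}")
```

In practice you would feed it the output of `dig www.xenetech.com @<resolver>` for the home resolver, the SG-3100's LAN address and a public resolver such as 8.8.8.8, and look for a row whose verdict differs from the rest; the "private-address" verdict is the one that would confirm the lingering-definition theory.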
-
@bmeeks
The lookup always comes back fine.
Now get this. And this is my mistake for not trying earlier, however, I don't understand it... I tried using google again right after the lookup and it still did not go to the website. Then I tried Edge, it goes to it correctly. I can pull up my work's website with Edge but not google when the NetGate is connected. If the NetGate is not connected both work fine.
-
@JLundberg said in I'm missing something... trying to log into company web internally opens up firewall:
@bmeeks
The lookup always comes back fine.
Now get this. And this is my mistake for not trying earlier, however, I don't understand it... I tried using google again right after the lookup and it still did not go to the website. Then I tried Edge, it goes to it correctly. I can pull up my work's website with Edge but not google when the NetGate is connected. If the NetGate is not connected both work fine.
That really makes no sense to me. If the pfSense connection works for Edge, it should work with Chrome as the browser since pfSense itself is 100% browser agnostic.
With pfSense in the loop, you will have double-NAT, but that should not matter to the browser at all. Could you perhaps have been staring at this problem for too long and maybe you are now overlooking something that would otherwise be obvious ???
At this point you might want to do a packet capture on the WAN and LAN sides of the pfSense box and repeat your tests with Chrome and Edge. Compare the results. Maybe that will uncover the issue.
-
@bmeeks very good answer! Thanks,
-
@bmeeks
I'll have to look at the packet capture to see what is going on at this point. I set everything up this morning again fresh with just the very basic default settings on the NetGate box and this is what I have found. No NetGate installed on my home network, I can connect to my site with Chrome and Edge. Put in the NetGate and only Edge will see my site. I tried to do a reinstall from the flash image and it gave me an error not being able to read the drive. I followed the support link and used the program they suggested to image my flash drive and it did fine; even its test said it was fine. So I'm now looking for a new flash drive to retry to redo the image.

I know you guys think I'm missing something simple because what I'm telling you just can't happen... Well if it can, it will happen to me. I really can't tell you any more than what I have, and I almost went through writing my last couple messages as I was doing it here at the house. I don't know how much more of a basic setup I can get. I'll shut up :-) once I'm able to get a new image on my box to see if that has anything to do with something residual not being reset.
But like you said, the browsers are supposed to be 100% agnostic. So something is going on here. If I can do a lookup and it comes back fine, then why shouldn't both browsers act the same?
Thank you for all your comments. I will do a packet capture and see what's going on. Too weird.
-