Can't reach own server (HTTP) from outside the network
-
Dude. Did you go through the checklist here?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
That covers about every possible thing that could keep your port forward from working.
You are getting pretty clicky-clicky. There is no reason to dork with NAT reflection when testing from outside. There is no reason to change the associated filter rule from Create associated rule to Pass. This stuff really does work. If you do the basics and it does not work it is probably something in the troubleshooting checklist posted earlier.
-
Dude. Did you go through the checklist here?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
That covers about every possible thing that could keep your port forward from working.
Yes dude, I checked the checklist here, client allows port 5050 in the firewall, client has default gateway address pointing to the pfsense router, ISP doesn't block it (it worked with my previous router), there's a router before pfsense too (my modem) and there the port forwards are also set (I left it like it was with my previous setup that worked), I have no virtual IP, that may be the problem maybe? The WAN connection is set as the default gateway. I can access the website through LAN. WAN rules don't have a gateway set.
Really, I checked it and it seems to be configured correctly, I just followed the guide on portforwards in pfSense and did exactly like the guide said.
I understand that you might be a bit frustrated because you might think that I'm not listening to you, but I am, I want this problem to be solved too and I'm doing all the suggestions you give me, thanks BTW.
At first I though it might be a DNS problem, but when I try connect to the website via IP address it also doesn't work.
-
My problem is if you had done all that it would be working.
Guess packet captures of connection attempts on all the pertinent interfaces are in order.
Anything interesting in the firewall logs filtered on port 5050?
-
I cleared the log file in Status > System Logs > Firewall > Normal View, then I browsed to the website on port 5050 (WAN1) and there I no entry in the logfile for that port.
I attached screenshot of a part of the log file.
If the firewall doesn't block it, does that mean that the portforward is correctly configured and that it is another problem?
Sorry, i didn't filter it, but i attached a filtered view, no entries….
-
Or it means the traffic is not arriving on WAN1 in the first place. I would packet capture on port 5050 on WAN1, attempt again, and see what it shows.
-
Yes, you are right, no packets are captured on port 5050,
So it is a problem with something else…
Attached is how my setup is configured
EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:
11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0The first IP is correct, the second IP is an old public IP (I have a dynamic IP)
-
It must be in the upstream device. Have to look there. pfSense can't do anything with packets it doesn't receive.
-
EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:
11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0The first IP is correct, the second IP is an old public IP (I have a dynamic IP)
-
What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.
If 109.134.116.205 is not WAN1 address your port forwards won't match.
-
What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.
By old IP address I mean, I got this IP 109.134.116.205 on WAN1 (PPPOE), the I rebooted pfSense and I got the 81.240.101.105 as public IP, so why is there an previous IP in the packet capture
edit,
Ok so I went to http://81.240.101.105:5050/ and now I get this:
11:52:55.236104 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
11:52:56.242128 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
11:52:58.255926 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
11:53:04.169001 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
11:53:05.177315 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
11:53:07.177541 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0But the 192.168.1.2.5050 should be 192.168.1.3:5050
That was the old config (resetted the backup) TIME FOR A REBOOT
-
So if you think packets are arriving on WAN1 properly, then the next step is to capture on whatever interface is connected to 192.168.1.2, filtered on port 5050, attempt again, and see what it shows.
-
After reboot I get this:
11:59:04.197040 IP 91.179.143.196.20247 > 192.168.1.3.5050: tcp 0
Now 192.168.1.3 is correct!
Still no page to be seen (can't reach this page)
-
People and their cockamamie ISPs and their cockamamie setups. Lord help me.
What does pfSense think its WAN1 address is?
-
I did like you asked me, I set the interface on LAN in the packet capture, now it shows this:
12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
-
People and their cockamamie ISPs and their cockamamie setups. Lord help me.
What does pfSense think its WAN1 address is?
See attachment
-
I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.
-
I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.
Ok, thanks anyway, the only thing I didn't say is that I have a Multiwan setup (loadbalancing + failover wan1 + failover wan2)
-
In your drawing you show "modem" with port forwards enabled?? But then you show pfsense with public IPs on its wan.. That makes NO sense..
So your outside and trying to go to your wan1 IP 91.179.143.196.5050
And you want this 5050 to be forwarded too 192.168.1.2 that is what you show in your port forwards..
When then why do you show this traffic on your lan from some other box?
12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0What is this 192.168.1.36 machine? He is trying to access your public wan IP from inside your network, so you want nat reflection to work?? If you want box on your network to talk to 192.168.1.2 why do you not just talk to it directly vs going to your wan IP via I am guessing some dyndns fqdn that points to your wan??
The traffic your interested in would be coming from some public IP going to your 192.168.1.2 box that you say is not working.. Well sniff on your wan using this 192.168.1.2 as the host IP or the public IP your coming from in the packet capture filter so you don't see data that is not what your looking for.
-
Yes the modem doesn't do anything anymore except for some routing, the PPPOE sessions are established on the pfSense router, not on the modem, so the public wan ip's are on pfsense.
I wanted to show that I can access it via LAN, so what I did was packet capture on lan, then I went to 192.168.1.3 (not 2, this was wrong) and these were the results I got…
12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0EDIT, did the same today and I got no packets, even though I can access the site via lan (192.168.1.3:5050), I see the site... So I guess that was some left over crap
If I do packet capture on WAN1 and go to my WAN1 public IP (91.179.143.196:5050) then I get these results, this was 10 min ago:
11:51:45.744238 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
11:51:46.755526 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
11:51:48.757056 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
-
Dude how are you going to your public IP – from a Box inside your network our OUTSIDE.. If you want to test port forwarding you need to come from outside. If your inside going to your wan IP that is a nat reflection for port forwarding to work, and is quite often a fail.
If you sniffed on your lan and were coming from outside and you see the traffic going to the IP and port you want IE 192.168.1.3.5050 and you don't get a return then box didn't answer you, or he sent it to a different gateway?
Have you gone through the port forwarding troubleshooting guide. It really is 1 min to troubleshoot why a port forward might not work.. What I can tell you in all the time I have been here, and all the posts about port forwarding is its always PEBKAC!! Forwarding to wrong IP, firewall on the box your forwarding too. Service not running or listening on the port being forwarded too. Going to the wrong IP, pfsense behind a double nat, isp blocking the port from even getting to pfsense, etc. etc. etc..
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
If you see traffic on your pfsense lan sending to where you want, and you don't see an answer either the box isn't listening on that port, your sending it to the wrong box?? Or the box sent the answer elsewhere.. None of which has anything to do with pfsense.. From that sniff you show it sending traffic to 192.168.1.3:5050 -- where is the response?? Since on 192.168.1.3 now does actually see the packets.. Maybe you have dupe IP issue and pfsense sent traffic to wrong mac?
-
Holy crap, it works, I was testing from inside, not from the outside. I switched off wifi on my phone, went to the wan1 ip and TADA.
So indeed it was PEBKAC, I am turning red now. Well on my previous setup I could access the sites from inside too, so that's why I thought it would work also and never tought to try to access it from the outside.
No way to make it work so that I can access the sites from inside too? Anyway, I'm already glad I can access them from outside.
-
dude I just did a scan on your IP.. And yeah its open to the outside
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-25 05:19 Central Daylight Time
Nmap scan report for snipped-179-91.adsl-dyn.isp.belgacom.be (91.179.snipped)
Host is up (0.066s latency).
Not shown: 992 filtered portsPORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp closed netbios-ssn
443/tcp open https
1433/tcp open ms-sql-s
1723/tcp open pptp
5050/tcp open mmcc
8080/tcp open http-proxyNmap done: 1 IP address (1 host up) scanned in 13.00 seconds
139 prob shows block because I block that outbound on purpose because of how stupid windows is ;)
Dude having so much open is not a good idea.. So just try and log in and hit this server all day long with the administrator password. Your mssql is open to the public internet 1433..
Why do you have pptp open?? Just use openvpn to pfsense!! and then hit all your shit.. I can see having plex open 32400, but why all these other ports.. Its a BAD BAD BAD idea to open such services to the public net unless you know for sure what your doing.. And from this thread I would have to say that is not really the case.
As to stuff working from inside, go to the local IP or set up host overrides so your public fqdn resolve to your internal IPs when your internal. Nat reflection is actually an abomination that should be avoided at all costs! ;)
Also might be good idea and edit/remove the stuff showing your public IP..
-
I'm not too worried, it's a home server with some movies and sql is for testing purposes, nothing is in production on my server and the data is not interesting. Also, my public ip is dynamic, I already changed it.
Thx anyway for your concern.
-
"I'm not too worried,"
Wow.. and this is why we have all the noise on the net in the first place.. If scanning for open stuff didn't return anything open then there wouldn't be any point of scanning. Just like spam… That 1 guy that responds/follows link they get in some junk email for every billion sent out is why they continue to send more and more of it..
Wonder how concerned you will be when they fill up your space because you have ftp server and they like to use it store their junk. Or once they login into your box and install some crap and now it phones home and gives them access when ever they want no matter what your IP changes too and your part of their bot net doing ddos for anyone that will pay 10 cents a node.. And your pipe is full and can not use it, or your isp contacts because of it, etc. etc.. Or when all your files get encrypted and they want $500 to unencrypt them. Or you wonder why your cpu is 100% all the time because its mining for bitcoin, etc.
I have nothing of interest, my IP changes -- well shit why you need a firewall at all then? ;) Good luck.. Who wants to start a pool on how long it takes for his system gets owned? If it isn't already ;)
-
I've been working 4 years as service desk, did server administration during that time, now I've been consultant web dev for another 5 years, I'm pretty sure I know that letting some ports open for test sites and a few basic applications isn't the end of the world. In what world do you live in where you think every pc connected to the web will be infected or hacked, chill man… If I see suspicious activity I will close them and find another solution, but these are just test sites to show the client the progress man, no worries. And yeah, on the second server I run couchpotato, plex etc. Don't think these Windows server 2012 r2 servers are not configured and fully unprotected.
Anyway, let's just agree to disagree and leave it at that. I came here for a problem I tought was pfsense, or a faulty set up, but finally it was a mistake at my end...
-
Hey dude its your box - leave all the ports open.. its no skin off my nose that is for sure.. Just trying to offer some advice is all.
