Netgate Discussion Forum
    Can't reach own server (HTTP) from outside the network
    Category: Firewalling (35 posts, 3 posters, 4.3k views)

    • Derelict (LAYER 8 Netgate)

      So if you think packets are arriving on WAN1 properly, then the next step is to capture on whatever interface is connected to 192.168.1.2, filtered on port 5050, attempt again, and see what it shows.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • brechtb

        After reboot I get this:

        11:59:04.197040 IP 91.179.143.196.20247 > 192.168.1.3.5050: tcp 0

        Now 192.168.1.3 is correct!
        Still no page to be seen (can't reach this page)

        • Derelict (LAYER 8 Netgate)

          People and their cockamamie ISPs and their cockamamie setups. Lord help me.

          What does pfSense think its WAN1 address is?

            • brechtb

            I did as you asked: I set the interface to LAN in the packet capture, and now it shows this:

            12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
            12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
            12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
            12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
            12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
            12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0

              • brechtb

              @Derelict:

              People and their cockamamie ISPs and their cockamamie setups. Lord help me.

              What does pfSense think its WAN1 address is?

              See attachment

              Capture2.PNG

                • Derelict (LAYER 8 Netgate)

                I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.

                  • brechtb

                  @Derelict:

                  I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.

                  Ok, thanks anyway. The only thing I didn't say is that I have a multi-WAN setup (load balancing + failover WAN1 + failover WAN2).

                    • johnpoz (LAYER 8 Global Moderator)

                    In your drawing you show "modem" with port forwards enabled?? But then you show pfSense with public IPs on its WAN.. That makes NO sense..

                    So you're outside and trying to go to your WAN1 IP 91.179.143.196.5050

                    And you want this 5050 to be forwarded to 192.168.1.2; that is what you show in your port forwards..

                    Then why do you show this traffic on your LAN from some other box?

                    12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                    12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0

                    What is this 192.168.1.36 machine? He is trying to access your public WAN IP from inside your network, so you want NAT reflection to work?? If you want a box on your network to talk to 192.168.1.2, why do you not just talk to it directly vs going to your WAN IP via, I am guessing, some DynDNS FQDN that points to your WAN??

                    The traffic you're interested in would be coming from some public IP going to your 192.168.1.2 box that you say is not working.. Well, sniff on your WAN using this 192.168.1.2 as the host IP, or the public IP you're coming from, in the packet capture filter so you don't see data that is not what you're looking for.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • brechtb

                      Yes, the modem doesn't do anything anymore except some routing; the PPPoE sessions are established on the pfSense router, not on the modem, so the public WAN IPs are on pfSense.

                      I wanted to show that I can access it via LAN, so what I did was a packet capture on LAN, then I went to 192.168.1.3 (not 2, this was wrong) and these were the results I got…

                      12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                      12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                      12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                      12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                      12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                      12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0

                      EDIT: I did the same today and got no packets, even though I can access the site via LAN (192.168.1.3:5050); I see the site... So I guess that was some leftover crap.

                      If I do a packet capture on WAN1 and go to my WAN1 public IP (91.179.143.196:5050) then I get these results; this was 10 min ago:

                      11:51:45.744238 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
                      11:51:46.755526 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
                      11:51:48.757056 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0

                        • johnpoz (LAYER 8 Global Moderator)

                        Dude, how are you going to your public IP: from a box inside your network or OUTSIDE? If you want to test port forwarding you need to come from outside. If you're inside going to your WAN IP, that relies on NAT reflection for port forwarding to work, and it is quite often a fail.

                        If you sniffed on your LAN and were coming from outside and you see the traffic going to the IP and port you want, i.e. 192.168.1.3.5050, and you don't get a return, then the box didn't answer you, or it sent it to a different gateway?

                        Have you gone through the port forwarding troubleshooting guide? It really is 1 min to troubleshoot why a port forward might not work.. What I can tell you, in all the time I have been here and all the posts about port forwarding, is it's always PEBKAC!! Forwarding to the wrong IP, firewall on the box you're forwarding to. Service not running or listening on the port being forwarded to. Going to the wrong IP, pfSense behind a double NAT, ISP blocking the port from even getting to pfSense, etc. etc. etc..

                        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                        If you see traffic on your pfSense LAN sending to where you want, and you don't see an answer, either the box isn't listening on that port, you're sending it to the wrong box?? Or the box sent the answer elsewhere.. None of which has anything to do with pfSense.. From that sniff you show it sending traffic to 192.168.1.3:5050 -- where is the response?? Since 192.168.1.3 now does actually see the packets.. Maybe you have a dupe IP issue and pfSense sent traffic to the wrong MAC?

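An added example, not from the thread or from pfSense itself: it applies johnpoz's reasoning above to the capture lines posted in this thread, grouping pfSense packet-capture output into flows, flagging tests run from a LAN host against the WAN address (NAT reflection), and reporting forwarded flows that never get a reply from the target. The LAN subnet and the two outside clients 203.0.113.7 and 198.51.100.9 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample input: the capture lines quoted in the thread, plus lines
# from two outside clients (203.0.113.7 answered, 198.51.100.9 not) invented here.
CAPTURE = """\
12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
11:51:45.744238 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
11:51:46.755526 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
11:52:10.000000 IP 203.0.113.7.51234 > 192.168.1.3.5050: tcp 0
11:52:10.010000 IP 192.168.1.3.5050 > 203.0.113.7.51234: tcp 0
11:53:00.000000 IP 198.51.100.9.40000 > 192.168.1.3.5050: tcp 0
"""
WAN_IP = "91.179.143.196"   # the WAN1 address posted in the thread
LAN_NET = "192.168.1.0/24"  # assumption: the LAN subnet behind pfSense

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_capture(text):
    """Parse tcpdump-style pfSense capture lines into (src, sport, dst, dport)."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts

def analyse_flows(text, wan_ip, lan_net):
    """Group packets into flows keyed (client_ip, client_port, server_ip, server_port) and judge each."""
    lan = ipaddress.ip_network(lan_net)
    flows = {}
    for src, sport, dst, dport in parse_capture(text):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            flows[rev]["reverse"] += 1
        else:  # the first packet seen decides which side is the client
            flows.setdefault(fwd, {"forward": 0, "reverse": 0})["forward"] += 1
    for (cip, _, sip, sport), f in flows.items():
        if ipaddress.ip_address(cip) in lan and sip == wan_ip:
            f["verdict"] = "inside test against the WAN IP (NAT reflection), not a valid port-forward test"
        elif cip == wan_ip:
            f["verdict"] = "source is the firewall's own WAN address, not an outside client"
        elif f["reverse"] == 0:
            f["verdict"] = f"no reply from {sip}:{sport}: not listening, wrong host, or answered via another gateway"
        else:
            f["verdict"] = "two-way traffic: the forward reaches the target and the target answers"
    return flows

if __name__ == "__main__":
    for (cip, cport, sip, sport), f in analyse_flows(CAPTURE, WAN_IP, LAN_NET).items():
        print(f"{cip}:{cport} -> {sip}:{sport} fwd={f['forward']} rev={f['reverse']} | {f['verdict']}")
```

Run it against a real capture by replacing CAPTURE with the text pasted from Diagnostics > Packet Capture; a flow with a "no reply" verdict points at the target host, not at the port forward.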
                          • brechtb

                          Holy crap, it works! I was testing from inside, not from outside. I switched off Wi-Fi on my phone, went to the WAN1 IP and TADA.

                          So indeed it was PEBKAC, I am turning red now. Well, on my previous setup I could access the sites from inside too, so that's why I thought it would work also and never thought to try to access it from the outside.

                          No way to make it work so that I can access the sites from inside too? Anyway, I'm already glad I can access them from outside.

                            • johnpoz (LAYER 8 Global Moderator)

                            Dude, I just did a scan on your IP.. And yeah, it's open to the outside

                            Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-25 05:19 Central Daylight Time
                            Nmap scan report for snipped-179-91.adsl-dyn.isp.belgacom.be (91.179.snipped)
                            Host is up (0.066s latency).
                            Not shown: 992 filtered ports

                            PORT     STATE  SERVICE
                            21/tcp   open   ftp
                            80/tcp   open   http
                            139/tcp  closed netbios-ssn
                            443/tcp  open   https
                            1433/tcp open   ms-sql-s
                            1723/tcp open   pptp
                            5050/tcp open   mmcc
                            8080/tcp open   http-proxy

                            Nmap done: 1 IP address (1 host up) scanned in 13.00 seconds

                            139 prob shows blocked because I block that outbound on purpose, because of how stupid Windows is ;)

                            Dude, having so much open is not a good idea.. So just try and log in and hit this server all day long with the administrator password. Your MSSQL is open to the public internet on 1433..

                            Why do you have PPTP open?? Just use OpenVPN to pfSense!! and then hit all your shit.. I can see having Plex open on 32400, but why all these other ports.. It's a BAD BAD BAD idea to open such services to the public net unless you know for sure what you're doing.. And from this thread I would have to say that is not really the case.

                            As to stuff working from inside, go to the local IP or set up host overrides so your public FQDNs resolve to your internal IPs when you're internal. NAT reflection is actually an abomination that should be avoided at all costs! ;)

                            Also, it might be a good idea to edit/remove the stuff showing your public IP..

                            openscan.jpg

                              • brechtb

                              I'm not too worried, it's a home server with some movies and SQL is for testing purposes; nothing is in production on my server and the data is not interesting. Also, my public IP is dynamic, I already changed it.

                              Thx anyway for your concern.

                                • johnpoz (LAYER 8 Global Moderator)

                                "I'm not too worried,"

                                Wow.. and this is why we have all the noise on the net in the first place.. If scanning for open stuff didn't return anything open then there wouldn't be any point in scanning. Just like spam… That 1 guy that responds/follows the link they get in some junk email for every billion sent out is why they continue to send more and more of it..

                                Wonder how concerned you will be when they fill up your space because you have an FTP server and they like to use it to store their junk. Or once they log into your box and install some crap and now it phones home and gives them access whenever they want no matter what your IP changes to, and you're part of their botnet doing DDoS for anyone that will pay 10 cents a node.. And your pipe is full and you cannot use it, or your ISP contacts you because of it, etc. etc.. Or when all your files get encrypted and they want $500 to unencrypt them. Or you wonder why your CPU is 100% all the time because it's mining for Bitcoin, etc.

                                I have nothing of interest, my IP changes -- well shit, why do you need a firewall at all then? ;) Good luck.. Who wants to start a pool on how long it takes for his system to get owned? If it isn't already ;)

                                  • brechtb

                                  I've been working 4 years as service desk, did server administration during that time, and now I've been a consultant web dev for another 5 years; I'm pretty sure I know that leaving some ports open for test sites and a few basic applications isn't the end of the world. In what world do you live where you think every PC connected to the web will be infected or hacked? Chill man… If I see suspicious activity I will close them and find another solution, but these are just test sites to show the client the progress man, no worries. And yeah, on the second server I run CouchPotato, Plex etc. Don't think these Windows Server 2012 R2 servers are not configured and fully unprotected.

                                  Anyway, let's just agree to disagree and leave it at that. I came here for a problem I thought was pfSense, or a faulty setup, but finally it was a mistake at my end...

                                    • johnpoz (LAYER 8 Global Moderator)

                                    Hey dude, it's your box - leave all the ports open.. it's no skin off my nose, that is for sure.. Just trying to offer some advice is all.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.