Netgate Discussion Forum

    Can't reach own server (HTTP) from outside the network

      brechtb

      Hi,

      I just set up pfSense and everything works, NAT etc, only one thing doesn't work. I can't seem to be able to connect to my websites running on my server from WAN.

      I set up portforwarding, but to no avail.

      I can't insert images but I have them attached, so there is a screenshot of NAT and Firewall rules.

      Do I need to set up something else than port forwards?

        Derelict LAYER 8 Netgate

        Why do you have a source port (80) set?

        You had to click Advanced and then ignore this:

        Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          brechtb

          @Derelict:

          Why do you have a source port (80) set?

          You had to click Advanced and then ignore this:

          Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

          The source port is only for LAN address, this was the default rule that was added so you could not be locked out from the web interface, I highly doubt that is the problem, because all the other websites don't work either (5050, 6060, 8080 etc)

            Derelict LAYER 8 Netgate

            Oh you're right. Source port is still not correct in that case.

            You must have another device in front of WAN1 then or it would be working.

            Use this checklist:

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

              brechtb

              Fuck, I removed the source port on the 80 lan address like you said, of course I cannot log in to the web interface anymore.

              How do I set that port back via the shell? I'm really a noob, and never really worked with the shell.

              edit good thing I have enabled SSH, so I can get into that…

                Derelict LAYER 8 Netgate

                Source port is generally meaningless. HTTP connections are never sourced on port 80.

                  brechtb

                  Ok, can you please tell me how to set the source port back to 80 for that LAN address, so I can access the webconfigurator again, as I told you, this was the default setting that pfSense put there so that you can not be locked out from the webconfigurator.

                  I looked on google but cannot find an answer immediately…

                  edit I restored a previous backup, so I can access the webconfigurator again

                    Derelict LAYER 8 Netgate

                    Use console option 15 and restore the config from before you made the change.

                    You have something configured in a decidedly unorthodox fashion if that made any sort of difference.

                      brechtb

                      Ok, I used option 15, and I got my previous setup back, let's ignore port 80 for now, and focus on port 5050 for example.

                      I changed one port to the following in the attachment, but it doesn't work either.

                      edit by the way, port forward 32400 (PLEX) works, I can access Plex from outside, just not the websites I have running on my server

                        Derelict LAYER 8 Netgate

                        Dude. Did you go through the checklist here?

                        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                        That covers about every possible thing that could keep your port forward from working.

                        You are getting pretty clicky-clicky. There is no reason to dork with NAT reflection when testing from outside. There is no reason to change the associated filter rule from Create associated rule to Pass. This stuff really does work. If you do the basics and it does not work it is probably something in the troubleshooting checklist posted earlier.

                          brechtb

                          @Derelict:

                          Dude. Did you go through the checklist here?

                          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                          That covers about every possible thing that could keep your port forward from working.

                          Yes dude, I checked the checklist here, client allows port 5050 in the firewall, client has default gateway address pointing to the pfsense router, ISP doesn't block it (it worked with my previous router), there's a router before pfsense too (my modem) and there the port forwards are also set (I left it like it was with my previous setup that worked), I have no virtual IP, that may be the problem maybe? The WAN connection is set as the default gateway. I can access the website through LAN. WAN rules don't have a gateway set.

                          Really, I checked it and it seems to be configured correctly, I just followed the guide on portforwards in pfSense and did exactly like the guide said.

                          I understand that you might be a bit frustrated because you might think that I'm not listening to you, but I am, I want this problem to be solved too and I'm doing all the suggestions you give me, thanks BTW.

                          At first I thought it might be a DNS problem, but when I try to connect to the website via IP address it also doesn't work.

                            Derelict LAYER 8 Netgate

                            My problem is if you had done all that it would be working.

                            Guess packet captures of connection attempts on all the pertinent interfaces are in order.

                            Anything interesting in the firewall logs filtered on port 5050?

                              brechtb

                              I cleared the log file in Status > System Logs > Firewall > Normal View, then I browsed to the website on port 5050 (WAN1) and there is no entry in the logfile for that port.

                              I attached screenshot of a part of the log file.

                              If the firewall doesn't block it, does that mean that the portforward is correctly configured and that it is another problem?

                              Sorry, I didn't filter it, but I attached a filtered view, no entries….

                                Derelict LAYER 8 Netgate

                                Or it means the traffic is not arriving on WAN1 in the first place. I would packet capture on port 5050 on WAN1, attempt again, and see what it shows.

                                  brechtb

                                  Yes, you are right, no packets are captured on port 5050,

                                  So it is a problem with something else…

                                  Attached is how my setup is configured

                                  EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:

                                  11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                  11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                  11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                  11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                                  11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                                  11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0

                                  The first IP is correct, the second IP is an old public IP (I have a dynamic IP)

                                    Derelict LAYER 8 Netgate

                                    It must be in the upstream device. Have to look there. pfSense can't do anything with packets it doesn't receive.

                                      brechtb

                                      EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:

                                      11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                      11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                      11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                                      11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                                      11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                                      11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0

                                      The first IP is correct, the second IP is an old public IP (I have a dynamic IP)

                                        Derelict LAYER 8 Netgate

                                        What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.

                                        If 109.134.116.205 is not WAN1 address your port forwards won't match.

                                          brechtb

                                          @Derelict:

                                          What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.

                                          By old IP address I mean, I got this IP 109.134.116.205 on WAN1 (PPPOE), then I rebooted pfSense and I got the 81.240.101.105 as public IP, so why is there a previous IP in the packet capture?

                                          edit,

                                          Ok so I went to http://81.240.101.105:5050/ and now I get this:

                                          11:52:55.236104 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                                          11:52:56.242128 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                                          11:52:58.255926 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                                          11:53:04.169001 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
                                          11:53:05.177315 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
                                          11:53:07.177541 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0

                                          But the 192.168.1.2.5050 should be 192.168.1.3:5050

                                          That was the old config (reset the backup) TIME FOR A REBOOT

                                            Derelict LAYER 8 Netgate

                                            So if you think packets are arriving on WAN1 properly, then the next step is to capture on whatever interface is connected to 192.168.1.2, filtered on port 5050, attempt again, and see what it shows.

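The capture-reading steps discussed in this thread, as an added example that is not part of any post and is not pfSense code: it parses tcpdump summary lines in the form posted above and reports a destination address that does not match what the interface should see, plus connection attempts that are repeated with no reply. The function names and the `expected_dst` parameter are assumptions made for this illustration; the sample capture is copied from the thread.

```python
import re
from collections import Counter

# tcpdump summary lines in the form posted in the thread:
#   11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
LINE = re.compile(r"^\s*[\d:.]+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): tcp (\d+)\s*$")

# Capture taken on WAN1, copied from the thread.
WAN_CAPTURE = """\
11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
"""

def parse(capture):
    """Return (src, sport, dst, dport, length) per matching line; skip the rest."""
    rows = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            rows.append((src, int(sport), dst, int(dport), int(length)))
    return rows

def diagnose(capture, port, expected_dst):
    """Findings for a capture filtered on `port`.

    expected_dst (an input you supply) is the address packets should carry on
    the captured interface: the current WAN address on WAN, or the port
    forward's target host on the inside interface.
    """
    rows = parse(capture)
    inbound = [r for r in rows if r[3] == port]   # client -> service
    replies = [r for r in rows if r[1] == port]   # service -> client
    if not inbound:
        return ["no traffic to port %d seen on this interface" % port]
    findings = []
    wrong = sorted({r[2] for r in inbound if r[2] != expected_dst})
    if wrong:
        findings.append("destination %s is not %s" % (", ".join(wrong), expected_dst))
    # Inference: the same source/port/destination repeated with zero payload
    # and nothing coming back is a connection attempt being retransmitted.
    attempts = Counter(r[:3] for r in inbound if r[4] == 0)
    retried = sum(1 for n in attempts.values() if n > 1)
    if not replies:
        findings.append("%d connection attempt(s), %d retried, no reply seen"
                        % (len(attempts), retried))
    return findings or ["traffic is addressed as expected and replies were seen"]
```

Run it once per interface, as the thread does: first against the WAN1 capture with the current WAN address, then against the inside-interface capture with the port forward's target host.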