Can't surf to my own webserver (at DMZ) from LAN



  • Hi.

    My pfSense works very well, but... I can't surf to my own webserver from LAN or DMZ.

    How to set up a rule to make that possible?

    My setup is:

    WAN = ext.IP
    LAN = 192.168.5.1, with PC at 192.168.5.7
    DMZ (OPT1) = 192.168.1.1, with webserver at 192.168.1.5

    Everything works fine; I can go to all external webservers, but I can't go to my own webserver, which is at my DMZ, neither from PCs at LAN nor PCs/servers at DMZ.

    What is wrong?

    Thanks in advance.

    //Ben





  • First off double check that your web server really has a valid address and ping your firewall from the server,

    ping 192.168.1.1

    Then add the following LAN firewall rule;

    Protocol - TCP | Source - LAN Net | Source Port - * (any) | Destination - DMZ Net (or web server IP) | Destination Port - 80 | Gateway - * (default)

    Hope this helps



  • Thanks, but nope, doesn't help.

    The webserver has been running for years and it has a valid address. I can ping 192.168.1.1 (and also ping to 192.168.5.1 works) from the webserver.
    And it works fine to surf to the webserver from all external computers, coming through the WAN interface.

    Only LAN and DMZ don't work.

    So, anyone got more tips?

    //Ben

    @cheesyboofs:

    First off double check that your web server really has a valid address and ping your firewall from the server,

    ping 192.168.1.1

    Then add the following LAN firewall rule;

    Protocol - TCP | Source - LAN Net | Source Port - * (any) | Destination - DMZ Net (or web server IP) | Destination Port - 80 | Gateway - * (default)

    Hope this helps



  • @tarzzz:

    …but I can't go to my own webserver, which is at my DMZ, neither from PCs at LAN nor PCs/servers at DMZ.

    If you cannot reach a machine on the same subnet (…or PCs/servers at DMZ) then look at subnets / netmasks etc.
    Your firewall isn't involved when a PC in the DMZ accesses a server in there as well...

    errr, how do you want to access your web server locally? By local IP (http://dmz-ip) or external name (http://myserver.dyndns.org)?



  • @jahonix:

    @tarzzz:

    …but I can't go to my own webserver, which is at my DMZ, neither from PCs at LAN nor PCs/servers at DMZ.

    If you cannot reach a machine on the same subnet (…or PCs/servers at DMZ) then look at subnets / netmasks etc.
    Your firewall isn't involved when a PC in the DMZ accesses a server in there as well...

    errr, how do you want to access your web server locally? By local IP (http://dmz-ip) or external name (http://myserver.dyndns.org)?

    Well, I can "reach" the webserver at DMZ from LAN; for example, I can map network drives on the webserver, and ping works, but not http.

    It doesn't matter if I can reach it by http://192.168.1.5 or http://external.domain.name, but neither of those work. But I can open it as a file from the web-browser, then it works from LAN, but every link on the webpage that points to the webserver then doesn't work.

    //Ben



  • but I can't go to my own webserver, which is at my DMZ

    Well I can "reach" the webserver at DMZ from LAN

    Doesn't one contradict the other? My head is starting to hurt  :-\



  • @cheesyboofs:

    but I can't go to my own webserver, which is at my DMZ

    Well I can "reach" the webserver at DMZ from LAN

    Doesn't one contradict the other? My head is starting to hurt  :-\

    Well, my head hurts as h-l. I have had a couple of "networkers" look at it; they don't seem to solve the matter either.  :-\



  • If you cannot access your web server from the same subnet (DMZ) then there's something wrong with the netmask / DHCP / gateway / whatever.

    What networks and corresponding gateways and DNS servers did you define? Like 192.168.100.1/24 or /16 or … ?



  • If you can map drives then basic IP routing is working.  If you cannot access it from the DMZ then it rules out pfSense or routing as the problem.

    Your problem has to be somewhere on the web server host.  It could be a software firewall, or the configuration of the web server software.  Do you see connection attempts if you run tcpdump/wireshark/etc on the web server host?
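
An added example, not part of the original thread: the symptom described here (drive mapping works, HTTP does not) can be narrowed down from the LAN PC by comparing how TCP ports 445 and 80 on the web server answer a connection attempt. The addresses come from the thread; the function names `probe` and `interpret` are illustrative.

```python
import errno
import socket

# Addresses and ports taken from the thread; change them for your own network.
WEB_SERVER = "192.168.1.5"
PORTS = {445: "SMB (drive mapping works)", 80: "HTTP (fails)"}


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome.

    open     - SYN/ACK received: something is listening and reachable
    refused  - RST received: host reachable, nothing listening (or a reject rule)
    filtered - no answer: packet dropped on the path or by a host firewall
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def interpret(results):
    """Turn per-port results into the next thing to check."""
    http = results[80]
    if http == "open":
        return "TCP/80 connects: look at the web server's bind address / site config"
    if http == "refused":
        return "RST on TCP/80: web server not listening on this address, or a reject rule"
    if http == "filtered" and results.get(445) == "open":
        return "only port 80 is dropped: check pfSense and host firewall rules for TCP/80"
    return "nothing answers: check routing, netmask and gateway first"


if __name__ == "__main__":
    results = {p: probe(WEB_SERVER, p) for p in PORTS}
    for p, r in results.items():
        print(f"{WEB_SERVER}:{p} {PORTS[p]} -> {r}")
    print(interpret(results))
```

Running a packet capture on the web server at the same time shows whether the SYN for port 80 arrives at all, which separates a drop on the firewall from a drop on the host.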



  • @Cry:

    If you can map drives then basic IP routing is working.  If you cannot access it from the DMZ then it rules out pfSense or routing as the problem.

    Your problem has to be somewhere on the web server host.  It could be a software firewall, or the configuration of the web server software.  Do you see connection attempts if you run tcpdump/wireshark/etc on the web server host?

    I reinstalled the whole webserver, didn't help. Then I threw in an old D-Link 604 FW/router instead of pfSense, then everything works fine.

    So, I gave pfSense up. Probably I need a firewall-class to learn more before using pfSense

    I'll buy a GOOD FW/router instead of the 604.

    Thanks for your answers !

    //Ben



  • So, I gave pfSense up. Probably I need a firewall-class to learn more before using pfSense

    It's a real shame because that is the perfect opportunity to learn something and a great sense of achievement when you figure it out.



  • @cheesyboofs:

    So, I gave pfSense up. Probably I need a firewall-class to learn more before using pfSense

    It's a real shame because that is the perfect opportunity to learn something and a great sense of achievement when you figure it out.

    Yes, it's a shame, but I've put down many hours on the matter, and I did learn a lot. I'll come back to pfSense later.

    //Ben

