Netgate Discussion Forum

Issue connecting to server behind firewall from outside (SOLVED!)

Category: NAT
radiowave911

      I am having an issue that I am not sure where it belongs.  Our icecast stream server is inaccessible from the internet following a rebuild of the firewall and a restoration of the configuration.

I have a setup with multiple networks internally - let's call them A, B, C, and D.  I also have a small block of public IP addresses from our ISP.  One of these is assigned to the WAN interface.  Another is set up in DNS (externally hosted) as the address of our stream.  The stream server lives on subnet B.  I have a 1:1 NAT set up for the stream server public IP to its internal IP.  I have a WAN rule allowing traffic to the stream server's public IP on port 8000 (the streaming media port for my Icecast server).  I have a rule in subnet B allowing traffic from anywhere to the stream server's address on subnet B.

I can reach the stream server from internal networks (A, B, C, D, etc.).  The stream server can reach hosts on internal networks as well.  I cannot reach the stream server from the internet nor can I reach the internet from the stream server.  I can ping the WAN IP address but cannot ping anything beyond that IP, such as the WAN upstream gateway address.

      I see no entries in the firewall logs, I am logging on almost all pass rules and am logging all block rules.  The only entries I see for the stream server are connections from the stream encoders (located on network A).  I am seeing no blocked entries at all for the stream server.

      Suggestions on where to look next are most welcomed.

KOM

        Post screens of your NATs and firewall rules with any public IPs obscured.  Have you gone through this list?

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Is it possible that your stream server's network config is funky?  Assuming you've added an Allow All for Any rule on Subnet B, the stream server should be able to hit everything.

Derelict LAYER 8 Netgate

          I have a WAN rule allowing traffic to the stream server's public IP on port 8000 (the streaming media port for my Icecast server)

          Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
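As an added illustration of the point made in the reply above (this is not part of the thread and not pfSense's own code), here is a small Python model of the order pfSense applies on an inbound packet: 1:1 NAT translation first, then WAN rule matching against the post-NAT destination. The public VIP, the outside client address and the rule objects are constructed for the example; the inside address 192.168.92.24 is the one named later in the thread. Running it shows why a WAN pass rule written against the public VIP never matches, while the same rule written against the inside address does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address
from typing import List, Optional

# Constructed addresses for the example (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts).
PUBLIC_VIP = ip_address("203.0.113.20")     # assumed: the 1:1 NAT outside address
INSIDE_HOST = ip_address("192.168.92.24")   # inside address named in the thread
OUTSIDE_CLIENT = ip_address("198.51.100.7") # assumed: a listener on the internet
STREAM_PORT = 8000                          # Icecast port from the thread


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: Optional[IPv4Address]   # None means "any"
    dport: Optional[int]         # None means "any"
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto == pkt.proto
            and (self.dst is None or self.dst == pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# 1:1 (binat) table: outside VIP -> inside host.
BINAT = {PUBLIC_VIP: INSIDE_HOST}


def apply_binat(pkt: Packet) -> Packet:
    """Inbound 1:1 NAT: rewrite the destination if it is a mapped VIP."""
    inside = BINAT.get(pkt.dst)
    if inside is None:
        return pkt
    return Packet(pkt.src, inside, pkt.dport, pkt.proto)


def filter_wan(pkt: Packet, rules: List[Rule]) -> str:
    """Translate first, then evaluate WAN rules top-down; default deny."""
    post_nat = apply_binat(pkt)
    for rule in rules:
        if rule.matches(post_nat):
            return rule.action
    return "block"


# The inbound stream connection as it arrives on WAN (pre-NAT destination).
INBOUND = Packet(OUTSIDE_CLIENT, PUBLIC_VIP, STREAM_PORT)

# The two ways the WAN rule could be written.
RULE_ON_PUBLIC_VIP = Rule("pass", PUBLIC_VIP, STREAM_PORT)
RULE_ON_INSIDE_HOST = Rule("pass", INSIDE_HOST, STREAM_PORT)


def result_with_public_rule() -> str:
    """Rule keyed on the public VIP: never seen post-NAT, so default deny."""
    return filter_wan(INBOUND, [RULE_ON_PUBLIC_VIP])


def result_with_inside_rule() -> str:
    """Rule keyed on the inside address: matches the translated packet."""
    return filter_wan(INBOUND, [RULE_ON_INSIDE_HOST])


if __name__ == "__main__":
    print("WAN rule to public VIP :", result_with_public_rule())   # block
    print("WAN rule to inside host:", result_with_inside_rule())  # pass
```

The model is deliberately minimal (no state table, no source matching, no interface binding), but the ordering it encodes is the one that matters for the thread: a rule that filters on the pre-NAT address can only ever produce the default deny, which is also why nothing useful shows up in the logs unless block rules on the default deny are being logged.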

radiowave911

            Here are the images:

            NAT Configuration:

            Orange (Network B) Firewall rule:

            WAN Firewall rule:

            I did look at the port forward troubleshooting, I had already done some of those steps.  There is a temporary any any rule on subnet B, and it can hit anything.

Since posting, I did tear out the rules and NAT configuration and re-added them, this made one minor difference - I can now ping the WAN upstream gateway, however I cannot ping outside my networks - for example to Google.com.  The name resolves, but I get no responses.  Still nothing in the firewall logs.

radiowave911

              @Derelict:

              Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.

              I modified the WAN rule with no change.  Still can't get to the internet from the stream server nor can I reach the stream server from the internet.

Derelict LAYER 8 Netgate

                Then you have more wrong.

                Can you ping outside addresses if you choose the outside VIP you are 1:1 natting as the source address?

                Post up the screen shots. 1:1 NAT, firewall rules on both outside and inside addresses.

                Be sure the inside host has pfSense as its gateway.

KOM

                  Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24?  You have it obscured as if it were public.

radiowave911

                    I cannot ping outside addresses from the VIP.

                    I posted the images of the 1:1 NAT, WAN and ORANGE (network B) rules above.

                    To add to the weirdness - if I disable the static DHCP mapping, and allow the server to obtain an address on the ORANGE subnet, I can get outside just fine.  It almost seems as though this specific IP address is being blocked somewhere.

The part of all this that has me bothered is that it was working fine up until the hardware issues that caused me to replace the old box.  I exported the configuration from the old box then restored it to the new box.  All I had to change was fix the interface mapping as the names changed (i.e. from bge0 to em1 for the LAN side).  The only thing failing is the NAT for this specific box.

                    Would maybe trying a different address altogether be something to try?  I have one more public address that is unused.

radiowave911

                      @KOM:

                      Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24?  You have it obscured as if it were public.

                      When I took the screenshot it was public.  It is now the 192.168.92.24 address, no change in behavior.

Derelict LAYER 8 Netgate

                        I cannot ping outside addresses from the VIP.

                        Then you need to troubleshoot that.

                        There is not a lot involved there from the firewall's perspective. It sends the echo request to the ISP and waits for a reply.

radiowave911

                          I'm getting further.  I went ahead and changed the addresses - used a new external address and a new internal address.  I can now get to internet hosts from the server box, still cannot reach the server from the internet.  Ping works from the new VIP address.

                          Derelict gave me something to think about though.  I am going to reboot the router from our ISP.  I am wondering if it has something cached with relation to the old VIP address….

radiowave911

                            SOLVED!

                            First, thanks for the help and suggestions.

                            It looks like the Comcast router was not passing the traffic to the firewall in the first place.  A reboot of the Comcast router later and I can get to the stream server from outside again.

                            Now to clean up the extra rules I added and update the station's website to show the streams again.

                            Thanks again for the help and suggestions.

Derelict LAYER 8 Netgate

                              Glad you got it working.

                              (Gee, ISP router/modem problem. Who'da thunk it?)
