Issue connecting to server behind firewall from outside (SOLVED!)
-
I am having an issue that I am not sure where it belongs. Our icecast stream server is inaccessible from the internet following a rebuild of the firewall and a restoration of the configuration.
I have a setup with multiple networks internally - let's call them A, B, C, and D. I also have a small block of public IP addresses from our ISP. One of these is assigned to the WAN interface. Another is set up in DNS (externally hosted) as the address of our stream. The stream server lives on subnet B. I have a 1:1 NAT set up for the stream server public IP to it's internal IP. I have a WAN rule allowing traffic to the stream server's public IP on port 8000 (the streaming media port for my Icecast server). I have a rule in subnet B allowing traffic from anywhere to the stream server's address on subnet B.
I can reach the stream server from internal networks (A, B, C, D, etc.). The stream server can reach hosts on internal networks as well. I cannot reach the stream server from the internet nor can I reach the internet from the stream server. I can ping the WAN IP address but cannot ping anythign beyond that IP, such as the WAN upstream gateway address.
I see no entries in the firewall logs, I am logging on almost all pass rules and am logging all block rules. The only entries I see for the stream server are connections from the stream encoders (located on network A). I am seeing no blocked entries at all for the stream server.
Suggestions on where to look next are most welcomed.
-
Post screens of your NATs and firewall rules with any public IPs obscured. Have you gone through this list?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Is it possible that your stream servers network config is funky? Assuming you've added an Allow All for Any rule on Subnet B, the stream server should be able to hit everything.
-
I have a WAN rule allowing traffic to the stream server's public IP on port 8000 (the streaming media port for my Icecast server)
Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.
-
Here are the images:
NAT Configuration:
Orange (Network B) Firewall rule:
WAN Firewall rule:
I did look at the port forward troubleshooting, I had already done some of those steps. There is a temporary any any rule on subnet B, and it can hit anything.
Since posting, I did tear out the rules and NAT configuration and re-added them, this made one minor difference - I can now ping the WAN upstream gateway, however I cannot ping outside my networks - for example to Google.com. THe name resolves, but I get no responses. Still nothing in the firewall logs.
-
Firewall rules are checked after NAT. That has to be the inside (Post-NAT) address and port.
I modified the WAN rule with no change. Still can't get to the internet from the stream server nor can I reach the stream server from the internet.
-
Then you have more wrong.
Can you ping outside addresses if you choose the outside VIP you are 1:1 natting as the source address?
Post up the screen shots. 1:1 NAT, firewall rules on both outside and inside addresses.
Be sure the inside host has pfSense as its gateway.
-
Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24? You have it obscured as if it were public.
-
I cannot ping outside addresses from the VIP.
I posted the images of the 1:1 NAT, WAN and ORANGE (network B) rules above.
To add to the weirdness - if I disable the static DHCP mapping, and allow the server to obtain an address on the ORANGE subnet, I can get outside just fine. It almost seems as though this specific IP address is being blocked somewhere.
That part of all this that has be bothered is that it was working fine up until the hardware issues that caused me to replace the old box. I exported the configuration from the old box then restored it to the new box. All I had to change was fix the interface mapping as the names changed (I.E. from bge0 to em1 for the LAN side). The only thing failing is the NAT for this specific box.
Would maybe trying a different address altogether be something to try? I have one more public address that is unused.
-
@KOM:
Unless I'm mistaken, on your WAN rule, shouldn't the Destination be the post-NAT address, ie 192.168.92.24? You have it obscured as if it were public.
When I took the screenshot it was public. It is now the 192.168.92.24 address, no change in behavior.
-
I cannot ping outside addresses from the VIP.
Then you need to troubleshoot that.
There is not a lot involved there from the firewall's perspective. It sends the echo request to the ISP and waits for a reply.
-
I'm getting further. I went ahead and changed the addresses - used a new external address and a new internal address. I can now get to internet hosts from the server box, still cannot reach the server from the internet. Ping works from the new VIP address.
Derelict gave me something to think about though. I am going to reboot the router from our ISP. I am wondering if it has something cached with relation to the old VIP address….
-
SOLVED!
First, thanks for the help and suggestions.
It looks like the Comcast router was not passing the traffic to the firewall in the first place. A reboot of the Comcast router later and I can get to the stream server from outside again.
Now to clean up the extra rules I added and update the station's website to show the streams again.
Thanks again for the help and suggestions.
-
Glad you got it working.
(Gee, ISP router/modem problem. Who'da thunk it?)
