Outgoing to 8443
-
hi, I have a really anomalous problem because all the PC that are behind pfsense cannot access this address:
https: //x.y.z.j: 8443
I have tried with various versions up to 2.5 on different networks but in all cases this web page cannot be accessed, in pfsense there are no output limitations.
it really is an inexplicable situation.
Thanks. -
@sasa1 well that isn't a valid address so no you wouldn't be able to access it ;)
-
@johnpoz the real IP is:
93.42.6.126in capture I see:
23:02:07.916048 IP 109.205.x.y.53654 > 93.42.6.126.8443: tcp 0
23:02:07.918614 IP 109.205.x.y.49457 > 93.42.6.126.8443: tcp 0
23:02:08.166696 IP 109.205.x.y.52451 > 93.42.6.126.8443: tcp 0
23:02:10.916892 IP 109.205.x.y.53654 > 93.42.6.126.8443: tcp 0
23:02:10.917859 IP 109.205.x.y.49457 > 93.42.6.126.8443: tcp 0 -
@sasa1 Well your sending to it, if you can not get there, or you do not get an answer.
I take it that is your wan IP that 109.205.x.x and you sniffing on your wan.
Maybe they are blocking you, maybe your isp is having a peering problem. Maybe site not listening on 8443 like you think they are.
I can not ping it or open it on any ports 80, 443 or that port either. You sure you have the right IP?
Is that some IP you setup on some device with this company?
netname: FASTWEB-POP-INTERNET_SINGOLO descr: Infrastructure for Fastwebs main location descr: IP addresses for Enterprise Customer, public subnet
That is who I show owning that IP. What is odd is I show it in a tracert, but some sort of loop or something, since it should end when get to the IP and it keeps going.
$ tracert -d 93.42.6.126 Tracing route to 93.42.6.126 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 192.168.9.253 2 10 ms 10 ms 9 ms 69.47.60.1 3 9 ms 9 ms 11 ms 10.52.33.194 4 13 ms 12 ms 12 ms 76.73.164.154 5 13 ms 12 ms 13 ms 75.76.101.196 6 13 ms 12 ms 13 ms 76.73.191.232 7 29 ms 14 ms 15 ms 76.74.56.233 8 114 ms 120 ms 115 ms 141.136.111.174 9 * * * Request timed out. 10 121 ms 120 ms 122 ms 138.187.129.106 11 * * * Request timed out. 12 * * * Request timed out. 13 * * * Request timed out. 14 138 ms 145 ms 135 ms 93.42.6.126 15 * * * Request timed out. 16 * * * Request timed out.
See hop 14..
But your issue sure isn't your local pfsense.. Since you see the traffic being sent.. Nothing pfsense can do if no answer.
-
@johnpoz actually there was a block related to the public IP address of origin, the remote vpn manager has removed this block and now you can access the web page without problems.
Unfortunately, however, there is a problem with this PC that is behind pfsense, in practice after it has connected to the remote vpn it can no longer access this server from the outside, through a NAT.
I checked and the private IP that is assigned by the remote vpn is on a different class than the one assigned to the server locally.
After establishing the vpn connection, the default gateway is changed and consequently the pc no longer passes through the pfsense gateway
if the server doesn't switch to pfsense then everything works.
Thanks. -
@sasa1 well I can still not get to it..
As to some pc behind pfsense doing vpn - what does that have to do with pfsense. Just like this didn't have anything to do with pfsense..
-
@sasa1 said in Outgoing to 8443:
after it has connected to the remote vpn it can no longer access this server from the outside, through a NAT.
What server exactly?
Does that mean it can still access it via the VPN using an internal address?
But, yeah, pfSense would not be doing anything there. If the client sends all of it's traffic over a VPN pfSense only sees the VPN.
Steve
-
Hi,
the problem is that after connecting in VPN my server "loses" the gateway that refers to pfsense and consequently the NAT (which I did to access the server from the outside) no longer works. -
Oh, you mean like NAT reflection?
So what happens when you try to connect to it with the VPN active?
-
@sasa1 it happens that the PC (behind pfsense) uses as gateway the IP address assigned to it by the remote vpn server
but with pfSense is there the possibility of doing a site-to-site vpn (which is not with IPSec) to make sure that my network (the one behind pfsense) and the remote one are in communication?
Thanks -
@stephenw10 if on my pfsense I make a vpn with the L2TP server can I make sure that the remote client accesses my server that is in the l2tp vpn?
thanks -
It's possible to use L2TP over IPSec but it's generally preferable to use either IPSec directly or OpenVPN.
I'm still not 100% sure what the actual issue is here. Directly connected subnets should still be available to a VPN client. If not then change the client or server settings so it isn't routing all traffic over the VPN.
Steve
-
@stephenw10 if in pfsene I configure a l2tp vpn server can this vpn be bi-directional?
ie my PC behind pfsense (l2tp server) can access the remote network and at the same time the remote l2tp client can access my pc?
thanks. -
l2tp/ipsec is mostly used for client-to-site type setups so would probably not be suitable. You would want to use a site-to-site VPN like IPSec or OpenVPN.
Can you give us a diagram of what you need to achieve?
Steve
-
@stephenw10 Isn't an VPN Openswan-based also client-to-site?
or with openswan you can also make a site-to-site vpn?
Thanks. -
OpenVPN can be configured as either.