Can't access NATed Server from one external IP
-
Hi All,
This is my first post on this forum, I am a newbie to pfsense. I have replaced my iptables firewall with pfsense, in my setup I have one LAN and one WAN interface only. The machines needed public access is added with 1:1 nat with the public IPs added as virtual IP addresses on the WAN interface.
Everything is working as expected, but not working from one external client machine. Means everybody able to access the server which is added with 1:1 nat from outside internet, but its not working from one public IP machines which is located in another country.In the packet trace I am able to see the traffic hitting the firewall on correct port, but its not passing through the firewall.
Can anybody help me to get fix this issue.
Thanks in advance.
Premod
-
Do you see any entry in the firewall-log?
Is another computer from the same public subnet able to access it?
-
Interesting thing is I am able to login from the server to the public machine which cannot access my server. Also I can see the packets hitting on my firewall on correct port, but its not crossing the firewall. In GUI logs, I am not able to find anything helpful. How can I access the logs through cli, means the name & location of the log files.
Thanks,
Premod
-
This is what I am seeing in the filter.log file,
Aug 27 16:31:32 myfw pf: 815342 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8457, offset 0, flags [DF], proto TCP (6), length 60) 17.1xx.1xx.94.49269 > 10.1xx.x1.17.22: S, cksum 0x4be7 (correct), 3233901315:3233901315(0) win 5840 <mss 2="" 232413099="" 1460,sackok,timestamp="" 0,nop,wscale="">vr0 is my external (WAN) interface and I don't have a blocking rule which I have made through web GUI. How do I find the rules through cli commands, as it is telling the rule 56/0 blocking the traffic.
Thanks in advance.
Premod</mss>
-
Status –> System Log --> Firewall
Click in the gui on the color-thingy on the left side and it will tell you which rule blocked it.If you didn't create any rules at all, everything will be blocked.
(default behaviour is: block everything).You can see the created rules under:
address_of_your_pfsense/status.php#pfctl%20-s%20rules%20-vv
-
Thanks, this is what I am seeing when clicking in the colored thing,
@56 block drop in log quick on vr0 from bogons:50to any label "block bogon networks from wan"
What its mean? Seems an auto generated rule.
Thanks,
Premod</bogons:50>
-
Bogon networks are IP-block which are not yet assigned and thus should never appear at your WAN.
You can disable this rule on the WAN-config-page.It could be that this IP-block has just recently been assigned.
pfSense should update it's list of bogon networks periodically be itself.These threads should help you to update the list manually:
http://forum.pfsense.org/index.php/topic,15650.0.html
–> http://forum.pfsense.org/index.php/topic,13278.0.html
-
Thanks, GruensFroeschli
I have disabled the firewall rule and it's just working fine.
Thanks,
Premod
-
Well i wouldn't just disable the rule ^^"
It's there for a reason ;)Have you tried dotdashs suggestion?
I copied /etc/rc.update_bogons.sh to a temporary script, removed the sleep and ran it.
-
As for a temporary fix, I have manually removed the network which blocked for me. And as per the other posts I have checked my crontab file and the xml file also. Both the files having entries as follows,
###/etc/crontab####
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
####config.xml#####
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh######################################################
But update is not happening I am sure. I tried run the script manually, but didn't see anything happening on it. How can I make it run automatically?
Thanks,
Premod
-
Update happens once per month. What makes you think it does not?
