Netgate Discussion Forum

ping works fine in both directions but http / ssh from remote to intern fails

  • R
    rprengel
    last edited by Mar 31, 2024, 7:03 PM

    Hello,
    I installed my first pfSense setup with WireGuard.

    Home 192.168.2.0 -- Fritzbox --- WireGuard --- pfSense - Hoster Hetzner 192.168.22.0

    My problem
    ping from home to systems in 192.168.22.0 is working
    access to servers from home using http / ssh in 192.168.22.0 is working

    ping from remote hetzner to systems in 192.168.2.0 is working
    access using http or ssh from 192.168.22.0 to 192.168.2.0 is !!! NOT !!! working.

    I've no idea where to search.
    All hints are welcome.
    Thanks

    Ralf

    • V
      viragomann @rprengel
      last edited by Mar 31, 2024, 8:04 PM

      @rprengel
      I'd suspect, that the access is blocked somewhere at home site, either on the Fritzbox or on the destination device.

      If you're unsure, what the reason is, you can sniff the traffic on the home site to investigate.

      • R
        rprengel @viragomann
        last edited by Apr 1, 2024, 6:31 AM

        @viragomann said in ping works fine in both directions but http / ssh from remote to intern fails:

        @rprengel
        I'd suspect, that the access is blocked somewhere at home site, either on the Fritzbox or on the destination device.

        If you're unsure, what the reason is, you can sniff the traffic on the home site to investigate.

        Hello,
        thanks for the answer.
        No obvious blockers / filters / firewalls are active.
        I found a YouTube video with some hints that a NAT may be necessary on the pfSense because of the Fritzbox, although ping is working.
        Ralf

        • V
          viragomann @rprengel
          last edited by Apr 1, 2024, 8:44 AM

          @rprengel said in ping works fine in both directions but http / ssh from remote to intern fails:

          No obvious blockers / filters / firewalls are active.

          I was expecting this view. That's why I suggested to sniff the traffic to see, what's going on in fact.

          I found a YouTube video with some hints that a NAT may be necessary on the pfSense because of the Fritzbox, although ping is working.

          Yes, NAT is a hack to circumvent firewall restrictions. But it's rather recommended to configure the firewalls properly instead of doing hacks.
          It's a workaround to enable access to devices from outside, which have no default gateway setting.

          • R
            rprengel @viragomann
            last edited by Apr 1, 2024, 10:51 AM

            @viragomann said in ping works fine in both directions but http / ssh from remote to intern fails:

            @rprengel said in ping works fine in both directions but http / ssh from remote to intern fails:

            No obvious blockers / filters / firewalls are active.

            I was expecting this view. That's why I suggested to sniff the traffic to see, what's going on in fact.

            I found a YouTube video with some hints that a NAT may be necessary on the pfSense because of the Fritzbox, although ping is working.

            Yes, NAT is a hack to circumvent firewall restrictions. But it's rather recommended to configure the firewalls properly instead of doing hacks.
            It's a workaround to enable access to devices from outside, which have no default gateway setting.

            Hello,
            thanks for the hints.
            I will try to analyse what goes wrong.
            Unfortunately, the Fritzbox router (de facto standard in Germany) is a closed system with fewer options to configure advanced parameters.
            Because of these problems I will install a second pfSense later this year to replace the firewall / WireGuard part of the Fritzbox.
            Ralf

            • R
              rprengel @viragomann
              last edited by Apr 2, 2024, 2:48 PM

              @viragomann said in ping works fine in both directions but http / ssh from remote to intern fails:

              @rprengel said in ping works fine in both directions but http / ssh from remote to intern fails:

              No obvious blockers / filters / firewalls are active.

              I was expecting this view. That's why I suggested to sniff the traffic to see, what's going on in fact.

              I found a YouTube video with some hints that a NAT may be necessary on the pfSense because of the Fritzbox, although ping is working.

              Yes, NAT is a hack to circumvent firewall restrictions. But it's rather recommended to configure the firewalls properly instead of doing hacks.
              It's a workaround to enable access to devices from outside, which have no default gateway setting.

              Hello,
              found the problem but not solved.
              I can reach system from „outside“ using ssh on port 22 and http using non default ports.
              I tested the last days only trying to reach a default webserver.
              It looks like ports 80 and 443 are the problem. Maybe the anti-lockout rule?
              Ralf

              • R
                rprengel @rprengel
                last edited by Apr 2, 2024, 6:36 PM

                @rprengel said in ping works fine in both directions but http / ssh from remote to intern fails:

                @viragomann said in ping works fine in both directions but http / ssh from remote to intern fails:

                @rprengel said in ping works fine in both directions but http / ssh from remote to intern fails:

                No obvious blockers / filters / firewalls are active.

                I was expecting this view. That's why I suggested to sniff the traffic to see, what's going on in fact.

                I found a YouTube video with some hints that a NAT may be necessary on the pfSense because of the Fritzbox, although ping is working.

                Yes, NAT is a hack to circumvent firewall restrictions. But it's rather recommended to configure the firewalls properly instead of doing hacks.
                It's a workaround to enable access to devices from outside, which have no default gateway setting.

                Hello,
                found the problem but not solved.
                I can reach system from „outside“ using ssh on port 22 and http using non default ports.
                I tested the last days only trying to reach a default webserver.
                It looks like ports 80 and 443 are the problem. Maybe the anti-lockout rule?
                Ralf

                Now solved:
                After I realized that ssh from outside worked too I tried another webserver. This one worked immediately.
                The first web target was the interface of a printer that obviously didn't deliver its content to external LANs.
                Ralf
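
The capture-based check suggested earlier in the thread, as an added example that is not part of the original posts: it reads `tcpdump -n` text output taken on the home LAN and reports, per destination and port, whether the TCP SYN arrived and how the target answered. The host addresses, ports and the `classify` helper are constructed for illustration; only the two subnets come from the thread.

```python
import re

# Constructed sample in tcpdump -n text format, as it might look on the
# home LAN (192.168.2.0/24). Hosts .50 (printer-like) and .60 are made up.
CAPTURE = """\
10:00:00.100000 IP 192.168.22.10 > 192.168.2.50: ICMP echo request, id 7, seq 1, length 64
10:00:00.100400 IP 192.168.2.50 > 192.168.22.10: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000000 IP 192.168.22.10.40112 > 192.168.2.50.80: Flags [S], seq 100, win 64240, length 0
10:00:02.010000 IP 192.168.22.10.40112 > 192.168.2.50.80: Flags [S], seq 100, win 64240, length 0
10:00:05.000000 IP 192.168.22.10.40200 > 192.168.2.60.80: Flags [S], seq 200, win 64240, length 0
10:00:05.000300 IP 192.168.2.60.80 > 192.168.22.10.40200: Flags [S.], seq 900, ack 201, win 65160, length 0
10:00:06.000000 IP 192.168.22.10.40300 > 192.168.2.60.8443: Flags [S], seq 300, win 64240, length 0
10:00:06.000200 IP 192.168.2.60.8443 > 192.168.22.10.40300: Flags [R.], seq 0, ack 301, win 0, length 0
"""

TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def classify(capture, expected=()):
    """Return {(server_ip, port): verdict} for each TCP handshake attempt.

    accepted       - SYN-ACK seen: path and service are fine
    refused        - RST seen: port closed or a reject rule on the target
    syn-unanswered - SYN reached this segment, target stayed silent
                     (the printer case from the thread)
    syn-not-seen   - probed but absent here: dropped before the capture point
    """
    verdict = {}
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue  # ICMP and other non-TCP lines carry no port pair
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":  # client SYN; retransmits keep the first verdict
            verdict.setdefault((dst, int(dport)), "syn-unanswered")
        elif flags == "S.":  # SYN-ACK from the server side
            verdict[(src, int(sport))] = "accepted"
        elif "R" in flags and verdict.get((src, int(sport))) == "syn-unanswered":
            verdict[(src, int(sport))] = "refused"
    for target in expected:  # ports that were probed but never showed up
        verdict.setdefault(target, "syn-not-seen")
    return verdict
```

A working ping combined with `syn-unanswered` on one host only points at that device rather than at the tunnel, the Fritzbox or pfSense.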
