Can't access HTTP on a specific site, don't understand why.



  • I have a problem. From within my firewall bridge, I can't access HTTP on a specific IP (www.hitta.se, 195.149.150.163).
    I can ping the IP from a computer behind the firewall, but all connections to port 80 just time out. If I telnet to port 80 from a shell on the firewall itself I get an HTTP reply.

    I have no rules that block that specific IP and I can browse other sites normally. What is going on?

    Any hints on how I can find what's causing this?





  • Interesting.. Seems to have something to do with the netmask. I temporarily get access to the site when changing the netmask (to /24), but then after a couple of seconds it stops working again.. And the same when I change back to /25.

    My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

    I'm not 100% sure what netmask to use, maybe someone can help me.. My setup is as follows:

    WAN-GW (bridge) using xx.xx.38.193/25 on WAN and xx.xx.38.194/25 on LAN
    LAN-GW (NAT firewall behind the WAN-GW) using xx.xx.38.195/25 on WAN and 192.168.10.1/24 on LAN.

    Is this all wrong?


  • Nope... use /28 instead if it's a Class C network.



  • My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

    xx.xx.38.0/25 is
    xx.xx.38.0 to xx.xx.38.127

    If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.

    From what you describe about the IPs you have a bridge.
    But then you say you have an IP on the LAN as gateway?
    Either a bridge, or a NAT-device. Not both.

    What is the gateway of your NAT-router behind the pfSense? The bridge IP .38.194 ? This would be wrong.

    Also you shouldn't assign a global IP out of your range to the bridge itself.
    The idea behind running it as a bridge is that you don't have a point of attack.
    –> The router doesn't have an IP which is reachable.
    The only IP you should have on the bridge is a private one from a separate management interface.
    If not that, then just a different IP range on the LAN side.
    (A plus point of this is that you don't waste two public IPs ;) )

    But imo this has all nothing to do with your problem of not being able to access the IP in your first post.



  • @GruensFroeschli:

    My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

    xx.xx.38.0/25 is
    xx.xx.38.0 to xx.xx.38.127

    If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.

    Yes. 193-217 is correct. But what value do I choose in the pfSense drop-down menu at the WAN/LAN interface? There is 1-32, what would 128/25 correspond to? (28 as Supermule says?)

    I have to check the setup of the bridge later then. As the setup is configured now, there are 2 pfSense boxes, WAN-GW (bridge) and LAN-GW (NAT).. I followed a guide when configuring the WAN-GW, where IPs were assigned like that :)



  • 128/25 would correspond to x.128 - 255
    /24 means you have blocks of 256 IPs
    /25 are blocks of 128 IPs
    /28 are blocks of 16 IPs
    I don't think you have a /28, since .193 - .217 are already more than 16 IPs.

    Unless you can tell us what gateway your ISP gave you, there's not much point in speculating about the correct subnet.
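The subnet arithmetic in this thread (netmask 255.255.255.128 to a prefix length, which /25 block .193 actually lands in, why /28 cannot hold .193-.217, and why the ISP gateway decides the answer), worked through as an added example that is not part of the original posts. The 203.0.113.x addresses are a constructed stand-in for the thread's "xx.xx.38.x".

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed stand-in for the thread's xx.xx.38.x range (documentation block).
ISP_GATEWAY = "203.0.113.129"
FIRST_HOST, LAST_HOST = "203.0.113.193", "203.0.113.217"
ISP_NETMASK = "255.255.255.128"


def netmask_to_prefix(netmask: str) -> int:
    """Dotted netmask -> prefix length, i.e. the number the pfSense drop-down expects."""
    return IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def block_size(prefix: int) -> int:
    """Addresses per block for a prefix length: /24 -> 256, /25 -> 128, /28 -> 16."""
    return 2 ** (32 - prefix)


def subnet_of(host: str, prefix: int) -> IPv4Network:
    """The subnet a host really belongs to, host bits cleared (.193/25 -> .128/25)."""
    return IPv4Interface(f"{host}/{prefix}").network


def in_subnet(host: str, cidr: str) -> bool:
    """Does host fall inside the given CIDR block?"""
    return IPv4Address(host) in IPv4Network(cidr)


def smallest_block(first: str, last: str) -> IPv4Network:
    """Smallest single CIDR block covering first..last inclusive."""
    a, b = IPv4Address(first), IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = IPv4Interface(f"{a}/{prefix}").network
        if b in net:
            return net
    raise ValueError("unreachable: /0 covers everything")


def prefix_is_consistent(gateway: str, first: str, last: str, prefix: int) -> bool:
    """True when the ISP gateway and the whole host range share one subnet."""
    net = subnet_of(gateway, prefix)
    return IPv4Address(first) in net and IPv4Address(last) in net


if __name__ == "__main__":
    p = netmask_to_prefix(ISP_NETMASK)
    print(f"{ISP_NETMASK} is /{p}, block of {block_size(p)} addresses")
    print(f".193 with /{p} lives in {subnet_of(FIRST_HOST, p)}, not .0/{p}:",
          in_subnet(FIRST_HOST, "203.0.113.0/25"))
    print("smallest block for the range:", smallest_block(FIRST_HOST, LAST_HOST))
    for cand in (24, 25, 27, 28):
        print(f"/{cand} consistent with gateway .129:",
              prefix_is_consistent(ISP_GATEWAY, FIRST_HOST, LAST_HOST, cand))
```

Running it shows the /27 that merely covers .193-.217 does not contain the gateway .129, while /25 does, which is the reasoning behind the reply that the subnet must be x.128/25.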



  • My gateway from the ISP is xx.xx.38.129



  • Ok, then your subnet is /25

    What i would do:
    Set the WAN IP of your bridge device to a private IP (172.17.0.1/24)
    Set the LAN IP of the bridge device to a private IP (172.17.0.2/24)

    Set the WAN IP of the NAT device to x.193/25
    Use whatever IPs are left for wherever they are supposed to be.



  • Ok, thanks!

    Work is done for today but i will try this later!



  • I've done some testing now but I can't get it to work. (I'm probably stupid  :) )

    I set up a lab like this.

    test-router(xx.xx.38.129) <-> pfsense-bridge(WAN 172.17.0.3/24 (gw: xx.xx.38.129) , LAN 172.17.0.4/24) <-> test-client (xx.xx.38.200/255.255.255.128)

    In the example above I get no connectivity between test-client and test-router. However, if I change the IP of the test-router to 172.17.0.1 and the test-client to 172.17.0.10 I can ping the test-router from the test-client. Seems like it will not forward traffic over the bridge if it's a different network?



  • Did you modify the firewall rules on the LAN interface?
    I assume you connected another computer with a private IP to be able to manage the pfSense.

    The default rule on the firewall only allows traffic from the 172.17.0.0/24 subnet.
    You also need to create a firewall rule allowing traffic from the x.x.38.128/25 subnet.

    Did you also make sure that the test-client has as gateway the test-router?



  • Perfect! The rules were the problem, I tried fiddling with them earlier but I guess I got something wrong. Now it's working! Thanks! Gonna reconfigure and change the live firewall later and see if it takes care of the original problem with the unreachable host.

