Cant access http on specific site, dont understand why.
-
I have a problem. From within my firewall bridge, i can't access http on a specific IP (www.hitta.se, 195.149.150.163).
I can ping the ip from a computer behind the firewall, but all connections to port 80 just times out. If telnet to port 80 from a shell on the firewall itself i get a http reply.I have no rules that blocks that specific ip and i can browse other sites normally. What is going on?
Any hints how i can find whats causing this?
-
-
Interesting.. Seems to have something to do with the netmask. I temporary get access to the site when changing netmask (to /24), but then in a couple of seconds it stops working again.. And equal when i change back to /25.
My IP-range: xx.xx.38.193 - 217 (i have got the netmask 255.255.255.128 assigned from my isp, and iv'e translated this to xx.xx.38.0/25 correct?
Im not 100% sure what netmask to use, maybe someone can help me.. My setup as follows:
WAN-GW (bridge) using xx.xx.38.193/25 on WAN and xx.xx.38.194/25 on LAN
LAN-GW (NAT-firewall behind the WAN-GW) using xx.xx.38.195/25 on WAN and 192.168.10.1/24 on LAN.Is this all wrong ? ???
-
Nope…...use /28 instead if it's a Class C network.
-
My IP-range: xx.xx.38.193 - 217 (i have got the netmask 255.255.255.128 assigned from my isp, and iv'e translated this to xx.xx.38.0/25 correct?
xx.xx.38.0/25 is
xx.xx.38.0 to xx.xx.38.127If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.
From what you describe about the IPs you have a bridge.
But then you say you have an IP on the LAN as gateway?
Either a bridge, or a NAT-device. Not both.What is the gateway of your NAT-router behind the pfSense? The bridge IP .38.194 ? This would be wrong.
Also you shouldn't assign a global IP out of your range to the bridge itself.
The idea behind running the as a bridge is that you dont have a point of attack.
–> The router doesn't have an IP which is reachable.
The only IP you should have on the bridge is a private one from a separate management interface.
If not that then just a different IP-range on the LAN side.
(A plus point of this is, that you dont waste two public IPs ;) )But imo this has all nothing to do with your problem of not being able to access the IP in your first post.
-
My IP-range: xx.xx.38.193 - 217 (i have got the netmask 255.255.255.128 assigned from my isp, and iv'e translated this to xx.xx.38.0/25 correct?
xx.xx.38.0/25 is
xx.xx.38.0 to xx.xx.38.127If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.
Yes. 193-217 is correct. But what value to choose in the pfsense dropmenu at the WAN/LAN interface? There is 1-32, what would 128/25 correspond to? (28 as Supermule says?)
I have to check the setup of the bridge later then, as the setup is configured now, there are 2 pfsense-boxes, WAN-GW(bridge) and LAN-GW(NAT).. I followed a guide when configuring the WAN-GW it, where ip's where assigned like that :)
-
128/25 would correspond to x.128 - 255
/24 means you have blocks of 256 IPs
/25 are blocks 128 IPs
/28 are blocks of 16 IPs
i dont think you have a /28, since .193 - .217 are already more than 16 IPs.Unless you can tell us what gateway your ISP gave you, there's not much a point in speculating about the correct subnet.
-
My gateway from the ISP is xx.xx.38.129
-
Ok, then your subnet is /25
What i would do:
Set the WAN IP of your bridge device to a private IP (172.17.0.1/24)
Set the LAN IP of the brdige device to a private IP (172.17.0.2/24)Set the WAN IP of the NAT device to x.193/25
Use whatever IPs are left for wherever they are supposed to be.
-
Ok, thanks!
Work is done for today but i will try this later!
-
Iv'e done some testing now but i cant get it to work. (I'm probably stupid :) )
I set up a lab like this.
test-router(xx.xx.38.129) <-> pfsense-bridge(WAN 172.17.0.3/24 (gw: xx.xx.38.129) , LAN 172.17.0.4/24) <-> test-client (xx.xx.38.200/255.255.255.128)
In the example above i get no connectivity between test-client and test-router. However, if i change the ip of the test-router to 172.17.0.1 and the test-client to 172.17.0.10 i can ping the test-router from the test-client. Seems like it will not forward traffic over the bridge if its a different network?
-
Did you modify the firewall rules on the LAN interface?
I assume you connected another computer with a private IP to be able to manage the pfSense.The default rule on the firewall only allows traffic from the 172.17.0.0/24 subnet.
You also need to create a firewall rule allowing traffic from the x.x.38.128/25 subnet.Did you also make sure that the test-client has as gateway the test-router?
-
Perfect! The rules was the problem, i tried fiddling with them earlier but i guess i got something wrong. Now its working! Thanks! Gonna reconfigure and change the live firewall later and see if it takes care of the original problem with the unreachable host.
