Netgate Discussion Forum
    Can't access HTTP on specific site, don't understand why.

    Firewalling
    13 Posts 4 Posters 4.9k Views
    sussox

      I have a problem. From within my firewall bridge, I can't access HTTP on a specific IP (www.hitta.se, 195.149.150.163).
      I can ping the IP from a computer behind the firewall, but all connections to port 80 just time out. If I telnet to port 80 from a shell on the firewall itself I get an HTTP reply.

      I have no rules that block that specific IP, and I can browse other sites normally. What is going on?

      Any hints on how I can find what's causing this?

      Perry

        http://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites

        /Perry

        sussox

          Interesting... Seems to have something to do with the netmask. I temporarily get access to the site when changing the netmask (to /24), but then in a couple of seconds it stops working again... And the same when I change back to /25.

          My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

          I'm not 100% sure what netmask to use; maybe someone can help me... My setup is as follows:

          WAN-GW (bridge) using xx.xx.38.193/25 on WAN and xx.xx.38.194/25 on LAN
          LAN-GW (NAT-firewall behind the WAN-GW) using xx.xx.38.195/25 on WAN and 192.168.10.1/24 on LAN.

          Is this all wrong?

          Supermule

            Nope... use /28 instead if it's a Class C network.

            GruensFroeschli

              My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

              xx.xx.38.0/25 is
              xx.xx.38.0 to xx.xx.38.127

              If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.

              From what you describe about the IPs you have a bridge.
              But then you say you have an IP on the LAN as gateway?
              Either a bridge, or a NAT-device. Not both.

              What is the gateway of your NAT-router behind the pfSense? The bridge IP .38.194 ? This would be wrong.

              Also you shouldn't assign a global IP out of your range to the bridge itself.
              The idea behind running it as a bridge is that you don't have a point of attack.
              --> The router doesn't have an IP which is reachable.
              The only IP you should have on the bridge is a private one from a separate management interface.
              If not that, then just a different IP range on the LAN side.
              (A plus point of this is that you don't waste two public IPs ;) )

              But IMO this all has nothing to do with your problem of not being able to access the IP in your first post.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              sussox

                @GruensFroeschli:

                My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)

                xx.xx.38.0/25 is
                xx.xx.38.0 to xx.xx.38.127

                If you really have the IPs .38.193 - 217 then you need to use the subnet xx.xx.38.128/25.

                Yes, 193-217 is correct. But what value do I choose in the pfSense drop-down menu at the WAN/LAN interface? There is 1-32; what would 128/25 correspond to? (28 as Supermule says?)

                I'll have to check the setup of the bridge later then. As the setup is configured now, there are two pfSense boxes, WAN-GW (bridge) and LAN-GW (NAT)... I followed a guide when configuring the WAN-GW, where IPs were assigned like that :)

                GruensFroeschli

                  128/25 would correspond to x.128 - 255
                  /24 means you have blocks of 256 IPs
                  /25 are blocks of 128 IPs
                  /28 are blocks of 16 IPs
                  I don't think you have a /28, since .193 - .217 are already more than 16 IPs.

                  Unless you can tell us what gateway your ISP gave you, there's not much point in speculating about the correct subnet.


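The subnet arithmetic GruensFroeschli walks through above (netmask to prefix length, which /25 block .193-.217 actually sits in, why a /28 cannot hold that range), worked as an added example with Python's standard ipaddress module. This is not code from the thread or from pfSense; 192.0.2.x (RFC 5737 TEST-NET-1) is a constructed stand-in for the poster's redacted xx.xx.38.x addresses, and the function names are my own.

```python
import ipaddress

# Constructed stand-in for the redacted xx.xx.38.x block (assumption):
# 192.0.2.0/24 is TEST-NET-1, reserved for documentation.
BLOCK = "192.0.2"


def mask_to_prefixlen(mask: str) -> int:
    """Dotted netmask -> prefix length, the number pfSense's interface drop-down expects."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}", strict=False).prefixlen


def network_for(host: str, prefixlen: int) -> ipaddress.IPv4Network:
    """The subnet a host really lands in when configured as host/prefixlen.

    pfSense derives the subnet from the interface address plus the prefix, so
    .193/25 means .128/25 regardless of what the poster wrote down as .0/25.
    """
    return ipaddress.ip_interface(f"{host}/{prefixlen}").network


def range_fits(first: str, last: str, prefixlen: int):
    """Does first..last fit in one /prefixlen block? Returns (fits, block containing first)."""
    net = network_for(first, prefixlen)
    return ipaddress.ip_address(last) in net, net


def gateway_on_link(host_cidr: str, gateway: str) -> bool:
    """A default gateway must lie inside the interface's own subnet to be reachable."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def report(first: str, last: str, gateway: str, mask: str) -> list:
    """Summarise the candidate prefix lengths for the poster's situation."""
    plen = mask_to_prefixlen(mask)
    lines = [f"netmask {mask} is /{plen}"]
    for p in (24, 25, 28):
        fits, net = range_fits(first, last, p)
        gw_ok = gateway_on_link(f"{first}/{p}", gateway)
        lines.append(
            f"/{p}: {first} sits in {net} ({net.num_addresses} addresses); "
            f"holds {last}: {fits}; gateway {gateway} on-link: {gw_ok}"
        )
    return lines


if __name__ == "__main__":
    for line in report(f"{BLOCK}.193", f"{BLOCK}.217", f"{BLOCK}.129", "255.255.255.128"):
        print(line)
```

Only /25 both holds the whole .193-.217 range and keeps the ISP gateway .129 on-link; /28 puts .193 in a 16-address block (.192-.207) that excludes .208-.217 and cannot reach the gateway at all, which is the reason the /28 suggestion in the thread cannot be right.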
                  sussox

                    My gateway from the ISP is xx.xx.38.129

                    GruensFroeschli

                      Ok, then your subnet is /25

                      What i would do:
                      Set the WAN IP of your bridge device to a private IP (172.17.0.1/24)
                      Set the LAN IP of the bridge device to a private IP (172.17.0.2/24)

                      Set the WAN IP of the NAT device to x.193/25
                      Use whatever IPs are left for wherever they are supposed to be.


                      sussox

                        Ok, thanks!

                        Work is done for today but i will try this later!

                        sussox

                          I've done some testing now but I can't get it to work. (I'm probably stupid :) )

                          I set up a lab like this.

                          test-router(xx.xx.38.129) <-> pfsense-bridge(WAN 172.17.0.3/24 (gw: xx.xx.38.129) , LAN 172.17.0.4/24) <-> test-client (xx.xx.38.200/255.255.255.128)

                          In the example above I get no connectivity between test-client and test-router. However, if I change the IP of the test-router to 172.17.0.1 and the test-client to 172.17.0.10 I can ping the test-router from the test-client. Seems like it will not forward traffic over the bridge if it's a different network?

                          GruensFroeschli

                            Did you modify the firewall rules on the LAN interface?
                            I assume you connected another computer with a private IP to be able to manage the pfSense.

                            The default rule on the firewall only allows traffic from the 172.17.0.0/24 subnet.
                            You also need to create a firewall rule allowing traffic from the x.x.38.128/25 subnet.

                            Did you also make sure that the test-client has as gateway the test-router?


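An added example modelling the rule problem GruensFroeschli describes above: the default LAN rule on a pfSense install passes traffic sourced from "LAN net", which on the lab bridge is 172.17.0.0/24, so frames from the public /25 crossing the bridge hit the implicit default deny until a second pass rule for that subnet exists. This is a simplified Python model of first-match ("quick") rule evaluation, not pfSense or pf code; 192.0.2.x (RFC 5737) stands in for the redacted xx.xx.38.x addresses, and the rule set is constructed for the lab in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One interface rule: action taken for packets whose source is inside `src`."""
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network       # source network the rule matches
    comment: str = ""


def lan_net_rule(lan_if_cidr: str) -> Rule:
    """pfSense's default LAN rule passes anything sourced from the LAN interface's own subnet.

    The subnet is derived from the interface address, so 172.17.0.2/24 -> 172.17.0.0/24.
    """
    iface = ipaddress.ip_interface(lan_if_cidr)
    return Rule("pass", iface.network, "Default allow LAN to any")


def evaluate(rules: list, src_ip: str) -> tuple:
    """First matching rule wins (pfSense rules are 'quick'); no match means default deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src:
            return rule.action, rule.comment
    return "block", "implicit default deny"


# Lab from the thread: bridge LAN side 172.17.0.2/24, public block behind it (stand-in 192.0.2.128/25).
DEFAULT_RULES = [lan_net_rule("172.17.0.2/24")]
FIXED_RULES = DEFAULT_RULES + [
    Rule("pass", ipaddress.ip_network("192.0.2.128/25"), "Allow bridged public /25"),
]


def compare(src_ip: str) -> dict:
    """Show the verdict for one source under the default and the corrected rule sets."""
    return {
        "default": evaluate(DEFAULT_RULES, src_ip),
        "fixed": evaluate(FIXED_RULES, src_ip),
    }


if __name__ == "__main__":
    # test-client on the public block (the case that failed) and a management host on 172.17.0.0/24
    for src in ("192.0.2.200", "172.17.0.10", "10.9.9.9"):
        print(src, compare(src))
```

The test-client at .200 is blocked by the default set and passed once the /25 rule is added, while a management host on 172.17.0.0/24 passes under both and an unrelated source stays blocked. The model checks source address only; the real rule also carries interface, direction and destination, and a bridge only filters at all when pfSense's bridge filtering tunables are enabled, so confirm those if adding the rule alone does not change the result.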
                            sussox

                              Perfect! The rules were the problem; I tried fiddling with them earlier but I guess I got something wrong. Now it's working! Thanks! Gonna reconfigure and change the live firewall later and see if it takes care of the original problem with the unreachable host.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.