Can't access HTTP on a specific site, don't understand why.
- 
 I have a problem. From within my firewall bridge, I can't access HTTP on a specific IP (www.hitta.se, 195.149.150.163). 
 I can ping the IP from a computer behind the firewall, but all connections to port 80 just time out. If I telnet to port 80 from a shell on the firewall itself I get an HTTP reply. I have no rules that block that specific IP and I can browse other sites normally. What is going on? Any hints on how I can find what's causing this? 
- 
 http://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites 
- 
 Interesting... Seems to have something to do with the netmask. I temporarily get access to the site when changing the netmask (to /24), but then after a couple of seconds it stops working again. And the same when I change back to /25. My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?). I'm not 100% sure what netmask to use, maybe someone can help me. My setup is as follows: 
 WAN-GW (bridge) using xx.xx.38.193/25 on WAN and xx.xx.38.194/25 on LAN 
 LAN-GW (NAT firewall behind the WAN-GW) using xx.xx.38.195/25 on WAN and 192.168.10.1/24 on LAN. Is this all wrong? ??? 
- 
 Nope... use /28 instead if it's a Class C network. 
- 
 "My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?)" 
 xx.xx.38.0/25 is xx.xx.38.0 to xx.xx.38.127. If you really have the IPs .38.193 - .217 then you need to use the subnet xx.xx.38.128/25. 
 From what you describe about the IPs you have a bridge. But then you say you have an IP on the LAN as gateway? 
 Either a bridge or a NAT device, not both. What is the gateway of your NAT router behind the pfSense? The bridge IP .38.194? This would be wrong. Also you shouldn't assign a global IP out of your range to the bridge itself. 
 The idea behind running it as a bridge is that you don't have a point of attack. 
 --> The router doesn't have an IP which is reachable. 
 The only IP you should have on the bridge is a private one from a separate management interface. 
 If not that, then just a different IP range on the LAN side. 
 (A plus point of this is that you don't waste two public IPs ;) ) 
 But IMO this has all nothing to do with your problem of not being able to access the IP in your first post. 
- 
 "My IP range: xx.xx.38.193 - 217 (I have got the netmask 255.255.255.128 assigned from my ISP, and I've translated this to xx.xx.38.0/25, correct?) xx.xx.38.0/25 is xx.xx.38.0 to xx.xx.38.127. If you really have the IPs .38.193 - .217 then you need to use the subnet xx.xx.38.128/25." 
 Yes, 193-217 is correct. But what value do I choose in the pfSense drop-down menu at the WAN/LAN interface? There is 1-32; what would 128/25 correspond to? (28 as Supermule says?) I have to check the setup of the bridge later then. As the setup is configured now, there are 2 pfSense boxes, WAN-GW (bridge) and LAN-GW (NAT). I followed a guide when configuring the WAN-GW, where IPs were assigned like that :) 
- 
 128/25 would correspond to x.128 - 255 
 /24 means you have blocks of 256 IPs 
 /25 are blocks of 128 IPs 
 /28 are blocks of 16 IPs 
 I don't think you have a /28, since .193 - .217 are already more than 16 IPs. Unless you can tell us what gateway your ISP gave you, there's not much point in speculating about the correct subnet. 
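A worked version of the subnet arithmetic in the reply above, added here as an example (it is not code from the thread or from pfSense). It uses Python's ipaddress module to derive the block from the ISP gateway and netmask, reports the prefix length (the value the interface drop-down asks for) and the usable range, and checks whether the .193 - .217 range and the gateway all fall inside the block for the /25, /28 and /24 candidates. The 203.0.113 prefix (RFC 5737 documentation range) stands in for the redacted xx.xx.38 octets and is an assumption:

```python
"""Added example: derive the ISP block from gateway + netmask and check that
an address range and the gateway all fall inside it."""
import ipaddress

# Assumption: 203.0.113 (RFC 5737 TEST-NET-3) stands in for the thread's
# redacted "xx.xx.38" octets. The numbers below are those from the thread.
GATEWAY = "203.0.113.129"            # gateway the ISP gave
NETMASK = "255.255.255.128"          # netmask the ISP assigned (= /25)
FIRST, LAST = "203.0.113.193", "203.0.113.217"   # assigned address range


def block_for(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Network containing `address` under `netmask`, with host bits cleared.

    This is the mistake in "xx.xx.38.0/25": clearing the host bits of .193
    under a /25 mask gives .128, not .0.
    """
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def block_size(prefixlen: int) -> int:
    """Number of addresses in a block with the given prefix length."""
    return 2 ** (32 - prefixlen)


def check_assignment(gateway: str, netmask: str, first: str, last: str) -> dict:
    """Block implied by gateway+netmask, its prefix length (the interface
    drop-down value), the usable host range, and whether the range and the
    gateway all sit inside that block."""
    net = block_for(gateway, netmask)
    inside = all(ipaddress.ip_address(a) in net for a in (gateway, first, last))
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "usable": (str(net[1]), str(net[-2])),
        "fits": inside,
    }


if __name__ == "__main__":
    for mask in ("255.255.255.128", "255.255.255.240", "255.255.255.0"):
        print(mask, check_assignment(GATEWAY, mask, FIRST, LAST))
    # The original guess: .0/25 does not even contain the first assigned IP.
    print("xx.xx.38.0/25 contains .193?",
          ipaddress.ip_address(FIRST) in ipaddress.ip_network("203.0.113.0/25"))
```

Running it shows that only the /25 (255.255.255.128) block 203.0.113.128/25 contains the gateway .129 and the whole .193 - .217 range; the /28 suggested earlier in the thread puts the gateway in .128/28 and leaves the assigned addresses outside it.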
- 
 My gateway from the ISP is xx.xx.38.129 
- 
 Ok, then your subnet is /25. What I would do: 
 Set the WAN IP of your bridge device to a private IP (172.17.0.1/24) 
 Set the LAN IP of the bridge device to a private IP (172.17.0.2/24) 
 Set the WAN IP of the NAT device to x.193/25 
 Use whatever IPs are left for wherever they are supposed to be. 
- 
 Ok, thanks! Work is done for today but I will try this later! 
- 
 I've done some testing now but I can't get it to work. (I'm probably stupid :) ) I set up a lab like this: test-router (xx.xx.38.129) <-> pfSense bridge (WAN 172.17.0.3/24 (gw: xx.xx.38.129), LAN 172.17.0.4/24) <-> test-client (xx.xx.38.200/255.255.255.128). In the example above I get no connectivity between test-client and test-router. However, if I change the IP of the test-router to 172.17.0.1 and the test-client to 172.17.0.10 I can ping the test-router from the test-client. Seems like it will not forward traffic over the bridge if it's a different network? 
- 
 Did you modify the firewall rules on the LAN interface? 
 I assume you connected another computer with a private IP to be able to manage the pfSense. The default rule on the firewall only allows traffic from the 172.17.0.0/24 subnet. 
 You also need to create a firewall rule allowing traffic from the x.x.38.128/25 subnet. Did you also make sure that the test-client has the test-router as gateway? 
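The rule set this reply describes, written out in raw pf syntax as an added example (it is not pfSense's generated configuration and was not posted in the thread). Interface names em0/em1 and the 203.0.113.128/25 block (a stand-in for the redacted xx.xx.38.128/25) are assumptions:

```pf
# Added example: pf rules for a filtering bridge whose member interfaces
# carry private management addresses (172.17.0.x/24) while the ISP block
# is bridged through. Interface names and 203.0.113.128/25 are assumptions.
wan_if     = "em0"
lan_if     = "em1"
mgmt_net   = "172.17.0.0/24"       # management subnet on the bridge
public_net = "203.0.113.128/25"    # ISP block; gateway .129 is upstream on WAN

block all

# Outbound is allowed as on a default pfSense install; return traffic
# for the stateful "pass in" rules below is matched by state.
pass out quick all

# The default LAN rule pfSense creates: only the LAN interface's own subnet.
# In the lab in the thread this is the only rule, so a client at
# 203.0.113.200 is silently dropped even though the bridge itself is fine.
pass in on $lan_if inet from $mgmt_net to any

# The missing rule: hosts from the ISP block behind the bridge.
pass in on $lan_if inet from $public_net to any

# Connections initiated from the Internet to hosts behind the bridge still
# need their own "pass in on $wan_if" rules; none are added here.
```

Note that the bridge only passes the frames; it is the filter on the LAN-side member interface that decides whether a frame with a source outside 172.17.0.0/24 gets through, which is why changing the test addresses to 172.17.0.x made the ping work.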
- 
 Perfect! The rules were the problem, I tried fiddling with them earlier but I guess I got something wrong. Now it's working! Thanks! Going to reconfigure and change the live firewall later and see if it takes care of the original problem with the unreachable host. 
