Portfowarding not working
-
i have a red and green interface. on the red i have 5 virtual ips 3 are mapped too my 3 servers one is ispconfig, one zimbra and the other is secondary dns server. i use port forwarding to enable traffic to my servers and i enabled NAT Reflection but i cant see my sites and when i do a dns test with checkdns.net it says none of my name severs responded, even when i use dig on one of my dns severs i get the same message. i dont know whats going on. ???
WAN TCP/UDP 53 (DNS) 192.168.1.123
(ext.: 67.40.148.249) 53 (DNS)WAN TCP/UDP 53 (DNS) 192.168.1.119
(ext.: 67.40.148.250) 53 (DNS)
[edit rule]
-
You need to resolve your DNS problem first.
Are you using a hosted DNS service, or are you trying to run your own DNS servers? Can you post your domain name?
-
im running my own name servers they worked before on my ipcop router. my domain is dial4tech.com
-
You seem to be running the DNS on 2 name servers - 67.40.148.249 and 67.40.148.250. From the WhoIS it looks like you are trying to run a DNS server on your home Internet connection? If so you must have static IP addresses.
Did you remember to forward port 53 (TCP and UDP) to your DNS servers?
-
yes i have two dns severs and i have 5 static ips two are used for the dns servers. yes i enabled tcp/udp
-
Can you post:
-
A diagram of your network, with IP ranges
-
A screenshot of the port forward rules
-
A screenshot of the WAN interface rules
-
A screenshot of the rules for the interface the DNS servers are on
-
Confirmation that the DNS servers can reach the Internet
-
-
here is my network diagram
http://www.gliffy.com/pubdoc/2123917/L.pngportfowarding rules
http://i1008.photobucket.com/albums/af204/sinnersaintx/pfsenseoopenwirelessnet-Firewall-NA.pngfirewall rules
Both server can ping yahoo.com
-
Nothing obviously wrong there.
It would be worth checking (tcpdump/wireshark) to see if the packets are reaching your DNS servers and if they aren't to see if they are reaching your pfSense host.
-
i dont see any dns traffic. when i open it with wireshark it says no pakets.
-
Nvm, I missed that you are testing your servers with an external tool…
-
i have nat refection unchecked. why do i need split DNS if i have my own name servers?
-
So, run tcpdump on pfSense - then you'll see if the packets are reaching the pfSense host.
-
im sorry but how do i do that?
-
i did it but it doesn't show anything
-
Then it suggests the packets aren't reaching your pfSense host.
One question, in your diagram you show your IP allocation as being 67.40.148.248/29. With that in mind, what's the default gateway? I see you're using .249 (typo in the diagram as 149), 250 and 251. .248 is the network address and .255 is the broadcast. That leaves .252 to .254, but you're using .254 for pfSense, so is it .252 or .253?
Also, have you configured VIPs for the other IP addresses?
-
67.40.148.248 is reserved .254 is for pfsense 255 is broadcast so .249 to .253 are usable. my isps default gateway is 63.231.10.241 which is set by pppoe. I have vips for the five usable ips
-
I assume your DNS servers can reach the Internet, as can the other hosts on the network? Having an off-network default gateway is odd, but I'm assuming that's normal for PPPoE (which I've never used).
If so, time to contact your ISP - if the packets aren't reaching the pfSense host then it means they are either blocking the traffic or there's a routing issue.
-
my dns servers can reach the internet and all other host on my network. I called my isp and they said that no ports where being blocked. but i noticed that i can reach my ispconfig server by useing the external ip http://67.40.148.249:8080 but when i us the domain name http://web1.dial4tech.com:8080 it wont work. when i do did on my dns servers it says connection timed out; no servers could be reached
-
Yes - if your DNS servers can't be reached then you can't use DNS names in your domain to reach any services on your domain… That really shouldn't be a surprise - and frankly if it is I'm not sure you should be running your own DNS servers (yes, I know that's a little harsh - but it's also true). Also note that I can't reach that URL you refer to - it's timing out for me - I'm assuming you remembered to do these tests from outside your own network.
At this point everything you've posted suggests either that you've got another device upstream that does filtering (DSL modem?) or your ISP is port blocking and their staff don't know that.
-
i understand how dns works i was just telling you that so you could understand better my situation. being able to reach my server with external ips means that they are working but my dns is being blocked some how. my isp says they aren't blocking anything. so i was thinking it may be my dns registrar.
-
Doubt it's your registrar since I can't hit your DNS servers directly with any port testing tool, using their IP.
Note that from the Internet I cannot reach the web server you specified.
-
it seems like my internal ips are only working on my lan. when i try to access the ip http:67.40.148.249:8080 outside my lan it wont work but i can on my lan. maybe my virtual ips aren't working.
-
Can you post a screenshot of the VIP configuration?
-
-
Nothing obviously wrong their either (though I'm not an expert on CARP/VIPs).
Next thing - what IP address is shown if you visit any of the "What's my IP" type pages such as this?
-
it shows my internal ip 192.168.1.82 but whatsmyip.org shows 67.40.148.249
-
The only last thing I can suggest is taking this to the CARP/VIP forum. I'm out of ideas I'm afraid.
-
i figured it out the qwest people told me the wrong ip range 67.40.148.249-253 its supposed to be 67.40.184.249-253 i noticed it when i was looking in the interfaces wan section lol. thanks for your help