4. [RESOLVED] https through virtual IP

[RESOLVED] https through virtual IP

  • A

    Hi,  I'm runing ver 2.0.rc3

    I have created a virtual IP which I wish to handle an https connection.  The https connection to the default wan address is directed to a different internal machine.

    In NAT I have an Inbound rule
    WAN TCP/UDP * * 200.XXX.XXX.163 443 (HTTPS) WebServer *

    200.XXX.XXX.163 is the virtual IP.

    The log show a:
    block Sep 1 19:04:43 LAN 192.168.0.XXX:443 190.XXX.XXX.221:2124 TCP:SA

    and the detail of the block states:
    @1 scrub in on em0 all no-df fragment reassemble
    @1 block drop in log all label "Default deny rule"

    My LAN rules are really relaxed for testing
    Pass * LAN net * * * * none

    I really rather not add a 1:1 rule with the webserver and the virtual IP.

    Can someone give me a clues as to what am I missing because well the connection is not working.

    Thanks.

    0
  • A

    Hmmm… I guess this has nothing to do with https as I just tried it with port 80 and same problem, so it must be something with the virtual IP that I don't understand.

    0
  • M

    can you give screenshots and remove your public ip information

    0
  • A

    Sure,
      Here they are.

    My goal is simple.

    I have a two web servers.
    One was dedicated only for http
    The other for https
    But I want to have a second https server
    For testing purposes, I simply set the http server to also serve https.
    Internally it all works just fine.
    I want the second https (the newer one) to be accessible from outside.  So I created the x.x.x.163 ipalias so I could direct the https traffic to that server, while using only one nic that is hooked up to the external router.

    After it didn't work I also created a nat entry for port 80 on that virtual IP to see if it was an SSL issue.  I got the same result, the same block, except that it says port 80 in the log.

    Thanks,






    0
  • A

    and the other two that didn't fit in the post.




    0
  • M

    try without destination alias
    how do you have public ip's? are you having continous block or something else?

    0
  • A

    Ok, I changed the entry to replacing the alias with the Ip of the server.

    Same result.

    Yes, it's a block.  (162-165) And I'm reaching the firewall from the outside wold with the .163 because I get the Firewall block entries at the exact time I try to access from the outside world.  The .162 is the regular address.  I used the 163 in the past (hooked up to another physical firewall), I stopped using it for a while, it is possible that the provider changed something, but I doubt it.

    I haven't posted the entry itself in NAT.  Here is the screenshot of that.


    0
  • A

    It's fixed!

    Thank you, when you asked about the block, I kept thinking, so I went and rechecked everything, duhhhh, how stupid of me, the subnet mask was WRONG.

    Geez,

    Thank you!

    0
  • M

    It's ok, but you're showing again your public ip's

    0
  • A

    So I set everything back to how I wanted it originally, and for the record having the destination Alias works fine.

    Thanks for the Public/IP warning.  I'll take it out again.  Thanks.

    Is there a way one can mark threads as "Answered" here?

    0
  • M

    edit your first post subject with [SOLVED]

    0
  • A

    Nevermind, it isn't solved.  Having the same problem again.  I have no clue as to why it started working and after a while it stopped working.

    Any ideas of what else too look for?

    0
  • A

    Well I Fixed it again.

    I think I found a bug.

    Whenever you make and changes to the System Advanced Firewall/NAT window, it changes the IP Alias to Network, rather than the Single address, which of course breaks this.  Uggh…

    Anyways, messing around the screen, I can't remember what the defaults where for this was, can someone remember me which ones should be check?

    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules...:

    Thanks,

    0
  • A

    I was wrong, changes in the System Advanced screen do not change the label Network.  The label Network is changed whenever you use anything other than a /32 mask.

    It turns out that it works just fine with the mask /32

    Whenever I re-save the Virtual IP it starts working again.

    But I just noticed something else I got the log entry:
    kernel: arp: 00:1e:58:39:1a:1e is using my IP address 200.XXX.XXX.163 on vr0!

    So I guess the provider did change something and that IP is assigned to something else, that would explain the weird erratic behavior.  The provider was absorbed by another provider, so I think that's the origin of the problem.

    Anyhow, thanks and please do let me know what the defaults are for:
    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules…:

    0
  • M

    @artgug:

    Disable NAT Reflection for port forwards:
    Disable NAT Reflection for 1:1 NAT :
    Automatically create outbound NAT rules…:

    I'm not sure if i have default settings, but working settings: check, check & uncheck

    0
  • A

    Thanks!

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy