[SOLVED] Need HEEELP! My server cannot be seen by the internet!
-
I have a pfSense router connected to two ISP connections (well, one isn't configured right now), and one LAN connection. The LAN is connected to a 20 port switch and my server is connected to the switch.
Before I installed a pfSense device, the server was connected to an older switch, which was connected to my old ISP. The domain I have at godaddy.com has my DNS set so that it redirects to the ISP's static IP. From there, somehow the server is forwarded to the public IP, I assume.
So I forwarded port 80 to the internal IP address of my server box via port forwarding. But now I get a DNS rebinding error 501. When I disable the DNS rebinding errors, it simply redirects me to the server login page. But when I try to use the URL from an outside computer, the URL fails and google says the site doesn't exist. I don't know what to do and this is making me nervous because I'm installing this for someone else :o Please help me, I NEEEED HELP DESPERATELY!!
-
Did you create a virtual IP or are you using the WAN address to redirect web traffic? If you are using the WAN address try putting the pfSense web configurator on a different port and restart. Second, if the server was configured to respond with the external address, then you might still have a configuration problem. Are you able to surf the internet from the server? Also, check your routes.
-
I did not create any virtual IPs. I simply forwarded port 80 outside to port 80 inside to a single LAN IP, aka my server. So yes I'm probably using the WAN address. I'm not at the pfSense device right now so I cannot check.
So you mean put the pfSense configurator on any port besides the one the server is using, right? Then wouldn't that affect the url I have to use to login to the web configurator? Like is it simply xxx.xx.xxx.xxx:port number ?
I believe the server is configured to respond with the external IP address. How is that a problem? Or are you asking if the server has its own LAN IP or if its IP is actually the external IP? If this is the case, then can I somehow configure the server to have a LAN port and be forwarded to the external IP?
Or perhaps the above is the reason why it's not working in the first place. It's expecting the external IP, but it is in use by the pfSense device and hence it fails to connect. Interesting.
Sadly there is no browser on the server machine because it is UNIX w/custom software.
Well, I'll post a reply by tomorrow at 9:00am CST, so hopefully someone can be around lurking in the forums just in case. Of course this is a request :)
-
On your WAN firewall rule for port 80 enable logging. That way you can monitor if it's getting there.
-
Easiest (and quickest) way to get this resolved is for you to post screenshots of your port forward rules and your firewall rules.
You need to make sure your pfsense webgui is set to http (port 443) or set it to some other port. You need to disable webgui redirect in System: Advanced: Admin Access: in the gui.
Steve
-
Still not working with the suggestions. Lemme get some screenies up :(
Update: Here are the screenies:-
http://img851.imageshack.us/img851/2388/pfsense1.jpg
http://img815.imageshack.us/img815/7746/pfsense2.jpg
http://img832.imageshack.us/img832/5104/pfsense3.jpg
http://img39.imageshack.us/img39/2643/pfsense4.jpg
http://img155.imageshack.us/img155/5338/pfsense5.jpg
Hope these work. I tried changing the Server port from 80 to 443, but no good.
Update 2: OMG OMG, this is gonna sound stupid. I haven't solved the issue yet, but it seems like the LAN IP for the server is not pinging, which either means that the local IP is wrong, or it's not responding. Because it's a locked system I do not have access to this UNIX box and cannot find out what the physical IP on the box is. So I'll keep you guys in the loop.
-
So you are still seeing nothing from outside your network and being redirected to the pfsense gui from inside?
I don't see a problem with your firewall rules or port forwarding. With the dns override in place I would expect you to be able to access the server internally.
By default the pfSense webGUI is on https (port 443). In order to make access to it easy it has a redirect setup so that requests on port 80 are switched to 443. Thus in its standard configuration requests on port 80 or 443 are picked up by the webGUI. Though this is normally only a problem from within the network.
Try connecting to the server from outside your network and then look in the firewall logs to see if anything is being blocked. If nothing then try what chpalmer suggested above, enable logging on the firewall rule and retry to connect from outside your network.
Since incoming packets hit the port forwarder and then the firewall, if you see packets being passed then you know those rules are working correctly.
Steve
Edit: Read your OMG. That would explain it! ;)
-
Thought I'd update the situation: I just found out that the device has 4 ethernet ports in the back! This was after I was granted access to the server, which I bought! ::) (It was set up by an outside company and they didn't want to give me access. But technical support had no problem giving me access, go figure!) So seems like the cable was plugged into the wrong port and I got the box to ping. But the server still isn't viewable online! So still working on that.
-
If I was you at this point I'd remove everything you have done and start again. Any previous results are now obviously invalid. It all looked correct though. :)
One thing I would say is that you added a dns override and I would have enabled NAT reflection in that situation.
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
Steve
-
Ok. I was afraid to add NAT reflection because the docs or forums said somewhere that it's for Really Advanced configuring, and that set a switch in my mind that it changes a major function of the firewall.
Oh, I'm able to access the server locally now with the internal IP :o :) So all I need to figure out is how to direct that IP to my URL properly.
That link you gave me is very interesting…still reading :)
BTW, Steve, can you see my post titled "Having issues with DNS server settings with 2 ISPs (Failover issues)"? Look at those screenies and tell me what you think, thanks.
-
So I tried what was indicated, but no go. Should I reconfigure everything and is it necessary to reset everything? How do I do a complete reset?
-
It's probably not necessary to reset everything but you can do it in Diagnostics: Factory defaults: if you need to.
Where are you at now?
Steve
-
Actually, I found out that I configured my DNS wrong, specifically my A host. I was supposed to use an @ symbol but instead I typed in "Comcast" assuming that I could name it whatever I want. But no, the A record has to have a freakin @ symbol :P ::) . So now I gotta wait for the correct settings to propagate. So perhaps it wasn't the firewall at all that was causing issues :o
-
That would also explain it!
You should be able to test the forwarding setup though by just using your WAN IP from outside your network instead of URL.
Steve
-
Ok, now the "501: Potential Rebind DNS attack detected" error is back >:( God, what did I do wrong to you? :'( :'(
When I disable DNS rebinding checks, the URL takes me to the login of my pfSense device! What is going on?? Should I switch pfSense to a non-internet port? What should I change it to, and then how do I login to the device if I do so?
Tried enabling SSH, but that did no good. What I don't understand is that if I forwarded port 443 to 172.20.2.45, then why is the url getting routed to the login of the pfSense device? Perhaps there is another setting within pfSense that redirects internet IP to a specific address on my LAN network?
Update: Oh no! I put in port 25 for the webconfigurator and now I cannot get in. Gives me "Webpage might be temporarily down" and then Error 312 Unsafe port. Now what?
Update 2: Set pfSense device to factory defaults and did my usual settings. Now I'm back to stage 1 with the 501 DNS rebind attack error. How do I get my server to show up when I type in the URL instead of this error or the pfSense login???
-
From your results it looks like you are testing from inside your network. In order for this to work, using URLs, you need to enable nat reflection or split dns.
This doesn't test the port forward correctly though, you need to test it from a remote location or using a 3g modem etc.
Steve
-
I have been using my 3G smart phone to see if I can reach the browser, and I get the same error. If I tell the pfSense device to ignore the DNS rebinding, then it brings me to the pfSense device login screen.
So it seems that the only issue I'm having is forwarding my LAN server to my static IP. It's just that my router's login takes priority over what I've forwarded? And I followed that guide, but no change.
Maybe I'm missing something and need a tutorial on how to setup a server behind pfSense? I'm trying to forward my server that has a LAN IP to my WAN IP via port 80. This is what I've been doing.
Update: Ok, so I bypassed the pfSense router and used a DIR-655 wireless router which was used strictly for wireless only, and IT WORKS!!! I am able to connect to my server on the internet via the virtual server settings in this router. BUT, the whole point is to have failover functionality (which I'm still having trouble with the 2nd ISP) and route the server through the pfSense device. So I don't know where this leaves me, except in a sour area. Gonna keep trying to route it through the pfSense device.
-
This is very weird. You shouldn't need to do anything more than this.
You shouldn't be able to reach the pfSense webGUI from WAN at all unless you open a firewall hole to it directly.
Your firewall rule only allows in traffic that has destination 'your server'. :-
Are you sure there's no way your phone is using wifi or has cached the page?
Try asking a friend to access it to be sure.
Steve
Edit: I can't see anything at saltcreekimaging.com from here in the UK. :(
-
You gotta use https:// before the url, otherwise it won't work. It's a server config thing. And the SSL certificate is out-of-date, but I'll update that later.
I was also able to get it to work with the DIR-655's port forwarding. So this is very weird.
So right now I'm attempting to get it to work on the pfSense device.
Update: No good, doesn't work via pfSense. If only I could figure out how the DIR-655 does port forwarding and apply that to the pfSense device, then perhaps I can make it work. Anyone?
-
OK I see your site using https.
If it only works via https then you need to forward port 443 not 80.
Steve
It's definitely running on the standard port, 443.
pfTop: Up State 1-27/27, View: default, Order: dest. addr
PR   D  SRC                DEST               STATE  AGE  EXP  PKTS  BYTES
tcp  I  192.168.2.10:1545  50.193.66.117:443  9:9    85   21   24    8387
tcp  O  192.168.2.10:1545  50.193.66.117:443  9:9    85   21   24    8387
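
The checks this thread works through (the @ A record, which port the server really answers on, and the firewall webGUI answering instead of the server), collected as an added example; it is not code from any poster or from pfSense. The address is a constructed documentation-range placeholder, and the "rebind" / "pfsense" response markers are assumptions about what the firewall's own pages contain.

```python
# Added example: triage of observations gathered while testing a port forward.
# WAN_IP is a constructed placeholder (documentation range), not from the thread.
WAN_IP = "203.0.113.10"

ADVICE = {
    "a_record_mismatch": "fix the @ A record so the bare domain resolves to the WAN IP",
    "no_connection": "no forward or WAN rule for this port; enable logging on the rule and retest",
    "firewall_webgui_answered": "the firewall answered, not the server: test was made from "
                                "inside without NAT reflection/split DNS, or the port is not forwarded",
    "server_answered": "forward and rule work for this port",
}

def diagnose(a_records, wan_ip, probes):
    """a_records: addresses the hostname resolves to.
    probes: {port: None if the TCP connect failed, else the response text}.
    Returns a list of (where, code) tuples; codes are keys of ADVICE."""
    findings = []
    if wan_ip not in a_records:
        findings.append(("dns", "a_record_mismatch"))
    for port, text in sorted(probes.items()):
        if text is None:
            code = "no_connection"
        elif "rebind" in text.lower() or "pfsense" in text.lower():
            # Assumed markers: the 501 rebind error page or the webGUI login page.
            code = "firewall_webgui_answered"
        else:
            code = "server_answered"
        findings.append((port, code))
    return findings

# Constructed observations mirroring the three situations in the thread.
SAMPLES = {
    "wrong_host_record": ([], {}),  # A record named something other than @
    "webgui_instead_of_server": ([WAN_IP], {80: "501 Potential DNS Rebind attack detected"}),
    "https_only_server": ([WAN_IP], {80: None, 443: "HTTP/1.1 200 OK"}),
}

def report(name):
    """Human-readable findings for one named sample."""
    records, probes = SAMPLES[name]
    return [f"{where}: {ADVICE[code]}" for where, code in diagnose(records, WAN_IP, probes)]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, *report(name), sep="\n  ")
```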