Can't connect to a PC behind my firewall from a remote computer



  • Okay, I have set up a mail server behind my pfSense box.  The mail server is working perfectly for everyone in my family except my sister.  I cannot even connect to my IP address via browser or terminal/ping.  It just times out.

    I'm thinking that somehow her IP address was blocked.  I have no idea where to go in pfSense to find this information though.

    Also, to make matters more difficult, she has a dynamic IP address so I know what it is right now but is there a way to stop this from happening again?


  • Rebel Alliance Global Moderator

    Her IP would not be blocked unless you specifically setup a rule to block it, or on your forwarding rules you excluded her IP?

    When you say "you" cannot connect??  Are you trying to access your public outside IP from a box on your local private side?  That would be NAT reflection and would have to be enabled.

    When you say she cannot connect - what port is she trying to connect to? 25? That would be the SMTP port; many, many ISPs block outbound access from the ISP network on that port.

    Some details would be helpful: what port(s) does she need to connect to?  What ports do you have forwarded?  And do you have any source IPs/networks/ports in the rules?



  • @johnpoz:

    Her IP would not be blocked unless you specifically setup a rule to block it, or on your forwarding rules you excluded her IP?

    When you say "you" cannot connect??  Are you trying to access your public outside IP from a box on your local private side?  That would be NAT reflection and would have to be enabled.

    When you say she cannot connect - what port is she trying to connect to? 25? That would be the SMTP port; many, many ISPs block outbound access from the ISP network on that port.

    Some details would be helpful: what port(s) does she need to connect to?  What ports do you have forwarded?  And do you have any source IPs/networks/ports in the rules?

    Sorry, I will try to be more specific.  Here is the situation:

    My setup (at my house):

    • pfSense > Zimbra Mail Server

    Her setup (at her house – remote):

    • Uses Thunderbird to manage email.
    • Tried to get mail and nothing
    • Tried to log in to the Zimbra web client (port 80) but nothing comes up
    • Went to the command prompt and pinged my static IP but it timed out
    • Looked at her hosts file and there was nothing blocking her connection to my server

    --> As mentioned, I'm running Zimbra as the mail server.  The mail is connected via SSL, so port 25 isn't an issue.  The web client is not working at all.

    My parents are set up the same as her and they can connect and retrieve their mail without a problem (both with Thunderbird and the web client).

    All three of us are with the same ISP (Teksavvy).

    I can get emails on my computers within my LAN as well as my mobile phones and my parents can on their computers at their house and their mobile phones.

    I just keep timing out at my sister's house.  I figured there was a system within pfSense which blocked an IP address if certain rules took place.

    Not sure how to debug this issue, so if you can help and point me where to look I would appreciate it.


  • Rebel Alliance Global Moderator

    I would do a traceroute from her machine to your IP.

    I assume she is on Windows?  So, for example, replace the 8.8.8.8 with your public IP from her house:

    
    C:\Windows\System32>tracert 8.8.8.8
    
    Tracing route to google-public-dns-a.google.com [8.8.8.8]
    over a maximum of 30 hops:
    
      1     2 ms    <1 ms    <1 ms  pfsense.local.lan [192.168.1.253]
      2    31 ms    23 ms    30 ms  c-24-13-176-1.hsd1.il.comcast.net [24.13.176.1]
      3    11 ms    10 ms    11 ms  te-1-2-ur07.mtprospect.il.chicago.comcast.net [68.85.131.149]
      4    12 ms    10 ms    11 ms  te-8-3-ur08.mtprospect.il.chicago.comcast.net [68.87.231.70]
      5    14 ms    72 ms    13 ms  te-1-2-0-7-ar01.area4.il.chicago.comcast.net [68.86.187.193]
      6    15 ms    15 ms    15 ms  pos-3-6-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.95.9]
    snipped
    
    

    You sure she doesn't have a firewall blocking traffic to you?  A hosts file would have NOTHING to do with accessing an IP.  Are you trying to access via an FQDN?  i.e. something like email.yourdomain.tld or something.no-ip.info ??

    Does this resolve?  From a cmd line on her machine, do an nslookup on the FQDN you're trying to access.

    Example

    
    C:\Windows\System32>nslookup
    Default Server:  pfsense.local.lan
    Address:  192.168.1.253
    
    > www.google.com
    Server:  pfsense.local.lan
    Address:  192.168.1.253
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:400f:801::1012
              74.125.225.212
              74.125.225.208
              74.125.225.209
              74.125.225.210
              74.125.225.211
    
    

    Again, replace my example with the FQDN you are trying to use.

    Also post your firewall rules on the WAN and forwarding rules - do you have anything in there that would block her IP?  Do you have something setup as source for the rules?

    If she is reaching your IP, you should see her access being blocked if she is not able to access.  Or turn on logging on your rules; do you see her traffic being forwarded?

    Have you allowed ICMP on pfSense? If you have not, then nobody would be able to ping you.. Example: see my firewall rules and NATs, see the ICMP allow..  If you don't have a rule allowing this.. then nobody would be able to ping you.

    Traceroute should give us good info from her, as well as nslookup if you're using an FQDN to try and access.  And check your firewall logs to see if you see her traffic.  Make sure you enable logging on your forward/WAN rules and look for blocks.
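    A small parser for the tracert output asked for above, added here as an example and not code from the thread or from pfSense: it reports the last hop that answered and whether the trace reached the target address, which is the question the traceroute is meant to settle.  The sample output, hostnames and addresses are constructed.

```python
import re
from dataclasses import dataclass

# One hop line of Windows tracert: hop number, three RTT columns
# ("<1 ms", "23 ms" or "*"), then the host/IP or "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
TARGET_RE = re.compile(r"Tracing route to \S+ \[([\d.]+)\]")

@dataclass
class Hop:
    number: int
    host: str        # "" when the hop did not answer
    timed_out: bool

def parse_tracert(output: str) -> list[Hop]:
    """Turn raw tracert output into an ordered list of hops."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            host = m.group(3)
            timed_out = host.startswith("Request timed out")
            hops.append(Hop(int(m.group(1)), "" if timed_out else host, timed_out))
    return hops

def diagnose(output: str) -> dict:
    """Report how far the trace got and whether it reached the target IP."""
    hops = parse_tracert(output)
    m = TARGET_RE.search(output)
    target = m.group(1) if m else ""
    answered = [h for h in hops if not h.timed_out]
    last_ok = answered[-1] if answered else None
    return {
        "target": target,
        "hops_seen": len(hops),
        "last_responding_hop": last_ok.number if last_ok else 0,
        "last_responding_host": last_ok.host if last_ok else "",
        "reached_target": bool(last_ok and target and f"[{target}]" in last_ok.host),
    }

# Constructed sample mirroring the thread's outcome: the home router answers
# at hop 1 and every hop past it times out (names and addresses are made up).
SAMPLE_STALLED = """\
Tracing route to mail.example.net [203.0.113.10]
over a maximum of 30 hops:

  1     2 ms    <1 ms    <1 ms  homerouter.lan [192.168.0.1]
  2     *        *        *     Request timed out.
"""
```

    Timeouts only on the final hop can also mean the far end drops ICMP (the point above about allowing ICMP on the pfSense WAN rule), so a stall right after the first hop is what points at the local link rather than the firewall.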






  • Thanks for pointing me in the right direction.  The traceroute showed that she wasn't getting beyond 1 hop past the router before timing out.  The IP address for her seemed to be from a weird subnet for this ISP, so I rebooted the modem/router and then it worked for her.

    Strange.

    Thanks again!


  • Rebel Alliance Global Moderator

    So she could go to other internet sites?  But not yours?  Probably others too that you were just not aware of.

    Glad I could be of help, and that it's now working.

