Another Port Forwarding Post
-
This morning I placed my PC 1 with the VirtualBox web server back onto the ATT router in DMZ mode, the same way the pfSense box is. I am able to get to the website now without issue and canyouseeme.org reports that it can see me on port 80.
This would lead me to believe that something in the PF box is not working properly. It lets outbound traffic out but apparently no inbound.
So, being new to this, where should I look to fix this? Could it be the configuration of the WAN card or LAN card? I know it's got to be something simple and I'm just missing it. I even went as far last night as changing the IP scheme of the ATT box to a 172.x.x.x network because, even though pfSense was in the DMZ, I thought maybe the two networks having the same IP layout was causing problems.
I know dealing with n00bs can be a pain, but the help is appreciated.
-
And again!!! If you're not seeing the traffic on PFSENSE, there is nothing you can do on pfSense to forward something that is NOT THERE!!
So in DMZ mode you're forwarding to what? What IP address does pfSense get on its WAN? Again, if you cannot see the traffic from canyouseeme.org, it's something on your box in front of pfSense, not pfSense, that is your problem.
You state: "ATT box to a 172.x.x.x network because even though"
Sure sounds like double NAT to me. Put your ATT box in bridge mode so that pfSense gets a PUBLIC IP. If that does not work, then what is pfSense's WAN IP? Access your ATT box and directly forward your port 80 to that IP, then on pfSense forward to what you want.
You state pfSense has public IP 76.233.x.x; are you getting that via DHCP, or are you setting it??
So I have seen this issue with DMZ mode if you have other forwards. Let's say I have 192.168.1.10 and .20 as private addresses behind a NAT device, and I forward port 80 to .10 and put .20 in the DMZ. .20 never sees any port 80 traffic because it's forwarded to .10. Could that be your problem with this DMZ mode you mention, and how it works when you're connecting to your ATT box directly?
edit: Another thing that confuses some people: if their device in front of pfSense is in bridge mode, and pfSense is getting a WAN IP from the DHCP server at the ISP, when they change in pfSense for the PC or whatever, that IP cannot change because of the different MAC. So what they thought was their public IP before is no longer their public IP. And when they switch in the other device they get their old IP back again.
You need to verify your public IP, and you need to verify that pfSense is seeing the traffic before you look at why pfSense is not forwarding anything.
-
Ok. The 76.233.x address is the public IP that pfSense gets when it's connected to the AT&T box, which is in DMZ mode. If I have the web server connected to the pfSense box then the web server gets no traffic. If I take the pfSense box out of the network and place the web server in the DMZ of the AT&T box then traffic to the web server passes just fine.
So what I don't understand is, if the web server works fine on the AT&T box in the same DMZ mode as the pfSense box, but then doesn't work when the web server is going through pfSense while the pfSense box is connected to the DMZ port of the AT&T box, then how can it not be a pf problem? The server works in front of it just fine. Just not after it.
My 76.233.x address is the public IP from AT&T; I have had that same IP for 10 years. When the AT&T box is put in DMZ mode it assigns that IP to the device that sits in the DMZ.
I can sit and look at the logs all day, but I still cannot tell you what I'm looking at. I don't know how to read the log properly. This is all new to me and I'm only doing it to learn something new. But I'm not learning anything other than where the beer and ibuprofen are.
I'll try some more tonight. I'm posting this on my iPhone, so I may not have covered everything.
-
Not sure what you're going to try; port forwards take like 2 seconds. You create the NAT in pfSense and it creates that and the firewall rule, unless you're unchecking the option for it to do that.
From what you posted, there was NO inbound traffic to your pfSense IP on port 80. That traffic there was something talking to dropbox.com, most likely a box behind pfSense.
I already showed how simple it is to verify your traffic. Start a sniff on your WAN interface, generate some traffic on canyouseeme for some ODD port so you can see that traffic and the IP it comes from, then create traffic to port 80. Do you see inbound from that same canyouseeme IP to port 80 from some random source port?
So when you connect this box directly to your ATT box it GETS the public IP; when you connect it to pfSense it gets a PRIVATE IP. You sure you're listening on this private IP? You sure you don't have some firewall on this webserver?
Step 1 in troubleshooting anything with pfSense is to make sure pfSense is SEEING the traffic on its WAN. There is no point in testing anything behind pfSense if you're not 100% sure that traffic is getting to the pfSense WAN. As stated, you cannot forward something that is NOT there.
What you have shown so far is that there is NO inbound traffic to the pfSense WAN on port 80.
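The two checks johnpoz asks for in the posts above (is the WAN address really public, and does the canyouseeme probe actually arrive on WAN) as an added example; this is not code from the thread or from pfSense. The tcpdump lines are constructed, and the interface name em0 is an assumption.

```python
"""Added example, not from the thread: the two checks johnpoz asks for.
1. Is the address pfSense got on WAN really public?  RFC 1918 / CGNAT / APIPA
   on WAN means another NAT device still sits in front of pfSense (double NAT).
2. Did the canyouseeme probe reach WAN?  Learn the tester's source IP from the
   odd-port probe, then look for a SYN from that same IP on port 80.
Capture lines are constructed; 'em0' as the WAN interface name is an assumption:
    tcpdump -ni em0 'tcp and (dst port 80 or dst port 5555)'
"""
import ipaddress
import re

# Constructed sample in tcpdump's format, not a real capture.  Documentation
# ranges: 198.51.100.20 stands in for the WAN IP, 203.0.113.9 for canyouseeme.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 203.0.113.9.41022 > 198.51.100.20.5555: Flags [S], seq 1, win 65535, length 0
12:00:02.000000 IP 198.51.100.20.44310 > 192.0.2.7.443: Flags [S], seq 2, win 65535, length 0
12:00:03.000000 IP 203.0.113.9.41023 > 198.51.100.20.80: Flags [S], seq 3, win 65535, length 0
"""

TCPDUMP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Ranges that can never be a public WAN address: RFC 1918, CGNAT (RFC 6598),
# and link-local (what a failed DHCP lease leaves you with).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16",
)]

def wan_is_double_natted(wan_ip):
    """True when pfSense's WAN address shows another NAT device in front of it."""
    ip = ipaddress.ip_address(wan_ip)
    return any(ip in net for net in NON_PUBLIC)

def inbound_syns(capture, wan_ip):
    """(source IP, destination port) of every SYN addressed to the WAN IP."""
    # Flags [S] is a bare SYN; [S.] would be a SYN-ACK leaving pfSense.
    return [(m["src"], int(m["dport"])) for m in map(TCPDUMP_RE.search, capture.splitlines())
            if m and m["dst"] == wan_ip and m["flags"] == "S"]

def probe_reached_wan(capture, wan_ip, learn_port, target_port=80):
    """Learn the tester's IP from the odd-port probe, then confirm a SYN from
    that same IP arrived on the port you actually care about."""
    syns = inbound_syns(capture, wan_ip)
    probe_ips = {src for src, port in syns if port == learn_port}
    seen = any(src in probe_ips and port == target_port for src, port in syns)
    return {"probe_ip": min(probe_ips) if probe_ips else None, "seen_on_target": seen}
```

If `wan_is_double_natted` is true, or `seen_on_target` is false, the problem is in front of pfSense and no port forward on pfSense can fix it.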
-
Ok. When I get home I'll do as you say and verify the traffic.
I know how difficult it is to try and tell someone how to do something they have never touched before, and I appreciate the patience with me.
-
I can walk you through verification of traffic getting there, that is no problem. If need be I am open to using, say, TeamViewer and we can walk through it together via your PC, where we can chat and you can see everything I do, etc.
But until we can verify there is traffic getting to pfSense, there is nothing to troubleshoot ;)
-
OK!!!! Good NEWS!!! LOL IT WORKS!!
So today while at work I had nothing going on, so I decided to spend some time reading two books that a beginner with pfSense and real networking needs to have. One is "pfSense: The Definitive Guide" and the other is "pfSense 2 Cookbook".
After taking the time to slow down and actually read your posts, I sat down this evening to do exactly as you stated. There was no traffic inbound. At that point I decided I was going to start everything from scratch. I reinstalled pfSense and started at the beginning. As I started setting things up I had a separate machine tied to the AT&T box to watch what it was doing as well. I noticed that even though my VirtualBox PC was connected to the pfSense network it kept popping up on the AT&T box as well. This was exactly what you had suspected, a double NAT. This is where the two books came into play. They helped me understand what you were saying with the double NAT and gave me some insight on how to fix the issue.
So I unplugged every connection from the pfSense box with the exception of the PC that runs the VirtualBox web server, and with my extra PC tied to the AT&T box I completely blew out all the previous NATs and reset the unit to factory defaults. Once that was done I noticed that the double NAT went away. I then did the test to check for traffic to the pfSense box using canyouseeme.org and sure enough, pfSense was now seeing traffic!!
I then set up the NATs for the ports I needed on the pfSense box and sure enough my websites were back live, as well as my CCTV DVR. Everything is working and I now have a much better understanding of pf and real routing.
I would like to say thanks to you johnpoz for sticking with me even though it was like teaching a wall how to be a door. With that I would like to tell everyone out there looking for help this: SLOW DOWN!! Get yourself the two books I mentioned and read them front to back, and when you come here asking the gurus for help, actually read their posts, follow their process and don't be stubborn; you asked for help for a reason.
-
Well, that is great news. Glad you got it sorted.
Sure you're going to love pfSense; see how easy it was to create a NAT ;)
-
Yep. I have now started adding packages and all is going well except for squid and lightsquid. But I'll figure them out tomorrow. My brain needs a rest, and since I have been playing with pf since Saturday non-stop my wife thinks I'm a stranger ahaha
-
This is your home network, right? Other than playing with it, normally home networks have no use for a proxy. Now, I used to use them back in the day when I needed to keep an eye on my teenage sons' internet usage and filtering of porn ;)
Unless you're just wanting to play/learn about how to use a proxy in pfSense, not sure I would install it. Complicates the setup without justification, most likely.
-
I initially wanted to install it for the web cache and to monitor where my son goes on his iPad. Then I decided I really don't need it, so I deleted it. I will eventually set up another box I have to do testing and learning on; now that I have a live box I don't want to go jacking it up LOL.
Everything is working except for one thing. When I go to my website using the same machine the VirtualBox is on, it forces me to HTTPS and then gives me a DNS issue.
I can reach the websites just fine from any device on the network except for the PC hosting the VirtualBox.
-
And how are you trying to access the website? Using the public IP/FQDN with NAT reflection? If you're local and accessing the local IP, pfSense is not in the picture; you never talk to pfSense when doing that.
Do you have NAT reflection enabled, if you're wanting to access your local network using the public IP, for pfSense just to forward you back in?
-
Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address. My Windows 7 PC that has VirtualBox running on it with the web server. Access to the site is fine from any computer on the network, just not the host PC with VirtualBox running on it.
What it does is, when I put the web address in, it automatically directs me to the HTTPS address, which doesn't exist; no certificates for it. Anyway, I just went into my web server and turned SSL from default to off on each domain and that fixed the problem. Only problem is if I ever decide to do SSL on those sites I'll have to figure out the real reason it didn't work.
But to answer the other half of your question: I do have NAT reflection on.
-
"Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address."
Then pfSense has nothing to do with that traffic. You only talk to pfSense if you're wanting OFF the 192.168.1.x network.
If you don't have an SSL cert, then no, your webserver cannot serve up SSL. If you want to access SSL from outside pfSense, then you would need to forward 443.
But again, if you're just talking between two clients on your same 192.168.1.x network, then pfSense is not involved in that conversation. Unless you were bridging two interfaces on pfSense, and one machine was connected to one and the other connected to the other interface on the pfSense bridge. Other than that sort of setup, no, pfSense is not involved in local network traffic.