Problem with Browsing my website

hossam.khalili

Hello there,

the IP Address for my website is 10.0.0.2 with gateway 10.0.0.1
my workstation on the company 192.168.0.0 gateway 192.168.1.101

i can browse 10.0.0.1 the gateway and open the webpage for the pfsense, but I can't browse my website 10.0.0.2 from the workstation

How can I make the workstation browsing the website without making bridge between the LAN's

please help,
thanks.

wallabybob

I presume @hossam.khalili:

How can I make the workstation browsing the website without making bridge between the LAN's

Please help by providing additional information.
What is the name of the pfSense interface on the 192.168.1.x network?
What is the name of the pfSense interface on the 10.0.0.x network?
Do you have the default firewall rules?
What does the browser report on attempting to access the web site? What URL do you use?
Does your access attempt appear in the pfSense firewall log (Status -> System Logs, click on Firewall tab)?

hossam.khalili

thanks for reply,

the name of 192.168.1.x LAN
the name of 10.0.0.x Orange
and i use the default firewall rules
no it's not appear on firewall log 
and this's the message when browse it from google chrome "Network Error (tcp_error)

A communication error occurred: "" 
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

For assistance, contact your network support team.

thanks

wallabybob

Default firewall rules allow all accesses arriving on LAN interface and block all accesses arriving on other interfaces. Your web browser access to server n Orange interface should be allowed by firewall rules. Perhaps the Orange interface is not in the correct state. What is the output of pfSense shell commands:```
/etc/rc.banner ; ifconfig

johnpoz

"and i use the default firewall rules"

When you create a new interface (opt1) and give it a name - it does not get any default rules like the lan interface gets.  you will have to create the firewall rules you want traffic coming into this interface to be able to do.

If you want it to be able to access your lan network 192.168.1.x then you will have to create that rule on the orange interface rules.

wallabybob

@johnpoz:

If you want it to be able to access your lan network 192.168.1.x then you will have to create that rule on the orange interface rules.

Original post said there was problem accessing website on the orange network from LAN. That should be allowed by default rules.

hossam.khalili

thank you everyone for reply,

until i can't fix the problem, i attached images for my LAN 192.168.1.x and the orange 10.0.0.2 rules i think that will be help

thanks a lot.

stephenw10

I don't see any attached images.  :-\

Please post the output of the commands Wallabybob asked for above.

How are you trying to access the website, by URL or by IP?

Steve

hossam.khalili

Sorry
this's the attached Image.
I tried by URL and by IP.
thanks

hossam.khalili

and this the output from the shell commands:
/etc/rc.banner ; ifconfig

–-----------------
*** Welcome to pfSense 2.0.2-RELEASE-pfSense (i386) on jrcfw01 ***

LAN (lan)                -> re2        -> 192.168.1.101
  WAN (wan)                -> pppoe0    -> 212.38.147.97 (PPPoE)
  ORANGE (opt1)            -> re1        -> 10.0.0.1
  BLUE (opt2)              -> re0        -> 172.192.1.1
  WAN2 (opt3)              -> nfe1      -> NONE (DHCP)re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:57:a5
        inet 172.192.1.1 netmask 0xffffff00 broadcast 172.192.1.255
        inet6 fe80::214:d1ff:fe1a:57a5%re0 prefixlen 64 scopeid 0x1
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
re1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:58:ee
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::214:d1ff:fe1a:58ee%re1 prefixlen 64 scopeid 0x2
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
re2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:53:c7
        inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
fwe0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
        options=8 <vlan_mtu>ether 02:11:d8:60:bd:9d
        ch 1 dma -1
fwip0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
        lladdr 0.11.d8.0.1.60.bd.9d.a.2.ff.fe.0.0.0.0
nfe0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8019b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,linkstate>ether 00:1b:fc:d8:b3:cd
        inet6 fe80::21b:fcff:fed8:b3cd%nfe0 prefixlen 64 scopeid 0x6
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate>ether 00:1b:fc:d8:b7:00
        inet6 fe80::21b:fcff:fed8:b700%nfe1 prefixlen 64 scopeid 0x7
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (none)
        status: no carrier
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100 <promisc>metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
        options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
        nd6 options=43 <performnud,accept_rtadv>pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1454
        inet6 fe80::214:d1ff:fe1a:57a5%pppoe0 prefixlen 64 scopeid 0xc
        inet 212.38.147.97> 212.38.128.104 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>ovpns2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns2 prefixlen 64 scopeid 0xd
        inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 15674
ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns1 prefixlen 64 scopeid 0xe
        inet 10.0.40.1 --> 10.0.40.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 18811
ovpns4: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns4 prefixlen 64 scopeid 0xf
        inet 10.0.41.1 --> 10.0.41.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 21430
ovpns6: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns6 prefixlen 64 scopeid 0x10
        inet 10.0.42.1 --> 10.0.42.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 24555
ovpns7: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns7 prefixlen 64 scopeid 0x11
        inet 10.0.43.1 --> 10.0.43.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 27613
ovpns8: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns8 prefixlen 64 scopeid 0x12
        inet 10.0.44.1 --> 10.0.44.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 30564
ovpns5: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns5 prefixlen 64 scopeid 0x13
        inet 10.0.45.1 --> 10.0.45.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 33576
ovpns9: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns9 prefixlen 64 scopeid 0x14
        inet 10.0.46.1 --> 10.0.46.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 36042
ovpns10: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns10 prefixlen 64 scopeid 0x15
        inet 10.0.47.1 --> 10.0.47.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 39914
ovpns12: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns12 prefixlen 64 scopeid 0x16
        inet 10.0.49.1 --> 10.0.49.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 46414
ovpns3: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
        options=80000 <linkstate>inet6 fe80::214:d1ff:fe1a:57a5%ovpns3 prefixlen 64 scopeid 0x17
        inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff
        nd6 options=43 <performnud,accept_rtadv>Opened by PID 54366
pptpd0: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
        inet6 fe80::214:d1ff:fe1a:57a5%pptpd0 prefixlen 64 scopeid 0x18
        nd6 options=43 <performnud,accept_rtadv>pptpd1: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
        inet6 fe80::214:d1ff:fe1a:57a5%pptpd1 prefixlen 64 scopeid 0x19
        nd6 options=43 <performnud,accept_rtadv>pptpd2: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd3: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd4: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd5: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd6: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd7: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd8: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd9: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd10: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd11: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd12: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd13: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd14: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500
pptpd15: flags=8890 <pointopoint,noarp,simplex,multicast>metric 0 mtu 1500

-------------------------------------</pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></pointopoint,noarp,simplex,multicast></performnud,accept_rtadv></pointopoint,noarp,simplex,multicast></performnud,accept_rtadv></pointopoint,noarp,simplex,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></up,pointopoint,running,noarp,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,linkstate></up,broadcast,running,simplex,multicast></broadcast,simplex,multicast></vlan_mtu></broadcast,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast>

wallabybob

Thanks for the additional information. There is nothing there that I think explains what you are seeing.

Does the web server on the orange network log access attempts? Do the access attempts appear there?

Have you used packet capture on the web server to verify the access attempts arrive there and appropriate response is generated?

stephenw10

This looks bad:

re2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:53:c7
        inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast>

Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

Steve

wallabybob

@stephenw10:

This looks bad:

re2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:53:c7
        inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
        nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast>

Why do you say it looks bad? The network has been referred to as 192.168.1.x which suggests it might have been meant to have a netmask of 24 bits rather than 22.

@stephenw10:

Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

Good question, but the posted rule set should allow web access from LAN to 10.0.0.2.

stephenw10

You're right in both cases. I didn't think through that subnet.
These things together though seem to indicate this box may be quite far from default.  Assume nothing!  ;)

Steve

wallabybob

@stephenw10:

These things together though seem to indicate this box may be quite far from default.  Assume nothing!  ;)

Agreed. I have been suspicious of "I didn't change anything" since dealing with someone complaining two program runs with the some data gave different results. How could this be? Some digging around turned up the "insignificant" fact that the data was on punched cards (who remembers them?) and the deck of cards had been dropped on the floor. "same data" sure - but "randomised".

hossam.khalili

thanks for everyone,
but i didn't get the answer for my Question, what should i do now!!

please help.

thanks.

stephenw10

You could answer the various questions above.  ;)

This should work without any special configuration. There are (at least) two reasons why it might not work:
1. The firewall is blocking the connection. This should be allowed by the pfSense by default. It looks like it should work with your existing rules too. However I see you have removed the 'default LAN to any' firewall rule. Why have you done that?

2. There is some routing problem preventing traffic either reaching the server or replies from reaching you. Again this should work by default. We spotted that your LAN appears to be a /22 subnet, is that deliberate or a config error?

Have you changed anything else in the box, like added manual routes or gateways?

Steve

hossam.khalili

thanks Steve for reply,
Actually, "Default LAN to any" is a rule i made it, then i removed it and create what I attached on the last image.

but i agree with the second reason, how can i fix "Routing problem preventing traffic"?, cause if i change my IP to 192.168.3.x/24 i can access the website.

Thanks Again.
:)

stephenw10

Ah, then I suggest you have a subnet mismatch somewhere.
Do you mean if you change the IP on your client to a static 192.168.3.X/24?

Did you intend to have the /22 subnet on the pfSense LAN interface?

Steve

hossam.khalili

Steve thanks for reply,
yes, if i change any client to 192.168.3.x/24 the website browsing

no problem, regardless of subnet if changing the subnet will fix the problem, show me how can i do it
thanks.