Problem with Browsing my website



  • Hello there,

    the IP address for my website is 10.0.0.2 with gateway 10.0.0.1
    my workstation on the company 192.168.0.0 gateway 192.168.1.101

    I can browse 10.0.0.1, the gateway, and open the webpage for the pfSense, but I can't browse my website 10.0.0.2 from the workstation.

    How can I make the workstation browse the website without making a bridge between the LANs?

    please help,
    thanks.



  • I presume @hossam.khalili:

    How can I make the workstation browse the website without making a bridge between the LANs?

    Please help by providing additional information.
    What is the name of the pfSense interface on the 192.168.1.x network?
    What is the name of the pfSense interface on the 10.0.0.x network?
    Do you have the default firewall rules?
    What does the browser report on attempting to access the web site? What URL do you use?
    Does your access attempt appear in the pfSense firewall log (Status -> System Logs, click on Firewall tab)?



  • Thanks for the reply,

    the name of 192.168.1.x: LAN
    the name of 10.0.0.x: Orange
    and I use the default firewall rules
    no, it does not appear in the firewall log
    and this is the message when I browse it from Google Chrome:

    "Network Error (tcp_error)

    A communication error occurred: ""
    The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

    For assistance, contact your network support team."

    thanks



  • Default firewall rules allow all accesses arriving on LAN interface and block all accesses arriving on other interfaces. Your web browser access to server on Orange interface should be allowed by firewall rules. Perhaps the Orange interface is not in the correct state. What is the output of pfSense shell commands:
    ```
    /etc/rc.banner ; ifconfig
    ```


  • LAYER 8 Global Moderator

    "and i use the default firewall rules"

    When you create a new interface (opt1) and give it a name, it does not get any default rules like the LAN interface gets. You will have to create the firewall rules you want traffic coming into this interface to be able to do.

    If you want it to be able to access your lan network 192.168.1.x then you will have to create that rule on the orange interface rules.



  • @johnpoz:

    If you want it to be able to access your lan network 192.168.1.x then you will have to create that rule on the orange interface rules.

    Original post said there was problem accessing website on the orange network from LAN. That should be allowed by default rules.



  • Thank you everyone for the replies,

    Until now I can't fix the problem. I attached images for my LAN 192.168.1.x and the Orange 10.0.0.2 rules; I think that will help.

    thanks a lot.


  • Netgate Administrator

    I don't see any attached images.  :-\

    Please post the output of the commands Wallabybob asked for above.

    How are you trying to access the website, by URL or by IP?

    Steve



  • Sorry,
    this is the attached image.
    I tried by URL and by IP.
    Thanks






  • and this is the output from the shell commands:
    /etc/rc.banner ; ifconfig

    ------------------
    *** Welcome to pfSense 2.0.2-RELEASE-pfSense (i386) on jrcfw01 ***

      LAN (lan)                -> re2        -> 192.168.1.101
      WAN (wan)                -> pppoe0    -> 212.38.147.97 (PPPoE)
      ORANGE (opt1)            -> re1        -> 10.0.0.1
      BLUE (opt2)              -> re0        -> 172.192.1.1
      WAN2 (opt3)              -> nfe1      -> NONE (DHCP)

    re0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>
            ether 00:14:d1:1a:57:a5
            inet 172.192.1.1 netmask 0xffffff00 broadcast 172.192.1.255
            inet6 fe80::214:d1ff:fe1a:57a5%re0 prefixlen 64 scopeid 0x1
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    re1: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>
            ether 00:14:d1:1a:58:ee
            inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
            inet6 fe80::214:d1ff:fe1a:58ee%re1 prefixlen 64 scopeid 0x2
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    re2: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>
            ether 00:14:d1:1a:53:c7
            inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
            inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    fwe0: flags=8802 <broadcast,simplex,multicast> metric 0 mtu 1500
            options=8 <vlan_mtu>
            ether 02:11:d8:60:bd:9d
            ch 1 dma -1
    fwip0: flags=8802 <broadcast,simplex,multicast> metric 0 mtu 1500
            lladdr 0.11.d8.0.1.60.bd.9d.a.2.ff.fe.0.0.0.0
    nfe0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=8019b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,linkstate>
            ether 00:1b:fc:d8:b3:cd
            inet6 fe80::21b:fcff:fed8:b3cd%nfe0 prefixlen 64 scopeid 0x6
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    nfe1: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=8009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate>
            ether 00:1b:fc:d8:b7:00
            inet6 fe80::21b:fcff:fed8:b700%nfe1 prefixlen 64 scopeid 0x7
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (none)
            status: no carrier
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100 <promisc> metric 0 mtu 33200
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049 <up,loopback,running,multicast> metric 0 mtu 16384
            options=3 <rxcsum,txcsum>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
            nd6 options=43 <performnud,accept_rtadv>
    pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast> metric 0 mtu 1454
            inet6 fe80::214:d1ff:fe1a:57a5%pppoe0 prefixlen 64 scopeid 0xc
            inet 212.38.147.97 --> 212.38.128.104 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
    ovpns2: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns2 prefixlen 64 scopeid 0xd
            inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 15674
    ovpns1: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns1 prefixlen 64 scopeid 0xe
            inet 10.0.40.1 --> 10.0.40.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 18811
    ovpns4: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns4 prefixlen 64 scopeid 0xf
            inet 10.0.41.1 --> 10.0.41.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 21430
    ovpns6: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns6 prefixlen 64 scopeid 0x10
            inet 10.0.42.1 --> 10.0.42.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 24555
    ovpns7: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns7 prefixlen 64 scopeid 0x11
            inet 10.0.43.1 --> 10.0.43.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 27613
    ovpns8: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns8 prefixlen 64 scopeid 0x12
            inet 10.0.44.1 --> 10.0.44.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 30564
    ovpns5: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns5 prefixlen 64 scopeid 0x13
            inet 10.0.45.1 --> 10.0.45.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 33576
    ovpns9: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns9 prefixlen 64 scopeid 0x14
            inet 10.0.46.1 --> 10.0.46.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 36042
    ovpns10: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns10 prefixlen 64 scopeid 0x15
            inet 10.0.47.1 --> 10.0.47.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 39914
    ovpns12: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns12 prefixlen 64 scopeid 0x16
            inet 10.0.49.1 --> 10.0.49.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 46414
    ovpns3: flags=8051 <up,pointopoint,running,multicast> metric 0 mtu 1500
            options=80000 <linkstate>
            inet6 fe80::214:d1ff:fe1a:57a5%ovpns3 prefixlen 64 scopeid 0x17
            inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff
            nd6 options=43 <performnud,accept_rtadv>
            Opened by PID 54366
    pptpd0: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
            inet6 fe80::214:d1ff:fe1a:57a5%pptpd0 prefixlen 64 scopeid 0x18
            nd6 options=43 <performnud,accept_rtadv>
    pptpd1: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
            inet6 fe80::214:d1ff:fe1a:57a5%pptpd1 prefixlen 64 scopeid 0x19
            nd6 options=43 <performnud,accept_rtadv>
    pptpd2: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd3: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd4: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd5: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd6: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd7: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd8: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd9: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd10: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd11: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd12: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd13: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd14: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500
    pptpd15: flags=8890 <pointopoint,noarp,simplex,multicast> metric 0 mtu 1500

    -------------------------------------



  • Thanks for the additional information. There is nothing there that I think explains what you are seeing.

    Does the web server on the orange network log access attempts? Do the access attempts appear there?

    Have you used packet capture on the web server to verify the access attempts arrive there and appropriate response is generated?


  • Netgate Administrator

    This looks bad:

    re2: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>
            ether 00:14:d1:1a:53:c7
            inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
            inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

    Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

    Steve



  • @stephenw10:

    This looks bad:

    re2: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>
            ether 00:14:d1:1a:53:c7
            inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
            inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
            nd6 options=43 <performnud,accept_rtadv>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

    Why do you say it looks bad? The network has been referred to as 192.168.1.x which suggests it might have been meant to have a netmask of 24 bits rather than 22.

    @stephenw10:

    Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

    Good question, but the posted rule set should allow web access from LAN to 10.0.0.2.


  • Netgate Administrator

    You're right in both cases. I didn't think through that subnet.
    These things together though seem to indicate this box may be quite far from default.  Assume nothing!  ;)

    Steve



  • @stephenw10:

    These things together though seem to indicate this box may be quite far from default.  Assume nothing!  ;)

    Agreed. I have been suspicious of "I didn't change anything" since dealing with someone complaining two program runs with the same data gave different results. How could this be? Some digging around turned up the "insignificant" fact that the data was on punched cards (who remembers them?) and the deck of cards had been dropped on the floor. "Same data" sure, but "randomised".



  • Thanks everyone,
    but I didn't get the answer to my question, what should I do now!!

    please help.

    thanks.


  • Netgate Administrator

    You could answer the various questions above.  ;)

    This should work without any special configuration. There are (at least) two reasons why it might not work:
    1. The firewall is blocking the connection. This should be allowed by the pfSense by default. It looks like it should work with your existing rules too. However I see you have removed the 'default LAN to any' firewall rule. Why have you done that?

    2. There is some routing problem preventing traffic either reaching the server or replies from reaching you. Again this should work by default. We spotted that your LAN appears to be a /22 subnet, is that deliberate or a config error?

    Have you changed anything else in the box, like added manual routes or gateways?

    Steve



  • Thanks Steve for the reply,
    Actually, "Default LAN to any" is a rule I made, then I removed it and created what I attached in the last image.

    But I agree with the second reason. How can I fix the "routing problem preventing traffic"? Because if I change my IP to 192.168.3.x/24 I can access the website.

    Thanks Again.
    :)


  • Netgate Administrator

    Ah, then I suggest you have a subnet mismatch somewhere.
    Do you mean if you change the IP on your client to a static 192.168.3.X/24?

    Did you intend to have the /22 subnet on the pfSense LAN interface?

    Steve
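
The netmask arithmetic behind the /22 observation, as an added example that is not part of the thread: it parses the `inet ... netmask 0x...` lines from the posted ifconfig output and compares a client's settings against the firewall interface. The client address 192.168.3.50 and the function names are hypothetical; the gateway and interface values are taken from the posted output.

```python
import ipaddress
import re

# Constructed sample: the re1 and re2 address lines from the ifconfig output
# posted in the thread, with the flag lists trimmed.
IFCONFIG = """\
re1: flags=8843 metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
re2: flags=8843 metric 0 mtu 1500
        inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
"""

INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-f]{8})")


def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} from FreeBSD-style ifconfig output."""
    result, name = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            name = head.group(1)
            continue
        m = INET_RE.match(line)  # point-to-point "-->" lines do not match
        if m and name:
            # FreeBSD prints the mask in hex; convert it to dotted form.
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            result[name] = ipaddress.ip_interface(f"{m.group(1)}/{mask}")
    return result


def check_client(fw_iface, client_cidr, client_gateway):
    """List mismatches between a client's settings and the firewall interface."""
    client = ipaddress.ip_interface(client_cidr)
    gw = ipaddress.ip_address(client_gateway)
    problems = []
    if client.network != fw_iface.network:
        problems.append(
            f"client network {client.network} != firewall network {fw_iface.network}")
    if gw not in client.network:
        problems.append(f"gateway {gw} is off-link for {client.network}")
    if client.ip not in fw_iface.network:
        problems.append(f"{client.ip} is outside {fw_iface.network}")
    return problems


if __name__ == "__main__":
    lan = parse_ifconfig(IFCONFIG)["re2"]
    print(lan.network, lan.network.broadcast_address)
    # Hypothetical client configured with a /24 mask on the /22 LAN.
    for p in check_client(lan, "192.168.3.50/24", "192.168.1.101"):
        print("mismatch:", p)
```
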



  • Steve, thanks for the reply,
    yes, if I change any client to 192.168.3.x/24 the website browsing

    no problem, regardless of subnet if changing the subnet will fix the problem, show me how I can do it
    thanks.

