Problem with Browsing my website

wallabybob · Apr 15, 2013, 11:52 AM

Thanks for the additional information. There is nothing there that I think explains what you are seeing.

Does the web server on the orange network log access attempts? Do the access attempts appear there?

Have you used packet capture on the web server to verify the access attempts arrive there and appropriate response is generated?

stephenw10 · Apr 15, 2013, 1:25 PM

This looks bad:

re2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:53:c7
inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast>

Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

Steve

wallabybob · Apr 15, 2013, 9:24 PM

@stephenw10:

This looks bad:

re2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=389b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic>ether 00:14:d1:1a:53:c7
inet 192.168.1.101 netmask 0xfffffc00 broadcast 192.168.3.255
inet6 fe80::214:d1ff:fe1a:53c7%re2 prefixlen 64 scopeid 0x3
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_ucast,wol_mcast,wol_magic></up,broadcast,running,simplex,multicast>

Why do you say it looks bad? The network has been referred to as 192.168.1.x which suggests it might have been meant to have a netmask of 24 bits rather than 22.

@stephenw10:

Also I see you have removed the 'default LAN to any' rule. Any reason you did that?

Good question, but the posted rule set should allow web access from LAN to 10.0.0.2.

stephenw10 · Apr 16, 2013, 1:08 AM

You're right in both cases. I didn't think through that subnet.
These things together though seem to indicate this box may be quite far from default. Assume nothing! ;)

Steve

wallabybob · Apr 16, 2013, 9:26 AM

@stephenw10:

These things together though seem to indicate this box may be quite far from default. Assume nothing! ;)

Agreed. I have been suspicious of "I didn't change anything" since dealing with someone complaining two program runs with the some data gave different results. How could this be? Some digging around turned up the "insignificant" fact that the data was on punched cards (who remembers them?) and the deck of cards had been dropped on the floor. "same data" sure - but "randomised".

hossam.khalili · Apr 17, 2013, 6:59 AM

thanks for everyone,
but i didn't get the answer for my Question, what should i do now!!

please help.

thanks.

stephenw10 · Apr 17, 2013, 8:30 AM

You could answer the various questions above. ;)

This should work without any special configuration. There are (at least) two reasons why it might not work:
1. The firewall is blocking the connection. This should be allowed by the pfSense by default. It looks like it should work with your existing rules too. However I see you have removed the 'default LAN to any' firewall rule. Why have you done that?

2. There is some routing problem preventing traffic either reaching the server or replies from reaching you. Again this should work by default. We spotted that your LAN appears to be a /22 subnet, is that deliberate or a config error?

Have you changed anything else in the box, like added manual routes or gateways?

Steve

hossam.khalili · Apr 17, 2013, 12:57 PM

thanks Steve for reply,
Actually, "Default LAN to any" is a rule i made it, then i removed it and create what I attached on the last image.

but i agree with the second reason, how can i fix "Routing problem preventing traffic"?, cause if i change my IP to 192.168.3.x/24 i can access the website.

Thanks Again.
:)

stephenw10 · Apr 17, 2013, 1:47 PM

Ah, then I suggest you have a subnet mismatch somewhere.
Do you mean if you change the IP on your client to a static 192.168.3.X/24?

Did you intend to have the /22 subnet on the pfSense LAN interface?

Steve

hossam.khalili · Apr 17, 2013, 7:55 PM

Steve thanks for reply,
yes, if i change any client to 192.168.3.x/24 the website browsing

no problem, regardless of subnet if changing the subnet will fix the problem, show me how can i do it
thanks.