Comcast - One Dynamic IP - Five Servers
-
Hi All,
I lost my free space and block of static ip addresses at a Data Center. Boo hoo. Buy me a beer and I'll tell you about it.
Anyhow, now I have moved the server home, hooked it up to Comcast, and have a confirmed connection. I am not having luck forwarding traffic to my various servers. In fact, I can't get even one to work. I can get to my pfSense firewall from WAN and can get to all of my servers while inside the LAN. I have the DDNS thing down and working.
I have tried to pass all email ports to my email server. I know this is crude but I just want to see it work. I can't get to the email server from WAN but have confirmed that it can see the Internet and that it is accessible over LAN. Any ideas on that one?
Looks like I'll have to get up to speed on a reverse proxy in order to direct traffic to various servers. Will Squid do this for me? Or should I investigate using the Apache package, which looks kind of sketchy due to it being Alpha? Can you point me to a good link that will help me figure this out? I thought I was good with pfSense, but having that block of static IPs made it kind of simple compared to what I am working with now.
Thanks!
JCU -
Are you testing them from outside your network? Or from another box on your LAN trying to hit your public IP? If you want that to work then you need to enable NAT reflection.
So you're going to run your servers off a home connection? Comcast home connections are listed as residential and you're not going to be sending mail to lots of the main players… if that is your plan?
-
Thanks for response.
I am only using email server for personal reasons. Not spamming anybody. Maybe 10 accounts with one hundred transactions per day. I chose my email server as an example.
I have played with squid some. Sort of got things to work.
Looks like the Squid, Apache, and Varnish packages have the ability to do this.
Which would be best for me? All I care to do is make my one IP serve 5 servers behind the firewall.
-
You missed the point being made about having an IP address that belongs to a well defined group comprising residential cable, dialup, and DSL IPs.
One such list is the DUL http://www.sorbs.net/delisting/dul.shtml
Many independent mail server operators and ISP mail servers routinely block such IPs on their mail servers.
If you find your mail being rejected, that is a likely reason. It has nothing to do with the content of the mail being spam.
It has everything to do with having an IP address owned by an ISP that by policy prohibits running servers on their residential connections and has thus had those addresses included in such blacklists.
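The DUL check gderf describes can be scripted. The following is an added example, not code from the thread or from SORBS: it builds the reversed-octet lookup name for a DNSBL zone and interprets the answer. The zone name dul.dnsbl.sorbs.net and the 127.0.0.10 "dynamic" return code are my reading of SORBS's published usage notes and should be verified against sorbs.net before being relied on; the resolver is injectable so the logic can be exercised offline with a constructed answer.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumption: SORBS DUL zone and its "dynamic/residential" return code.
# Check the SORBS documentation before trusting these values.
SORBS_DUL_ZONE = "dul.dnsbl.sorbs.net"
SORBS_DUL_CODE = "127.0.0.10"


def dnsbl_query_name(ip: str, zone: str = SORBS_DUL_ZONE) -> str:
    """Return the DNSBL lookup name for an IPv4 address.

    DNSBLs are queried by reversing the octets and appending the zone, so
    203.0.113.7 becomes 7.113.0.203.dul.dnsbl.sorbs.net.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 DNSBL lookups")
    return ".".join(reversed(ip.split("."))) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: first A record, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dul(ip: str,
              zone: str = SORBS_DUL_ZONE,
              resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, object]:
    """Classify the DNSBL answer for ip.

    - NXDOMAIN (None)         -> not listed
    - 127.0.0.x               -> listed; the last octet says why
    - anything outside 127/8  -> broken lookup (e.g. an ISP resolver that
                                 rewrites NXDOMAIN to a search page), not a listing
    """
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"query": name, "listed": False, "answer": None, "reason": "not listed"}
    if not answer.startswith("127."):
        return {"query": name, "listed": False, "answer": answer,
                "reason": "unexpected answer outside 127/8; resolver may be hijacking NXDOMAIN"}
    reason = "listed as dynamic/residential (DUL)" if answer == SORBS_DUL_CODE \
        else "listed with another return code"
    return {"query": name, "listed": True, "answer": answer, "reason": reason}


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(check_dul(arg))
```

Run it with your WAN address as the argument. A real lookup needs network access; the point of the `resolve` parameter is that the interpretation logic, including the "answer outside 127/8 is not a listing" case, can be tested without one.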
-
Thanks gderf. I will investigate that one.
Remember though, I chose my email server as an example. I can't get my web server to serve up pages either.
Comcast may be my problem eventually but I can't even get a simple request for a web page to work.
Still, I will check with comcast.
-
Spoke with Comcast. There are no restrictions regarding using an email server or any other server or service.
-
My comment wasn't related to your general server connectivity problems. It was solely limited to what can happen to direct MX email leaving an IP address belonging to such a blacklist.
From a connectivity standpoint, in my area, Comcast has blocked all outbound IPv4 traffic to TCP port 25. I do not know if inbound TCP port 25 traffic is blocked or not, but that really doesn't matter much if outbound is blocked. Not a big swinger yet, but IPv6 outbound to TCP port 25 still works. I suspect this is an oversight and will eventually be closed off as well.
For a list of Comcast residential service blocked ports see:
http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/
-
Spoke with Comcast. There are no restrictions regarding using an email server or any other server or service.
If you are on Comcast residential service, then the person you spoke to is completely misinformed. It is their policy to not allow email servers on residential accounts and this has recently become enforced via technical means. You may be able to obtain an exemption, but you have to ask for this.
You can verify if outbound TCP port 25 blocking is in effect for you by telnetting to any MX host on port 25.
Telnetting to one of Comcast's will yield the following or similar banner if blocking is in effect:
554 omta15.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/
Telnetting elsewhere yields a hung connection unless you have IPv6 enabled and the server you are trying to connect to does also.
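The telnet check above, written out as an added example (mine, not from the thread): connect to a mail host on TCP port 25, read the greeting, and classify the three outcomes gderf describes: a silent hang (timeout, consistent with an outbound block), a 554 "Port 25 not allowed" banner from the ISP's own host, or a normal 220 greeting. The banner text is the one quoted in the reply; the address family switch is there so the same probe can be repeated over IPv6, where the reply says port 25 still works.

```python
import socket
from typing import Optional, Tuple

# Banner quoted in the thread, used here as constructed sample input.
ISP_BLOCK_BANNER = ("554 omta15.westchester.pa.mail.comcast.net comcast Port 25 not allowed - "
                    "http://customer.comcast.com/help-and-support/internet/"
                    "email-client-programs-with-xfinity-email/")


def classify_banner(banner: Optional[str]) -> str:
    """Map an SMTP greeting (or its absence) to a short verdict."""
    if banner is None:
        # Nothing came back: the SYN or the greeting was dropped. On a residential
        # line with outbound 25 filtered this is what "telnet just hangs" looks like.
        return "no-banner"
    code = banner[:3]
    if code == "220":
        return "open"
    if code == "554" and "port 25" in banner.lower():
        return "isp-block"          # the ISP's MTA answered and refused by policy
    if code.startswith("5"):
        return "rejected"           # permanent refusal for some other reason
    if code.startswith("4"):
        return "tempfail"
    return "unknown"


def probe_port25(host: str, port: int = 25, timeout: float = 10.0,
                 family: int = socket.AF_INET) -> Tuple[Optional[str], str]:
    """Connect over the given address family and return (banner, verdict).

    family=socket.AF_INET6 repeats the test over IPv6. A timeout or refused
    connection is reported as (None, "no-banner") rather than raised.
    """
    try:
        addrs = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None, "no-banner"
    for fam, stype, proto, _, sockaddr in addrs:
        try:
            with socket.socket(fam, stype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                data = s.recv(512)
        except OSError:
            continue                # try the next address, if any
        banner = data.decode("ascii", errors="replace").strip().splitlines()[0] if data else None
        return banner, classify_banner(banner)
    return None, "no-banner"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx1.comcast.net"  # assumed MX name
    for fam in (socket.AF_INET, socket.AF_INET6):
        print(fam.name, probe_port25(target, family=fam))
```

The default target name is an assumption; substitute any real MX host. The verdict you care about is the pair of results: "no-banner" over IPv4 next to "open" over IPv6 is exactly the situation described in the reply.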
-
Are you on a Comcast home account or a business connection?
Let's forget the email portion for a bit. So you're saying you can not do a simple NAT? It's like 1 click: you create a NAT to the port and IP you want on your LAN. It creates the inbound rule for you.
Are you saying this is not working, or are you trying to base your inbound on host headers, i.e. your public IP, let's call it 1.2.3.4, points to www.domainA.tld and www.domainB.tld also points to 1.2.3.4?
You want the user, if going to www.domainA.tld, to be sent to 192.168.1.101 on port 80, and if going to www.domainB.tld to go to 192.168.1.102?
Or are you saying you can not get http inbound at all? So I go to 1.2.3.4 from outside in my browser and you have a NAT for http to go to 192.168.1.103 and this is not working? How are you testing it, from a box on 192.168.1.x going to 1.2.3.4 or from outside, say 6.7.8.9, going to 1.2.3.4?
I would say verify you can get a simple http forward working first before you play with a reverse proxy setup, which is the only way you're going to be able to make inbound go to different private IPs based upon the FQDN used to access your public IP.
What is pfSense connected to on its WAN? A modem or some gateway device? So your IP on the pfSense WAN is public, not 192.168.x.x or 172.16-31.x.x or 10.x.x.x?
-
Thanks to all. Read your links. Looks like port 25 and 110 will be an issue. I'll deal with that.
I am able to port forward with the NAT to ONE server. But that is not going to work when I use several servers that listen on the same port. That is the crux of my problem.
Looks like a reverse proxy will know how to sort out the traffic and route it based on the header info in the packets.
So, as this is all I need, which would serve my purpose best? Varnish, Squid, Apache, or a different package?
I have one web server that hosts skygizmo.com. I have a second that hosts WhatEver.com. One is at LAN 10.0.0.10. The other is at LAN 10.0.0.11.
What is the best way to get requests to go to the right server when I have only one public ip?
Ignore the email example. I thought it was a simple thing but email is not going to be, maybe. Just focus on how one public IP can be routed to the right server behind my firewall.
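What a reverse proxy does with the "header info" mentioned above is read the HTTP Host header and pick a backend from it. The following is an added illustration, not code from the thread or from the Squid, Apache or Varnish packages (in pfSense you would express the same mapping in that package's configuration): the two domains and the LAN addresses 10.0.0.10 and 10.0.0.11 are the ones named in the post; the www. aliases, port 80 on the backends, and the proxy listening on 0.0.0.0:8080 are my assumptions. The check worth carrying over to whichever package you pick is the last one in `select_backend`: a request with no matching Host header (including one aimed at the bare public IP) gets a 421, not a fall-through to one of the sites.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Optional, Tuple

# Host names from the post -> LAN backends from the post (port 80 assumed).
BACKENDS: Dict[str, Tuple[str, int]] = {
    "skygizmo.com": ("10.0.0.10", 80),
    "www.skygizmo.com": ("10.0.0.10", 80),
    "whatever.com": ("10.0.0.11", 80),
    "www.whatever.com": ("10.0.0.11", 80),
}

# Hop-by-hop headers are per connection and must not be copied through.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade"}


def select_backend(host_header: Optional[str],
                   backends: Dict[str, Tuple[str, int]] = BACKENDS) -> Optional[Tuple[str, int]]:
    """Normalise the client's Host header and return (ip, port) or None.

    Host is attacker-controlled input, so it is lower-cased, stripped of any
    :port suffix and trailing dot, and matched exactly. No default backend:
    a raw IP, an IPv6 literal or an unknown name returns None.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):        # bracketed IPv6 literal, never a virtual host name here
        return None
    host = host.split(":", 1)[0].rstrip(".")
    return backends.get(host)


class HostRoutingProxy(BaseHTTPRequestHandler):
    """Minimal Host-based reverse proxy: one public listener, several LAN servers."""

    def _proxy(self) -> None:
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "No site configured for that Host header")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else None
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        fwd["X-Forwarded-For"] = self.client_address[0]   # let the backend log the real client
        conn = http.client.HTTPConnection(backend[0], backend[1], timeout=30)
        try:
            conn.request(self.command, self.path, body=body, headers=fwd)
            resp = conn.getresponse()
            payload = resp.read()
        except OSError:
            self.send_error(502, "Backend unreachable")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _proxy


if __name__ == "__main__":
    # Assumed listener; a pfSense NAT rule would forward public port 80 here.
    ThreadingHTTPServer(("0.0.0.0", 8080), HostRoutingProxy).serve_forever()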
-
I have switched to Comcast business and obtained 5 static ips.
Thanks to all for help. I'll ask here first what Comcast policies are before I ask Comcast!!!!!
Thanks again to all for putting up with my ignorance. pfSense is awesome and so is this forum.
JCU
-
If you have Comcast Business Class Service there is no restriction on running servers and port 25 is not blocked. There are still some closed ports though:
http://businesshelp.comcast.com/help-and-support/internet/ports-blocked-by-business-class-internet/
-
Thanks. I'll check out the link.