Virtual IP 1:1 setup stopped routing https traffic ["Solved"]



  • Maybe someone can help shed some light on a problem I'm having…

    I have 3 static IPs from our ISP, with the modem in bridged mode.

    The router is configured with "x.x.x.131" as its WAN IP.  I've added 2 virtual IPs of type "IP Alias" to the WAN interface, with IPs "x.x.x.132", "x.x.x.133".

    I have them both configured with 1:1 NAT to internal web server IP addresses.

    Firewall rules are in place to allow HTTPS traffic from : to the internal IP addresses of the web servers.

    This was all working for the last month or more without any problems.

    As of last night, remote access of the web services has completely gone away.  I've checked all the logs I can find, nobody logged into the router, no changes were made, no power was cycled, etc.

    I've rebooted the router, and I've looked a bit at firewall logs, but I'm at a loss as to what could be causing the lack of connectivity to the outside world.

    I can ping each of the external IPs without any problem.  Interestingly, I can access the https service on the "Real" IP from the LAN, but true external users cannot.  Maybe this is a clue to what is wrong, but I'm not making the connection. :(

    Can someone kindly help me troubleshoot this issue?

    (1:1 and Rules Attached, pfSense Version 2.1-RELEASE (amd64) )

    Thanks.
    ![2014-03-12 10_41_44- Firewall_ NAT_ 1_1.png](/public/imported_attachments/1/2014-03-12 10_41_44- Firewall_ NAT_ 1_1.png)
    ![2014-03-12 10_42_11- Firewall_ Rules.png](/public/imported_attachments/1/2014-03-12 10_42_11- Firewall_ Rules.png)
    ![2014-03-12 10_51_03-- Firewall_ Virtual IP Addresses.png](/public/imported_attachments/1/2014-03-12 10_51_03-- Firewall_ Virtual IP Addresses.png)



  • Unless you have port forward rules, which are not listed, 192.168.1.102 should not be externally visible.
    As far as the other 2, please check the default gateway on the webservers to make sure they are pointing to your pfSense machine.



  • Thanks for the suggestions.  I accidentally left the NAT port forward rules off the screenshots, but here is the one that handles the web server behind the non-virtual IP.

    My understanding is that on the non-virtual IP, I can get away with a standard port forward as done in the screenshot attached on this post.

    The other two private 1:1 NAT entries act as a "DMZ" host of sorts, forwarding every port on the VIP to the private IP in the 1:1 configuration.  Then, it is up to the firewall to block off everything except the ports that I want to be forwarded.

    Did I miss anything?  This was working, then just crapped out :(

    If I don't have any other things I can try easily, I may restore from backup during off-hours and re-config back to this point, or just start fresh in general.  I had squid set up as reverse proxy before this, but the service is stopped.  Ahh, just checked, it is back!  Maybe that has something to do with it, but I stopped it earlier and it did not help.  I'll uninstall that.

    ![2014-03-12 13_00_16 - Firewall_ NAT_ Port Forward.png](/public/imported_attachments/1/2014-03-12 13_00_16 - Firewall_ NAT_ Port Forward.png)



  • Removing squid did not help, I was worried it was binding to 443, but no.

    The web server's gateway is 192.168.1.1, and can ping out to internet and such, and works great on local ip over LAN, so I can't imagine it is to blame…

    Checking the web server helped though.  Apparently it rebooted at 6AM for Windows updates.  POS.  I imagine I've just been barking up the wrong tree.

    Something must be going on where it is refusing web source traffic or something, though I haven't a clue what it could be.

    I apologize for leaving out the part that the 3 web servers are actually 3 Windows virtual IPs on a single box, with 3 apache instances.  I left that out because I did not want to overcomplicate the system description, but it seems maybe that was relevant in understanding that the web server is a single point of failure.

    Anyway, thanks for the help.  I'll mark this solved for now and update what happened once I get it figured out.



  • Well, back to confused all over again.

    I've pointed one of the VIPs to a barren apache instance on another machine that is serving on port 80.  I'm getting nothing :(

    Doing a "Port Test" from pfSense to my LAN server from LAN source works, but WAN source does not.  This implies firewall to me, not NAT, correct?  The thing is, my rules look just like they always did.

    Any other ideas welcome.  Thanks.



  • Well, hell.  Now it is working, and I have no idea what actually changed to make it work.  My metric for determining if it was fixed is flawed, for some reason I still get nothing from inside the LAN when using 4.2.2.2 DNS, but that is okay, it is working for external users.  Hopefully this was a one time deal, but problems that have no known solution always come back.



  • If you are thinking you can test it from within the LAN network, there is your flaw. For the most part this doesn't work without NAT reflection. Generally, this is used for port forwards and not 1:1. I used split DNS so that LAN users get the internal IP and external users get the external IP.
    This gets around the NAT reflection and to me is much faster since I am shaping traffic that goes through the firewall.
    If it's working for external, great. If you want a little more testing from outside, PM me and I can open up the sites behind and let you know if it's working.
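
The reply above says a test from inside the LAN does not show what external users see. The following is an added example, not part of the thread, that classifies each test by the path it takes and counts only WAN-side tests toward the verdict. The function names are hypothetical, 203.0.113.131-133 stand in for the masked x.x.x.131-133, and a /24 LAN is assumed from the 192.168.1.x addresses mentioned.

```python
import ipaddress

# Constructed stand-ins: the thread masks the public addresses as x.x.x.131-133,
# so the documentation range 203.0.113.0/24 is used. The /24 LAN is an assumption.
WAN_ADDRS = {ipaddress.ip_address(f"203.0.113.{n}") for n in (131, 132, 133)}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def classify_test(client_ip, resolved_ip, wan_addrs=WAN_ADDRS, lan_net=LAN_NET):
    """Return (path, representative): which path a test connection takes and
    whether its result says anything about what external users see."""
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(resolved_ip)
    inside = client in lan_net

    if inside and target in lan_net:
        # Split DNS answer: traffic stays on the LAN and never touches NAT.
        return ("lan-direct", False)
    if inside and target in wan_addrs:
        # LAN client aimed at the firewall's own public address: the packet
        # has to hairpin, which only works with NAT reflection enabled.
        return ("hairpin-needs-nat-reflection", False)
    if not inside and target in wan_addrs:
        # Arrives on WAN like a real visitor: exercises 1:1 NAT and WAN rules.
        return ("external", True)
    return ("unrelated-target", False)


def summarize(tests):
    """tests: iterable of (client_ip, resolved_ip, connected).
    Returns True/False for external reachability using only representative
    tests, or None when no test came from outside."""
    verdict = None
    for client_ip, resolved_ip, connected in tests:
        _, representative = classify_test(client_ip, resolved_ip)
        if representative:
            verdict = connected if verdict is None else (verdict and connected)
    return verdict
```

A result of `None` means every recorded test came from the LAN side, so nothing has been learned yet about WAN reachability.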



  • Thanks for the offer of testing, I had some friends on gchat testing throughout the day.  I may have nailed it with the squid problem, for some reason the service kept starting, even though the service watchdog was off, and the reverse-proxy was disabled.  Maybe not, but I'll leave it until it breaks again.  At least we only have 1 or 2 people off site that use these services, and VPN did not go down so they just had to connect.

    Thanks again for the help.



  • I may have nailed it with the squid problem, for some reason the service kept starting, even though the service watchdog was off, and the reverse-proxy was disabled.

    For the benefit of other readers, the squid package includes a separate process "sqpmon" (SQuid Process MONitor) that checks if squid is running or not, and starts it if it has died. https://github.com/pfsense/pfsense-packages/blob/master/config/squid/sqpmon.sh
    If you want to manually stop squid for a while, you need to kill sqpmon also, otherwise squid will come back.



  • Thanks phil, I was not aware of that.

    I am thinking squid was not the problem anyway, as I had the reverse proxy turned off, and I don't think the web cache part of squid binds to an http port, but I could be wrong on that.

    My web services are still up, I don't have a clue what happened.

