Port 80 open but can't connect.
  • I have a web server that is in a DMZ. I'm trying to allow connections to it through my public IP, but I am not able to connect to it from outside my network (I have reflection enabled for it, so I can connect to it locally just fine). Port 80 is open, but for some reason once it reaches my firewall nothing works at all; as far as I can tell I have the port forward and rules set up correctly.

    I also have the firewall on the server set to allow everything.

    Here is the result of doing sudo iptables -L on the server:

    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    

    How I want it set up right now is that whenever the WAN receives a request on port 80 it should send that request to the internal IP address of the web server in the DMZ. The DMZ should also not be able to access the local networks (LAN and WAP), but they should have access to the DMZ.

    I have 4 interfaces, WAN, LAN, WAP, and DMZ.

    Here are my configurations for the port forward as well as rules for both the WAN and DMZ.

    WAN
    It is set to block private and bogon networks.

    | Action | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|---|
    | Pass | | IPv4 TCP | * | * | ubuntu_server | 80 (HTTP) | * | none | | NAT WAN to DMZ GitLab |

    DMZ

    | Action | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|---|
    | Pass | | IPv4 * | DMZ net | * | ! LAN net | * | * | none | | DMZ to internet and block to LAN |
    | Block | | IPv4 * | * | * | * | * | * | none | | Block all |

    Port Forward
    It is set to create a rule automatically; that is the only rule I have for WAN aside from the block private and bogon networks.

    | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
    |---|---|---|---|---|---|---|---|---|
    | WAN | TCP | * | * | WAN address | 80 (HTTP) | ubuntu_server | 80 (HTTP) | WAN to DMZ GitLab |

    Here is a traceroute from centralops.net:

    
    hop rtt rtt rtt     ip address          fully qualified domain name
    1   147 0   31      208.101.16.73       208.101.16.73-static.reverse.softlayer.com
    2   0   0   0       66.228.118.153      ae11.dar01.sr01.dal01.networklayer.com
    3   0   0   0       173.192.18.210      ae6.bbr01.eq01.dal03.networklayer.com
    4   0   3   4       75.149.228.33       be-101-pe01.1950stemmons.tx.ibone.comcast.net
    5   3   3   3       68.86.88.197        pos-3-0-0-0-cr01.dallas.tx.ibone.comcast.net
    6   15  16  15      68.86.85.45         he-2-3-0-0-cr01.sacramento.ca.ibone.comcast.net
    7   29  27  27      68.86.90.238        pos-0-10-0-0-ar01.sfsutro.ca.sfba.comcast.net
    8   27  27  27      162.151.39.198
    9   27  27  27      ***.***.***.***     te-6-0-acr03.***.***.***.comcast.net
    10  *   *   *
    11  *   *   *
    12  *   *   *
    13  *   *   *
    
    Trace aborted
    
    

  • LAYER 8 Global Moderator

    Are you behind a NAT? Does your ISP block port 80?

    So the pfSense WAN IP is public? Not a private one behind a router? Does the traffic get to you? Do a simple packet capture: go to canyouseeme.org and see whether pfSense sees the traffic. Example:

    23:46:34.157124 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
    23:46:35.153073 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
    23:46:37.157118 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0
    23:46:41.161097 IP 107.20.89.142.55221 > 24.13.xx.xx.80: tcp 0



  • My ISP does not block port 80; I had a web server working perfectly fine a while ago with a Linksys router on the same ISP. And canyouseeme.org does say my ISP is not blocking port 80.

    pfSense is the only router I use, aside from a Linksys router to provide wireless (it does nothing else), and that is on the WAP interface.

    So traffic should just go from the ISP->modem->pfsense->LAN.

    Here's the packet capture from canyouseeme.org:

    
    23:36:41.988486 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
    23:36:42.059252 IP 107.20.89.142.80      > ***.***.***.***.24483: tcp 0
    23:36:42.060781 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
    23:36:42.064901 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 576
    23:36:42.138619 IP 107.20.89.142.42037   > ***.***.***.***.80: tcp 0
    23:36:42.138778 IP ***.***.***.***.80    > 107.20.89.142.42037: tcp 0
    23:36:42.139359 IP 107.20.89.142.80      > ***.***.***.***.24483: tcp 0
    23:36:42.208579 IP 107.20.89.142.42037   > ***.***.***.***.80: tcp 0
    23:36:42.208659 IP 107.20.89.142.42037   > ***.***.***.***.80: tcp 0
    23:36:42.208791 IP ***.***.***.***.80    > 107.20.89.142.42037: tcp 0
    23:36:42.210440 IP 107.20.89.142.80      > ***.***.***.***.24483: tcp 1460
    23:36:42.210554 IP 107.20.89.142.80      > ***.***.***.***.24483: tcp 1193
    23:36:42.210563 IP 107.20.89.142.80      > ***.***.***.***.24483: tcp 0
    23:36:42.212446 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
    23:36:42.215945 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
    23:36:42.216814 IP ***.***.***.***.24483 > 107.20.89.142.80: tcp 0
    23:36:42.277628 IP 107.20.89.142.42037   > ***.***.***.***.80: tcp 0
    
    

  • LAYER 8 Global Moderator

    Well, now sniff on the LAN side. Do you see the traffic?

    Port forwarding is really click, done - that is all there is to it.. If it's not working you need to figure out where it is not working.. If you see the packets leave the LAN for your webserver.. Do you see an answer?

    You're using an alias to resolve your server - maybe that did not resolve correctly? I never understand why not just use the freaking IP so you're sure.. Aliases are good for when you have multiple items, a listing, etc.  But for sending to your server?  So sniff - do you see the traffic?  If not, change from the alias to the actual IP of your webserver.

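The "sniff on the LAN side and see whether you get an answer" step above can be automated over a saved capture. This is an added example, not code from the thread or from pfSense: it parses tcpdump lines in the format quoted in the thread and reports client flows toward port 80 that were never answered by the server (the retransmitted-SYN pattern in the moderator's capture). The addresses in the sample capture are constructed documentation addresses.

```python
import re

# Matches the packet-capture lines quoted in the thread, e.g.
#   23:36:42.138619 IP 107.20.89.142.42037 > ***.***.***.***.80: tcp 0
# Address tokens may contain masked octets ("***"), so they are matched loosely.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/len, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "len"):
        d[key] = int(d[key])
    return d


def unanswered_flows(lines, service_port=80):
    """Map (client_ip, client_port) -> number of packets sent toward service_port
    for flows that never saw a packet back from service_port.

    On a capture of the inside interface, a non-empty result means the forwarded
    packets reached the server segment but nothing came back (server-side
    firewall, wrong NAT IP, or the server cannot route its replies)."""
    attempts = {}
    answered = set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dport"] == service_port:
            key = (p["src"], p["sport"])
            attempts[key] = attempts.get(key, 0) + 1
        elif p["sport"] == service_port:
            answered.add((p["dst"], p["dport"]))
    return {k: n for k, n in attempts.items() if k not in answered}


# Constructed sample capture: one answered handshake, one flow retrying a SYN
# three times with no reply (the same shape as the capture quoted above).
SAMPLE_CAPTURE = """\
23:36:42.138619 IP 198.51.100.7.40001 > 203.0.113.5.80: tcp 0
23:36:42.138778 IP 203.0.113.5.80 > 198.51.100.7.40001: tcp 0
23:36:42.208579 IP 198.51.100.7.40001 > 203.0.113.5.80: tcp 0
23:46:34.157124 IP 198.51.100.9.40002 > 203.0.113.5.80: tcp 0
23:46:35.153073 IP 198.51.100.9.40002 > 203.0.113.5.80: tcp 0
23:46:37.157118 IP 198.51.100.9.40002 > 203.0.113.5.80: tcp 0
"""

if __name__ == "__main__":
    for (ip, port), n in unanswered_flows(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{ip}:{port} sent {n} packets to port 80 and got no reply")
```

Feed it the text output of the pfSense packet capture page or `tcpdump -n` on the DMZ interface; if every flow is answered there, the problem is upstream of the forward, not on the server.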


  • Well, everything is working now. Not sure what was going on; it was probably just my noobiness haha.

    The alias was just to help me remember what that IP is going to.

    Thanks for the help johnpoz.
