CentOS cant' get out, everything else can
Not sure if this is a routing issue or a firewall issue, or maybe a problem with the ifcfg-file of the CentOS machine. Here is the situation. I just got a 600Mb fiber connection from my ISP into the office. We had been using a Peplink Multi Wan router but the max throughput on the WAN was 100Mb and so it was suggested we use an extra PC with GB NIC and pfSense.
I got it setup yesterday with the latest version, and after some issues setting up port forwarding (turns out I was accepting traffic on an IP that was part of a different gateway than the regular one which confused it). Everything seems to be working except for my office dev server can't get out of the office.
I can SSH in, it can see every other device on the local network, but can't ping 184.108.40.206 from the CentOS machine. It has 2 1Gb NICs bonded to
bond0In the router I have a rule setup to forward all external traffic from all IP's on the WAN device to this IP. It also has a NAT 1:1 secondary IP setup to forward to IP 192.168.1.25.
Here is my ifcfg-bond0:0 file
DEVICE=bond0:0 TYPE=bond BOOTPROTO=static ONBOOT=yes IPADDR=192.168.1.25 NETWORK=192.168.1.0 NETMASK=255.255.255.0 BROADCAST=192.168.1.255 GATEWAY=192.168.1.1 USERCTL=no DEFROUTE=yes NM_CONTROLLED=no IPV6INIT=no DNS1=220.127.116.11 PEERDNS=yes
I tried setting up ifcfg-bond0:1 to try using another IP that wasn't part of the NAT rules, tried configuring different gateways and netmasks and even tried setting it up for one of our extra external IP addresses. I wasn't sure if that could get through the pfSense firewall - doesn't look like it. There is probably a way to set that up but I only have 24 hours using the service so maybe later I can set that up.
Under my LAN config page, I have
IPv4 Upstream Gatewayset to none, which works fine for all the Windows / OSX machines on the network.
Any tips would be appreciated.
What makes you think it is a CentOS problem? The server was working fine before I swapped routers. I am not saying you are wrong, but I am wondering why you think that is where I should start instead of here?
CentOS is a fairly major release used for many many many servers sitting behind pfsense.
I'm pretty sure if it were a problem with pfsense discriminating against centos there would be alot of loud crying from lots of people.
Can you post screen shots of your firewall rules and the other firewall configurations you made?
If you have only one static public IP address, you don't need 1:1 NAT. Simple port forwarding should do the trick, no need to tweak outbound NAT rules. However, screen shots go a long way.
I wasn't thinking it was being singled out, I was providing OS info since there are more things that are possible to configure in linux than Windows, there is more opportunity for configuration error in the CentOS config, but more importantly the reason I am asking here is because I don't know if setting up the NAT 1:1, port forwarding and so on to this server has affected it's ability to exit the network.
I didn't know if I need to setup specific rules now to allow this server out now that it is setup to accept incoming traffic, which could be setup by default as a security measure for reasons I am not familiar with at this time.
I have 5 public IP addresses to forward to several internal servers, and to allow the same server to host multiple services with conflicting ports.
The x.x.5.242 is outside of your x.x.5.227/29 range. Is this the correct range that you defined in the WAN interface?
In your NAT/Firewall rules choose one external IP address and map a single port, l Ike 80, to. Your centos server. Then you can see if port 80 is coming into the server from the firewall. You have a ton of ports open that don't need to be open. More open ports = more open attack vectors. Something to consider.
I usually start simple. Clear everything out or factory reset. Open port 80 from the NAT and use WAN address as the destination and let it create a FW rule automatically for you. See if that works. That should be your baseline. Then create one virtual IP. Create a NAT using the virtual IP address as the destination for port 80 again. See if that works. The rules that are created should serve as a template for each additional port you need to open and each virtual ip you create.
Also. Erich that you've got your WAN interface configured properly.
I just got the new IPs on Monday and so the XX.242 address was what I had been using in my DNS settings for the domains coming here. I switched all the domains to point to the XX.227 address today and should be able to abandon that setting soon - if not now.
The port forwarding is working properly, I can access the server from my cell phone on 4G, I just can't get out. I can reset the router to factory default this evening after all the employees leave if I can't get it working before that.
Well, that's half the battle. Backup your settings before you reset so you don't have to reprogram everything if you don't have to.
If you go with a factory reset and configure your LAN/WAN for basic connectivity and every other device except the centos box can get out, then you have an issue on your centos box, imho. Check with a trace route and the firewall logs to see where traffic is getting stuck between the centos box and pfsense. If you have a smart switch, even better.
Best of luck, hope it's a simple resolution.
I made a little progress. I switched the machine from a static IP to DHCP and it worked. I rebooted to clear out any old info, set it back to static and it still cant' get out. Is there anything on the pfSense that handles the traffic differently if it is set statically? The DHCP address was 192.168.1.156 so I know there wasn't any firewall / forwarding rules being applied.
Shouldn't be. There might be some voodoo in the CentOS box that is wonky.
Possibly a subnet/DNS/anything else related issue with the network settings on that box. Any luck with a trace route or weird stuff not he pfSense FW logs?
I cheated to fix this, sorry guys. I just plugged the 2nd ethernet port into the switch and set it to DHCP.
I know this isn't a Centos forum, but have you checked to see if your SELinux settings might be getting in the way? The file is located here: /etc/sysconfig/selinux. If the SELINUXTYPE is set to 'enforcing', try changing this to 'permissive' or 'disabled' if you're feeling confident. SELinux has tripped me up many a time when trying to make system changes.
Yeah - Often using DHCP and just telling pfsense to allocate a certain IP to a certain MAC is easiest.
Its pretty easy to screw up static IP with centos.