Web Server not allowing external visitors

2003-06-24 Thread Gav....
Hi,

Subject says it all really, what good is a website if only I can view it?

Ok, brief history of problem and setup details, I'm sure I'll leave
something out you need.

I had 3 computers all running MS and Apache2 Web Server was on the main one
connecting to the net via ADSL and using dyndns.org client to update the
dynamic IP address. No probs.

I then decided to change my setup and add a FreeBSD Router/Firewall .and. a
separate (NT) Web Server.
I installed my dns update client onto the new web server, enabled NATd (am
connected via PPPoA/E), enabled port_forward tcp rules on port 80 to point
to this Web Server machine. I also tried IPFW rules etc etc and could not
get the outside world to connect. I thought I would instead put the Web
Server (until I know better) onto the FreeBSD router machine.

Still no go. All my internal machines can, by typing in the registered
domain names, access the web server ok; the Apache Test page comes up ok. So
by typing in www:mysite:com I get the sites ok. This I don't really
understand. Surely my other computers must be going to the external www,
getting the domain name resolved, getting the dynamic IP address allocated
to me, and then coming back to my FreeBSD router where it gets served the
web site. So why can't anyone else now access it??

I'd love to give you a url to test it but this is a public forum and my
router is still not very secure at the moment, however I do have trusted
people testing it for me regularly.

Now, settings I think of relevance (having tried all sorts of setups using
different techniques, I may have mixed up some settings and probably have a
cocktail of settings) are (syntax copied exactly) :-

in /etc/rc.conf.

ppp_nat=YES
defaultrouter=NO
firewall_enable=YES
firewall_type=OPEN  //  (Yes I know but whilst testing!)
natd_enable=YES
natd_interface=tun0
natd_flags=-f /etc/natd.conf
#hostname=mydomain  // I left this commented out for now ?

There are other settings in this file of course but felt only the above
relevant to this post.

in /etc/natd.conf.

interface tun0
dynamic yes

in /etc/resolv.conf

domain mydomain.com
nameserver 11.2.333.44
nameserver 11.2.333.55

//above values changed!

in /etc/rc.firewall

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via tun0
/sbin/ipfw add divert natd tcp from 192.168.0.2 80 to any
/sbin/ipfw add divert natd tcp from any to 192.168.0.2 80
/sbin/ipfw add divert natd tcp from any to 192.168.2.1 80
/sbin/ipfw add divert natd tcp from 192.168.2.1 80 to any
/sbin/ipfw add pass all from any to any
// temporary measure again.

// 192.168.0.2 is on ed0 card going to internal network
//192.168.2.1 is on ed2 card going to another network (eventually web server
proper)

At this point I'd like to mention something in my ifconfig readout.

Now, ed0 ed2 lp0 ppp0 seem to me to be fine (and must be if internal network
can browse internet etc)

tun0, although above suggests it is working fine, gives me an unusual
alias address :-

tun0: flags=8051(UP,POINTTOPOINT,RUNNING,MULTICAST mtu 1500
inet 14x1xx.xxx.xxx -- 172.31.22.152 netmask 0xff00.

Ok, I've masked my ISP assigned IP address for now as it is semi-permanent,
but why has it aliased with a Class C
internal IP address, when all my network is Class B 192.x.x.x addresses,
can this be the cause of why external visitors can not access my sites???

What other information do you need???

Thanks in advance, speedy help is appreciated as a family member has
trusted me to host his personal website and he can't get on it :(

Gav...


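Added example (not part of the original post or of any reply in this thread): a POSIX sh check over rc.conf settings like those listed above. It flags ppp_nat and natd_enable both set to YES (the two NAT layers the reply below points out), gateway_enable not set, and firewall_type=OPEN. The function names and finding labels are made up for this example, and the sample input is constructed from the values in the post.

```sh
#!/bin/sh
# Added example; function names and finding labels are hypothetical.

# Print the last uncommented value of KEY in FILE, with quotes stripped.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a space-separated list of findings for the given file.
audit_rc_conf() {
    f=$1
    findings=""
    # ppp's built-in NAT and natd both enabled: two NAT layers at once.
    if is_yes "$(rc_get "$f" ppp_nat)" && is_yes "$(rc_get "$f" natd_enable)"; then
        findings="$findings DOUBLE_NAT"
    fi
    # gateway_enable=YES turns on IP forwarding for the LAN.
    is_yes "$(rc_get "$f" gateway_enable)" || findings="$findings NO_FORWARDING"
    # firewall_type=OPEN passes everything; tolerable only while testing.
    if is_yes "$(rc_get "$f" firewall_enable)"; then
        case "$(rc_get "$f" firewall_type)" in
            [Oo][Pp][Ee][Nn]) findings="$findings FIREWALL_OPEN" ;;
        esac
    fi
    echo "${findings# }"
}

# Sample input constructed from the rc.conf lines quoted in the post.
sample_rc_conf() {
    cat <<'EOF'
ppp_nat=YES
defaultrouter=NO
firewall_enable=YES
firewall_type=OPEN  # left open while testing
natd_enable=YES
natd_interface=tun0
EOF
}

tmp=$(mktemp) && sample_rc_conf > "$tmp" && audit_rc_conf "$tmp"
rm -f "$tmp"
```

Run against the real file with `audit_rc_conf /etc/rc.conf`; an empty line means none of the three conditions was found.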


Re: Web Server not allowing external visitors

2003-06-26 Thread Gav...

| First of all you have two different nats running. The ppp_nat=YES
| option says use nat function of pppd  and natd_enable=YES says to
| use NATD function of firewall. So you have nated your private lan ip
| address 2 times which is a user config error. You need option
| gateway_enable=YES to pass packets to lan.  I would comment out to
| disable the firewall options until you have things working and then
| add firewall. Too many things happening and you do not know who is at
| fault so limit testing to one thing at time. With apache server on
| gateway box you do not need port 80 forwarding.
|
|
| in /etc/rc.conf.
|
| ppp_nat=YES
| gateway_enable=YES
| defaultrouter=NO
|
| #firewall_enable=YES
| #firewall_type=OPEN  //  (Yes I know but whilst testing!)
| #natd_enable=YES
| #natd_interface=tun0
| #natd_flags=-f /etc/natd.conf
|
|

Ok, I did all this and lost all access to the internet from the other LAN
computers - even with firewall disabled, ipfw is not letting anything
through.
It seems maybe that ppp_nat is not working or not fully configured. What are
all the files and options I need
to change for this to work properly?

When I boot the computer, the ADSL Modem automatically dials my ISP and
connects fine, but then to gain access to the internet properly I have to do
this:

killall natd
killall ppp
ppp -background adsl
natd -dynamic -n tun0

I can then access the internet fine - without the natd line I can not
access the internet, I tried without this line.

So maybe a bit more firewall and natd config is required, I don't know?

As the Web Server at the moment then is on my FreeBSD machine I do not need
any kind of port forwarding, but maybe I still need more IPFW rules?

At the moment one tester has reported that he is getting the following:-

 'Gateway Timeout ' error
A gateway timeout error has occured.The Server is unreachable, please retry
the request.
(GATEWAY_TIMEOUT)
Please contact the Administrator.

Any ideas, thanks for all the help so far.

Gav...
