> -----Original Message-----
> OK, the latest steps, I also called Comcast and asked to clear the
> ARP entries/table and they were confused, but Level 2 techs knew and
> they said call them if I need it done again.
> 1. I changed the VIP to a .29 (like my public IP's)
Just checking: do you mean /29 (subnet mask), or .29 (IP address)?

> 2. I plugged the NIC in the server that is answering on .27.
> 3. I rebooted my cable modem, letting it sit for 60 seconds before
> reconnecting power.
> 4. I rebooted the pfSense Box
> 5. I rebooted the server that hosts what I want to access, only
> plugging in the second NIC that has the IP 192.168.1.27.
> 6. waited for everything to come up.
> 7. If now I try to hit 6colors.net from the LAN (which is where this
> server is too) I get forwarded to an https://6colors.net:<port>
> saying that there is a potential DNS Rebind attack.

This tells me there's something wrong with your VIP configuration or your forwarding rules, because that's the pfSense admin interface answering.

> 8. if I try and hit from a machine that is not on the LAN I get an
> "unable to connect" in a browser.
>
> 9. I do notice that when I set the NIC in the server to DHCP it gets
> an ip of 192.168.1.101, Subnet: 255.255.255.0, Gateway/Broadcast:
> 192.168.1.255 and I can SSH in using the .101 IP, the site comes up
> when using .101 in a browser too from my laptop that is on the same
> LAN.

That's fine - that just means the DHCP server is functioning. If you don't want DHCP, disable the service. I generally recommend leaving it enabled and creating a static reservation for your server so that it keeps working even if you accidentally set it to DHCP one day.

> but when I manually assign an ip of 192.168.1.27 (to match my public
> IP's) subnet of: 255.255.255.248 and a Broadcast of: 192.168.1.31
> (which seems automatic) I cannot SSH into .27 or web, nada. Yes I am
> restarting networking, ssh and apache to be sure.

This obviously isn't the only issue, but the subnet mask must match the network you're plugged into; if your LAN uses a subnet mask of /24 (255.255.255.0) then every device on it, including the server, must use that same subnet mask. [To the other pedants here: yes, I know this is an overgeneralization.]
> when I manually assign an ip of 192.168.1.27 (to match my public
> IP's) subnet of: 255.255.255.0 (like I get when I use DHCP) there is
> a Broadcast of: 192.168.1.31 and do an ifconfig I see the subnet
> mask of 255.255.255.248 still regardless and I cannot SSH in or web,
> etc.

Assigning that subnet mask was the correct step, but your (presumably UNIX or UNIX-like) server hasn't forgotten the bcast address. What flavour of which OS are you running on that server? If I don't know how to change it persistently, someone else here will know. That will continue to be a major problem for you, BTW, because with that subnet mask,

> Still nothing working.

So we see. Something fairly fundamental is wrong with your setup, so fundamental that it's not obvious to anyone here.

So... let me recap. I'm going from memory of your previous emails, so I may have some details wrong.

You have an internet connection with 5 IPs assigned to you: 75.149.56.{27..31}.

You have a pfSense router. Its WAN interface is set to 75.149.56.27. (If so this may be part of the problem: 6colors.net resolves to .27, are you sure you want the pfSense box *itself* responding on that IP address? This can be done, but I don't think this is what you're trying to accomplish.)

So, let's assume you set pfSense's WAN interface to 75.149.56.28 - it can be any of your assigned IPs, doesn't matter which.

You would then create Virtual IPs for the other five public IPs:
On those VIPs: type=CARP, i/f=WAN, IP=75.149.56.{27,29,30,31}/[match the WAN mask], Password=irrelevant, VHID=irrelevant, Freq=irrelevant. (Note: those are NOT irrelevant if you set up redundant firewalls!)

Then in Firewall->Nat->1:1, you would create one entry per VIP. (Technically you could do one entry for the range, but I don't recommend it for clarity's sake.)
On those NAT rules: Interface=WAN, External=75.149.56.{27,29,30,31}, Internal=192.168.1.{27,29,30,31}, Destination=any, NAT reflection=enable.
Then in Firewall->Rules->[either Floating or WAN], add the necessary rules to permit inbound connections:
On those FW rules: Action=pass, Intf=WAN, Proto=any, Src=any, Dst=192.168.1.{27,29,30,31}

...and you should be done.

Compared to my bare-bones explanation, what are you doing differently? (Aside from my possibly not remembering your range of assigned IPs correctly, that is. You mention a subnet mask of 255.255.255.248, which would actually allow IPs of .25 through .30. Oh well, you can do a mental search-and-replace on my comments above.)

My best guess is that you created a VIP of type ifAlias, and you don't have the correct 1:1 NAT entry. Or the correct port-forwarding entries, which should also work. Or you're trying to overload pfSense's main WAN IP address and don't have the port-forwarding done right. If this is what you're trying to do, deliberately, let us know - there are some additional gotchas in this scenario.

-Adam Thompson
[email protected]
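An added example, not part of the thread and not pfSense's own code: a small Python script (standard-library `ipaddress` only) that works through the things Adam checks by hand above. It shows why a server set to 192.168.1.27 with mask 255.255.255.248 on a /24 LAN is reachable as .101 under DHCP but not as .27 (each side judges "on-link" by its own mask, so the answer is asymmetric; the /29 host also computes a different broadcast and has no route to the gateway), which host addresses 255.255.255.248 actually allows (.25 through .30, as Adam corrects), and a 1:1 NAT plan in the thread's scheme of keeping the last octet. The addresses, the assumed WAN IP of 75.149.56.28 and the LAN 192.168.1.0/24 come from the thread; the gateway 192.168.1.1 and all function names are my assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple


def usable_hosts(cidr: str) -> List[str]:
    """Host addresses of the subnet containing `cidr`.

    '75.149.56.27/29' lives in 75.149.56.24/29, whose usable hosts are
    .25 through .30; .24 is the network address and .31 the broadcast.
    """
    net = ipaddress.ip_interface(cidr).network
    return [str(h) for h in net.hosts()]


def on_link(iface_a: str, iface_b: str) -> Tuple[bool, bool]:
    """(a_sees_b, b_sees_a): whether each host, judging by its OWN mask,
    considers the other directly reachable without a gateway.

    A mask mismatch gives an asymmetric answer: the /24 laptop ARPs for
    the server, but the /29 server thinks the laptop is off-link.
    """
    a = ipaddress.ip_interface(iface_a)
    b = ipaddress.ip_interface(iface_b)
    return (b.ip in a.network, a.ip in b.network)


def diagnose_host(iface: str, lan: str, gateway: str) -> List[str]:
    """Problems a host configured as `iface` will have on a LAN that is
    really `lan` with default gateway `gateway`. Empty list means OK."""
    host = ipaddress.ip_interface(iface)
    lan_net = ipaddress.ip_network(lan)
    gw = ipaddress.ip_address(gateway)
    problems: List[str] = []
    if host.network.prefixlen != lan_net.prefixlen:
        problems.append(
            f"mask mismatch: host uses /{host.network.prefixlen} "
            f"({host.netmask}), LAN is /{lan_net.prefixlen} ({lan_net.netmask})"
        )
    if host.network.broadcast_address != lan_net.broadcast_address:
        problems.append(
            f"broadcast mismatch: host computes {host.network.broadcast_address}, "
            f"LAN uses {lan_net.broadcast_address}"
        )
    if gw not in host.network:
        problems.append(
            f"gateway {gw} is outside the host's subnet {host.network}; "
            "the host cannot install a default route"
        )
    return problems


def one_to_one_nat_plan(public_block: str, wan_ip: str, lan_block: str) -> Dict[str, str]:
    """Map every public host except the WAN address to the internal
    address with the same last octet (75.149.56.x -> 192.168.1.x), the
    scheme used in the thread. Each external address still needs its
    VIP on WAN and a pass rule whose destination is the internal address."""
    pub = ipaddress.ip_network(public_block)
    lan = ipaddress.ip_network(lan_block)
    wan = ipaddress.ip_address(wan_ip)
    plan: Dict[str, str] = {}
    for h in pub.hosts():
        if h == wan:
            continue  # the WAN address itself is not 1:1 NATed
        internal = ipaddress.ip_address(int(lan.network_address) + (int(h) & 0xFF))
        plan[str(h)] = str(internal)
    return plan


if __name__ == "__main__":
    print("usable hosts for 75.149.56.27/29:", usable_hosts("75.149.56.27/29"))
    print("server /29 vs laptop /24 (server sees laptop, laptop sees server):",
          on_link("192.168.1.27/29", "192.168.1.101/24"))
    # Gateway 192.168.1.1 is an assumed value, not from the thread.
    for p in diagnose_host("192.168.1.27/29", "192.168.1.0/24", "192.168.1.1"):
        print(" -", p)
    print("after fixing the mask:",
          diagnose_host("192.168.1.27/24", "192.168.1.0/24", "192.168.1.1"))
    for ext, internal in one_to_one_nat_plan("75.149.56.24/29", "75.149.56.28",
                                             "192.168.1.0/24").items():
        print(f"1:1 NAT  WAN {ext} -> {internal}")
```

Running it prints the asymmetric on-link result `(False, True)` for the .27/29 server versus the .101/24 laptop, three problems for the /29 configuration and none once the mask is /24, and a five-entry NAT plan that skips the WAN address.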
