Date: Thu, 26 Jun 2003 19:04:33 +0800
From: "Gav..." <ipv6guru@bigpond.net.au>
To: FBSD_User@a1poweruser.com, freebsd-questions@freebsd.org
Subject: Re: Web Server not allowing external visitors
Message-ID: <000a01c33bd2$ba1bc960$0100a8c0@madaboutipv6>
References: <20030624075915-149200041@bigpond.com>
| First of all you have two different nats running. The ppp_nat="YES"
| option says use nat function of pppd and natd_enable="YES" says to
| use NATD function of firewall. So you have nated your private lan ip
| address 2 times which is a user config error. You need option
| gateway_enable="YES" to pass packets to lan. I would comment out to
| disable the firewall options until you have things working and then
| add firewall. Too many things happening and you do not know who is at
| fault so limit testing to one thing at time. With apache server on
| gateway box you do not need port 80 forwarding.
|
| in /etc/rc.conf.
|
| ppp_nat="YES"
| gateway_enable="YES"
| defaultrouter="NO"
|
| #firewall_enable="YES"
| #firewall_type="OPEN" // (Yes I know but whilst testing!)
| #natd_enable="YES"
| #natd_interface="tun0"
| #natd_flags="-f /etc/natd.conf"

Ok, I did all this and lost all access to the internet from the other LAN
computers - even with firewall disabled, ipfw is not letting anything
through. It seems maybe that ppp_nat is not working or not fully
configured, what are all the files and options I need to change for this
to work properly?

When I boot the computer, the ADSL Modem automatically dials my ISP and
connects fine, but then to gain access to the internet properly I have to
do this:

killall natd
killall ppp
ppp -background adsl
natd -dynamic -n tun0

I can then access the internet fine - without the natd line I can not
access the internet, I tried without this line. So maybe a bit more
firewall and natd config is required, I don't know?

As the Web Server at the moment then is on my FreeBSD machine I do not need
any kind of port forwarding, but maybe I still need more IPFW rules?

At the moment one tester has reported that he is getting the following:-

'Gateway Timeout' error
A gateway timeout error has occurred. The Server is unreachable, please
retry the request. (GATEWAY_TIMEOUT) Please contact the Administrator.
Any ideas, thanks for all the help so far.

Gav...

(Original message left intact for now for those that missed it first time)

| -----Original Message-----
| From: owner-freebsd-questions@freebsd.org
| [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gav....
| Sent: Tuesday, June 24, 2003 9:59 AM
| To: freebsd-questions@freebsd.org
| Subject: Web Server not allowing external visitors
|
| Hi,
|
| Subject says it all really, what good is a website if only I can
| view it?
|
| Ok, brief history of problem and setup details, I'm sure I'll leave
| something out you need.
|
| I had 3 computers all run MS and Apache2 Web Server was on the main one
| connecting to the net via ADSL and using dyndns.org client to update the
| dynamic IP address. No probs.
|
| I then decide to change my setup and add a FreeBSD Router/Firewall .and.
| a separate (NT) Web Server.
| I installed my dns update client onto the new web server, enabled NATd
| (am connected via PPPoA/E), enabled port_forward tcp rules on port 80 to
| point to this Web Server machine. I also tried IPFW rules etc etc and
| could not get the outside world to connect. I thought I would instead
| put the Web Server (until I know better) onto the FreeBSD router machine.
|
| Still no go, All my internal machines can - by typing in the registered
| domain names, access the web server ok, the Apache Test page comes up
| ok. So by typing in www:mysite:com I get the sites ok. This I don't
| really understand. Surely my other computers must be going to the
| external www, getting the domain name resolved, getting the dynamic IP
| address allocated to me, and then coming back to my FreeBSD router where
| it gets served the web site. So why can't anyone else now access it.??
|
| I'd love to give you a url to test it but this is a public forum and my
| router is still not very secure at the moment, however I do have trusted
| people testing it for me regularly.
|
| Now, settings I think of relevance (having tried all sorts of setups
| using different techniques, I may have mixed up some settings and
| probably have a cocktail of settings) are (syntax copied exactly) :-
|
| in /etc/rc.conf.
|
| ppp_nat="YES"
| defaultrouter="NO"
| firewall_enable="YES"
| firewall_type="OPEN" // (Yes I know but whilst testing!)
| natd_enable="YES"
| natd_interface="tun0"
| natd_flags="-f /etc/natd.conf"
| #hostname="mydomain" // I left this commented out for now ?
|
| There are other settings in this file of course but felt only the above
| relevant to this post.
|
| in /etc/natd.conf.
|
| interface tun0
| dynamic yes
|
| in /etc/resolv.conf
|
| domain mydomain.com
| nameserver 11.2.333.44
| nameserver 11.2.333.55
|
| //above values changed!
|
| in /etc/rc.firewall
|
| /sbin/ipfw -f flush
| /sbin/ipfw add divert natd all from any to any via tun0
| /sbin/ipfw add divert natd tcp from 192.168.0.2 80 to any
| /sbin/ipfw add divert natd tcp from any to 192.168.0.2 80
| /sbin/ipfw add divert natd tcp from any to 192.168.2.1 80
| /sbin/ipfw add divert natd tcp from 192.168.2.1 80 to any
| /sbin/ipfw add pass all from any to any
| // temporary measure again.
|
| // 192.168.0.2 is on ed0 card going to internal network
| // 192.168.2.1 is on ed2 card going to another network (eventually web
| // server proper)
|
| At this point I'd like to mention something in my ifconfig readout.
|
| Now, ed0 ed2 lp0 ppp0 seem to me to be fine (and must be if internal
| network can browse internet etc)
|
| tun0, although above suggests it is working fine, gives me an unusual
| alias address. :-
|
| tun0: flags=8051<UP,POINTTOPOINT,RUNNING,MULTICAST> mtu 1500
| inet 14x1xx.xxx.xxx --> 172.31.22.152 netmask 0xffffff00
|
| Ok, I've masked my ISP assigned IP address for now as it is
| semi-permanent, but why has it aliased with a Class C internal IP
| address, when all my network is Class B 192.x.x.x addresses, can this be
| the cause of why external visitors can not access my sites.???
|
| What other information do you need ???
|
| Thanks in advance, speedy help is appreciated as a family member has
| trusted me to host his personal website and he can't get on it :(
|
| Gav...
|
| ---
| Checked for Viruses (Viri), Gav...
| Checked by AVG anti-virus system (http://www.grisoft.com).
| Version: 6.0.491 / Virus Database: 290 - Release Date: 18/06/2003
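As an added example (not from the thread or from FreeBSD itself), a small POSIX sh lint that checks an rc.conf for the mistakes pointed out in the reply above: NAT enabled twice via ppp_nat and natd_enable, natd_enable without firewall_enable, firewall_type="OPEN", and gateway_enable left off. The variable names are the ones in the thread; the sample rc.conf content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf for the NAT/firewall
# mistakes discussed above (NAT enabled twice, natd without ipfw, an OPEN
# firewall, and forwarding left off). Prints one WARN line per finding and
# ends with "findings: N". Variable names are those used in the thread.
# rc_value FILE VAR: value of the last uncommented VAR="..." line, or empty.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}
rc_nat_lint() {
    f=$1
    n=0
    ppp_nat=$(rc_value "$f" ppp_nat)
    natd=$(rc_value "$f" natd_enable)
    fw=$(rc_value "$f" firewall_enable)
    fwtype=$(rc_value "$f" firewall_type)
    gw=$(rc_value "$f" gateway_enable)
    if [ "$ppp_nat" = YES ] && [ "$natd" = YES ]; then
        echo "WARN: ppp_nat and natd_enable both YES: LAN traffic is NATed twice"
        n=$((n + 1))
    fi
    if [ "$natd" = YES ] && [ "$fw" != YES ]; then
        echo "WARN: natd_enable=YES without firewall_enable=YES: no divert rule loads"
        n=$((n + 1))
    fi
    if [ "$fw" = YES ] && [ "$fwtype" = OPEN ]; then
        echo "WARN: firewall_type=OPEN passes everything; tighten before going live"
        n=$((n + 1))
    fi
    if [ "$gw" != YES ]; then
        echo "WARN: gateway_enable is not YES: LAN packets will not be forwarded"
        n=$((n + 1))
    fi
    echo "findings: $n"
}
# Constructed sample reproducing the settings from the original post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ppp_nat="YES"
defaultrouter="NO"
firewall_enable="YES"
firewall_type="OPEN" # (Yes I know but whilst testing!)
natd_enable="YES"
natd_interface="tun0"
EOF
rc_nat_lint "$sample"      # three WARN lines, then "findings: 3"
rm -f "$sample"
```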