Web Server not allowing external visitors

Gav... ipv6guru at bigpond.net.au
Thu Jun 26 04:05:59 PDT 2003


| First of all you have two different NATs running. The ppp_nat="YES"
| option says use the NAT function of ppp, and natd_enable="YES" says to
| use the NATD function of the firewall. So you have NATed your private
| LAN IP address 2 times, which is a user config error. You need option
| gateway_enable="YES" to pass packets to the LAN. I would comment out
| the firewall options to disable them until you have things working,
| and then add the firewall. Too many things are happening and you do
| not know which is at fault, so limit testing to one thing at a time.
| With the Apache server on the gateway box you do not need port 80
| forwarding.
|
|
| in /etc/rc.conf.
|
| ppp_nat="YES"
| gateway_enable="YES"
| defaultrouter="NO"
|
| #firewall_enable="YES"
| #firewall_type="OPEN"      //  (Yes I know but whilst testing!)
| #natd_enable="YES"
| #natd_interface="tun0"
| #natd_flags="-f /etc/natd.conf"
|
|

Ok, I did all this and lost all access to the internet from the other LAN
computers - even with the firewall disabled, ipfw is not letting anything
through.
It seems maybe that ppp_nat is not working or not fully configured. What are
all the files and options I need to change for this to work properly?

When I boot the computer, the ADSL Modem automatically dials my ISP and
connects fine, but then to gain access to the internet properly I have to do
this:

killall natd
killall ppp
ppp -background adsl
natd -dynamic -n tun0

I can then access the internet fine - without the natd line I can not
access the internet, I tried without this line.

So maybe a bit more firewall and natd config is required, I don't know?

As the Web Server at the moment is on my FreeBSD machine I do not need
any kind of port forwarding, but maybe I still need more IPFW rules?

At the moment one tester has reported that he is getting the following:-

 'Gateway Timeout ' error
A gateway timeout error has occured.The Server is unreachable, please retry
the request.
(GATEWAY_TIMEOUT)
Please contact the Administrator.

Any ideas, thanks for all the help so far.

Gav...

(Original message left intact for now for those that missed it first time)

| -----Original Message-----
| From: owner-freebsd-questions at freebsd.org
| [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Gav....
| Sent: Tuesday, June 24, 2003 9:59 AM
| To: freebsd-questions at freebsd.org
| Subject: Web Server not allowing external visitors
|
| Hi,
|
| Subject says it all really, what good is a website if only I can
| view it?
|
| Ok, brief history of problem and setup details, I'm sure I'll leave
| something out you need.
|
| I had 3 computers all running MS, and Apache2 Web Server was on the
| main one, connecting to the net via ADSL and using the dyndns.org
| client to update the dynamic IP address. No probs.
|
| I then decided to change my setup and add a FreeBSD Router/Firewall
| .and. a separate (NT) Web Server.
| I installed my DNS update client onto the new web server, enabled
| NATd (am connected via PPPoA/E), and enabled port_forward tcp rules on
| port 80 to point to this Web Server machine. I also tried IPFW rules
| etc etc and could not get the outside world to connect. I thought I
| would instead put the Web Server (until I know better) onto the
| FreeBSD router machine.
|
| Still no go. All my internal machines can - by typing in the
| registered domain names - access the web server ok, the Apache Test
| page comes up ok. So by typing in www:mysite:com I get the sites ok.
| This I don't really understand. Surely my other computers must be
| going to the external www, getting the domain name resolved, getting
| the dynamic IP address allocated to me, and then coming back to my
| FreeBSD router where it gets served the web site. So why can't anyone
| else now access it?
|
| I'd love to give you a URL to test it but this is a public forum and
| my router is still not very secure at the moment, however I do have
| trusted people testing it for me regularly.
|
| Now, settings I think of relevance (having tried all sorts of setups
| using different techniques, I may have mixed up some settings and
| probably have a cocktail of settings) are (syntax copied exactly):
|
| in /etc/rc.conf.
|
| ppp_nat="YES"
| defaultrouter="NO"
| firewall_enable="YES"
| firewall_type="OPEN"      //  (Yes I know but whilst testing!)
| natd_enable="YES"
| natd_interface="tun0"
| natd_flags="-f /etc/natd.conf"
| #hostname="mydomain"          // I left this commented out for now ?
|
| There are other settings in this file of course but felt only the
| above relevant to this post.
|
| in /etc/natd.conf.
|
| interface tun0
| dynamic yes
|
| in /etc/resolv.conf
|
| domain mydomain.com
| nameserver 11.2.333.44
| nameserver 11.2.333.55
|
| //above values changed!
|
| in /etc/rc.firewall
|
| /sbin/ipfw -f flush
| /sbin/ipfw add divert natd all from any to any via tun0
| /sbin/ipfw add divert natd tcp from 192.168.0.2 80 to any
| /sbin/ipfw add divert natd tcp from any to 192.168.0.2 80
| /sbin/ipfw add divert natd tcp from any to 192.168.2.1 80
| /sbin/ipfw add divert natd tcp from 192.168.2.1 80 to any
| /sbin/ipfw add pass all from any to any
| // temporary measure again.
|
| // 192.168.0.2 is on ed0 card going to internal network
| // 192.168.2.1 is on ed2 card going to another network (eventually web server proper)
|
| At this point I'd like to mention something in my ifconfig readout.
|
| Now, ed0 ed2 lp0 ppp0 seem to me to be fine (and must be if internal
| network can browse internet etc)
|
| tun0, although above suggests it is working fine, gives me an
| unusual alias address:
|
| tun0: flags=8051<UP,POINTTOPOINT,RUNNING,MULTICAST> mtu 1500
|     inet 14x1xx.xxx.xxx --> 172.31.22.152 netmask 0xffffff00.
|
| Ok, I've masked my ISP assigned IP address for now as it is
| semi-permanent, but why has it aliased with a Class C internal IP
| address, when all my network is Class B 192.x.x.x addresses? Can this
| be the cause of why external visitors can not access my sites?
|
| What other information do you need ???
|
| Thanks in advance, speedy help is appreciated as a family member has
| trusted me to host his personal website and he can't get on it :(
|
| Gav...
|
|
| ---
| Checked for Viruses (Viri) , Gav...
| Checked by AVG anti-virus system (http://www.grisoft.com).
| Version: 6.0.491 / Virus Database: 290 - Release Date: 18/06/2003
|
|
|


---
Checked for Viruses (Viri) , Gav...
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.491 / Virus Database: 290 - Release Date: 18/06/2003
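
The check the quoted reply describes (two NAT layers enabled together, gateway_enable missing), written out as an added example that is not part of the original thread: a POSIX sh lint for an rc.conf read on stdin. The function names and the two sample configurations (constructed from the rc.conf fragments quoted above) are assumptions of this example; it also flags firewall_type="OPEN", which the first post marks as a testing-only setting.

```sh
#!/bin/sh
# rc_value TEXT KEY: last uncommented value assigned to KEY ("" if unset).
rc_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" |
        tail -n 1
}

is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# lint_rc: read rc.conf on stdin, print one finding per line,
# print nothing when none of the three conditions applies.
lint_rc() {
    conf=$(cat)
    if is_yes "$(rc_value "$conf" ppp_nat)" &&
       is_yes "$(rc_value "$conf" natd_enable)"; then
        echo "double-nat: ppp_nat and natd_enable are both YES"
    fi
    if ! is_yes "$(rc_value "$conf" gateway_enable)"; then
        echo "no-forwarding: gateway_enable is not YES"
    fi
    if is_yes "$(rc_value "$conf" firewall_enable)" &&
       [ "$(rc_value "$conf" firewall_type)" = "OPEN" ]; then
        echo "open-firewall: firewall_type is OPEN, every packet is passed"
    fi
}

# Constructed sample: settings from the first post.
original_conf() {
cat <<'EOF'
ppp_nat="YES"
firewall_enable="YES"
firewall_type="OPEN"      //  (Yes I know but whilst testing!)
natd_enable="YES"
EOF
}

# Constructed sample: settings suggested in the reply.
suggested_conf() {
cat <<'EOF'
ppp_nat="YES"
gateway_enable="YES"
#firewall_enable="YES"
#natd_enable="YES"
EOF
}

echo "first post:"; original_conf  | lint_rc
echo "suggested:";  suggested_conf | lint_rc
```

On a live system the same function is run as `lint_rc < /etc/rc.conf`.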


