Web Server not allowing external visitors

Han Hwei Woo hhwoo at argosy.ca
Fri Jun 27 07:08:24 PDT 2003


This is because natd is being run before ppp is. Just disable natd in
rc.conf, and run it from rc.local instead:

/sbin/natd -n <interface>

----- Original Message ----- 
From: "Gav..." <ipv6guru at bigpond.net.au>
To: <FBSD_User at a1poweruser.com>; <freebsd-questions at freebsd.org>
Sent: Thursday, June 26, 2003 8:04 AM
Subject: Re: Web Server not allowing external visitors


>
> | First of all you have two different nats running. The ppp_nat="YES"
> | option says use nat function of pppd  and natd_enable="YES" says to
> | use NATD function of firewall. So you have nated your private lan ip
> | address 2 times which is a user config error. You need option
> | gateway_enable="YES" to pass packets to lan.  I would comment out to
> | disable the firewall options until you have thinks working and them
> | add firewall. To many things happening and you do not know who is at
> | fault so limit testing to one thing at time. With apache server on
> | gateway box you do not need port 80 forwarding.
> |
> |
> | in /etc/rc.conf.
> |
> | ppp_nat="YES"
> | gateway_enable="YES"
> | defaultrouter="NO"
> |
> | #firewall_enable="YES"
> | #firewall_type="OPEN"      //  (Yes I know but whilst testing!)
> | #natd_enable="YES"
> | #natd_interface="tun0"
> | #natd_flags="-f /etc/natd.conf"
> |
> |
>
> Ok, I did all this and lost all access to the internet from the other LAN
> computers. - even with firewall disabled, ipfw is not letting anything
> through.
> It seems maybe that ppp_nat is not working or not fully configured, what
are
> all the files and options I need
> to change for this to work properly?
>
> When I boot the computer, the ADSL Modem automatically dials my ISP and
> connects fine, but then to gain access to the internet properly I have to
do
> this:
>
> killall natd
> killall ppp
> ppp -background adsl
> natd -dynamic -n tun0
>
> I can then access the internet fine  - without the natd line I can not
> access the internet, I tried without this line.
>
> So maybe a bit more firewall and natd config is required I dont know.?
>
> As the Web Server at the moment then is on my FreeBSD machine I do not
need
> any kind of port forwarding, but maybe I still need to more IPFW rules?
>
> At the moment one tester has reported that he is getting the following:-
>
>  'Gateway Timeout ' error
> A gateway timeout error has occured.The Server is unreachable, please
retry
> the request.
> (GATEWAY_TIMEOUT)
> Please contact the Administrator.
>
> Any ideas, thanks for all the help so far.
>
> Gav...
>
> (Original message left intact for now for those that missed it first time)
>
> | -----Original Message-----
> | From: owner-freebsd-questions at freebsd.org
> | [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Gav....
> | Sent: Tuesday, June 24, 2003 9:59 AM
> | To: freebsd-questions at freebsd.org
> | Subject: Web Server not allowing external visitors
> |
> | Hi,
> |
> | Subject says it all really, what good is a website if only I can
> | view it?
> |
> | Ok, brief history of problem and setup details, I'm sure I'll leave
> | something out you need.
> |
> | I had 3 computers all run MS and Apache2 Web Server was on the main
> | one
> | connecting to the net via ADSL and using dyndns.org client to update
> | the
> | dynamic IP address. No probs.
> |
> | I then decide to change my setup and add a FreeBSD Router/Firewall
> | .and. a
> | separate (NT)  Web Server.
> | I installed my dns update client onto the new web server , enabled
> | NATd (am
> | connected via PPPoA/E) , enabled port_forward tcp rules on port 80
> | to point
> | to this Web Server machine. I also tried IPFW rules etc etc and
> | could not
> | get the outside world to connect. I thought I would instead put the
> | Web
> | Server (until I know better) onto the FreeBSD router machine.
> |
> | Still no go, All my internal machines can - by typing in the
> | registered
> | domain names, access the web server ok, the Apache Test page comes
> | up ok. So
> | by typing in www:mysite:com I get the sites ok. This I don't really
> | understand. Surely my other computers must be going to the external
> | www ,
> | getting the domain name resolved, getting the dynamic IP address
> | allocated
> | to me , and then coming back to my FreeBSD router where it gets
> | served the
> | web site. So why can't anyone else now access it.??
> |
> | I'd love to give you a url to test it but this is a public forum and
> | my
> | router is still not very secure at the moment, however I do have
> | trusted
> | people testing it for me regularly.
> |
> | Now , settings I think of relevance (having tried all sorts of
> | setups using
> | different techniques , I may have mixed up some settings and
> | probably have a
> | cocktail of settings) are (syntax copied exactly) :-
> |
> | in /etc/rc.conf.
> |
> | ppp_nat="YES"
> | defaultrouter="NO"
> | firewall_enable="YES"
> | firewall_type="OPEN"      //  (Yes I know but whilst testing!)
> | natd_enable="YES"
> | natd_interface="tun0"
> | natd_flags="-f /etc/natd.conf"
> | #hostname="mydomain"          // I left this commented out for now ?
> |
> | There are other settings in this file of course but felt only the
> | above
> | relevant to this post.
> |
> | in /etc/natd.conf.
> |
> | interface tun0
> | dynamic yes
> |
> | in /etc/resolv.conf
> |
> | domain mydomain.com
> | nameserver 11.2.333.44
> | nameserver 11.2.333.55
> |
> | //above values changed!
> |
> | in /etc/rc.firewall
> |
> | /sbin/ipfw -f flush
> | /sbin/ipfw add divert natd all from any to any via tun0
> | /sbin/ipfw add divert natd tcp from 192.168.0.2 80 to any
> | /sbin/ipfw add divert natd tcp from any to 192.168.0.2 80
> | /sbin/ipfw add divert natd tcp from any to 192.168.2.1 80
> | /sbin/ipfw add divert natd tcp from 192.168.2.1 80 to any
> | /sbin/ipfw add pass all from any to any
> | // temporary measure again.
> |
> | // 192.168.0.2 is on ed0 card going to internal network
> | //192.168.2.1 is on ed2 card going to another network (eventually
> | web server
> | proper)
> |
> | At this point I'd like to mention something in my ifconfig readout.
> |
> | Now, ed0 ed2 lp0 ppp0 seem to me to be fine (and must be if internal
> | network
> | can browse internet etc)
> |
> | tun0 , although above suggests it is working fine , gives me an
> | unusual
> | alias address. :-
> |
> | tun0: flags=8051(UP,POINTTOPOINT,RUNNING,MULTICAST> mtu 1500
> |     inet 14x1xx.xxx.xxx --> 172.31.22.152 netmask 0xffffff00.
> |
> | Ok, I've masked my ISP assig ed IP address for now as it is
> | semi-permanent,
> | but why has it aliased with a Class C
> | internal IP address, when all my network is Class B 192.x.x.x
> | addresses ,
> | can this be the cause of why external visitors can not access my
> | sites.???
> |
> | What other information do you need ???
> |
> | Thanks in advance , speedy help is appreciated as a family member
> | has
> | trusted me to host his personal website and he cant get on  it :(
> |
> | Gav...
> |
> |
> | ---
> | Checked for Viruses (Viri) , Gav...
> | Checked by AVG anti-virus system (http://www.grisoft.com).
> | Version: 6.0.491 / Virus Database: 290 - Release Date: 18/06/2003
> |
> | _______________________________________________
> | freebsd-questions at freebsd.org mailing list
> | http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> | To unsubscribe, send any mail to
> | "freebsd-questions-unsubscribe at freebsd.org"
> |
> |
>
>
> ---
> Checked for Viruses (Viri) , Gav...
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.491 / Virus Database: 290 - Release Date: 18/06/2003
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
>



More information about the freebsd-questions mailing list