RED to Green - none of the Web Pages, SSH, or SFTP seem to work

Okay, I am reposting them. One somehow got blocked.

10,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,172.16.168.253/32,ON,cust_srvgrp,Web-Page-SN,maidocs web,00:00,00:00,ON,ALIAS__URL,


dnat,second

I also wrote out the step-by-step settings, as I would create them.

Just in case you need to know the comma counts; it seems the post strips the commas.

As far as the errors, I will see if any are on the test system; I have not rebuilt it yet.

Hand keying based on HOW I make the rules? (What is wrong?) Hand keyed many times. NOT DOING A RESTORE. Oh, I said that too. But okay,

Firewall Options: no changes. Web Proxy tried both OFF and ON.
NO URL FILTERS.

Made aliases with URLs (www.mywebpage.com) and just a word like "webpage1".
You are forced to use aliases, so I could not key in the IPs.
Made host names with URLs and "pageone".
Made rules not using the host names but keying in the IPs.
Made network firewall groups: Networks and Hosts, Network/Host Groups, Service Groups with the same ports as 169,
and NOT using Service Groups, just using the port, making many rules for the same page with different ports in each rule, such as TCP 443 and TCP 80, not using the presets or Service Groups.

Network is Green, Red, Orange.

Orange is for the VPN and MAIL, to get the IP of the mail server to face the internet; otherwise it only shows the forward-facing IP of the firewall's gateway. Mail errors out with the wrong IP if not on it.

I am thinking that the certificates may have the same problem for the web pages: not giving the IP of the web page the cert should see, but the gateway's IP, in versions 170 and 171.

I have a port forward set up for my LetsEncrypt certificates updates on one of my servers and that is working fine with CU171 and prior to that with CU170 and earlier.

I have just put in place a webmail access to my server, again using a port forward and that has worked fine with CU171.

If you try and use ShieldsUp from the following link to test that your port-forwarded ports are open, what result do you get?
ShieldsUp is available from the Services menu item at the top left of the website.
https://www.grc.com/default.htm

This will confirm that your port-forwarded ports are open to the internet. If they show up as Closed or Stealth then there is a problem accessing the ports from the internet.

If they show up as Open then you need to try and make a connection from the internet and then look at the firewall logs for the time that you tried it.

If the Port Forwarding is working then you should find a pair of lines as shown here

The time order is newer at the top. So the DNAT command is first, receiving the traffic from the Internet IP to the red0 IP and converting from the source port to the destination port (443 in this case). Then the FORWARDFW command is next, which forwards the traffic to the specified internal server at the appropriate IP.

If you don't see this pair of lines with any port access but see a DROP_INPUT for the involved Internet IP, then there is a problem with the Port Forward command that has been specified, but then the port should also not show as open with the ShieldsUp web app.

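As an added illustration (not part of the post above, and not IPFire's own tooling), here is a small Python script that does the pairing the post describes: it reads netfilter log lines, groups them per client flow and reports whether a DNAT was followed by a FORWARDFW, whether only a DNAT appeared, or whether the flow ended in DROP_INPUT. The log lines are constructed; their key=value part is the standard iptables LOG format and the prefixes are the ones named above. Whether IPFire's /var/log/messages lines look exactly like this is an assumption, so adjust LINE_RE if your format differs.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages-style lines (assumed format).
# The key=value part is the standard iptables LOG output; the prefixes
# DNAT, FORWARDFW and DROP_INPUT are the ones discussed in the thread.
# Newest line is at the top, as in the IPFire log viewer.
SAMPLE_LOG = """\
Jan 10 10:00:03 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=443
Jan 10 10:00:03 ipfire kernel: DNAT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443
Jan 10 10:00:02 ipfire kernel: DNAT IN=red0 OUT= SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP SPT=44444 DPT=80
Jan 10 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80
"""

# Prefix is the word right after "kernel: "; the rest is key=value tokens.
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+) (?P<fields>.*)$")


def parse_line(line):
    """Return (prefix, {field: value}) for one netfilter LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")   # "OUT=" yields an empty value
        fields[key] = value
    return m.group("prefix"), fields


def classify_flows(log_text):
    """Group lines by (SRC, SPT, PROTO) and say what happened to each flow."""
    seen = defaultdict(dict)                   # flow -> {prefix: fields}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        flow = (f.get("SRC"), f.get("SPT"), f.get("PROTO"))
        seen[flow][prefix] = f

    result = {}
    for flow, by_prefix in seen.items():
        if "DNAT" in by_prefix and "FORWARDFW" in by_prefix:
            # The healthy pair from the post: translated, then forwarded.
            fw = by_prefix["FORWARDFW"]
            result[flow] = "forwarded to %s:%s via %s" % (fw["DST"], fw["DPT"], fw["OUT"])
        elif "DNAT" in by_prefix:
            # Translation happened but the forward chain never let it through.
            result[flow] = "DNAT hit but no FORWARDFW: check the forward rule/target"
        elif "DROP_INPUT" in by_prefix:
            # No port-forward rule matched, so the packet hit the firewall itself.
            d = by_prefix["DROP_INPUT"]
            result[flow] = "no port-forward rule matched %s:%s (DROP_INPUT)" % (d["DST"], d["DPT"])
        else:
            result[flow] = "other: " + ",".join(sorted(by_prefix))
    return result


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_LOG).items():
        print(flow, "->", verdict)
```

Pipe the relevant minute of the log into `classify_flows` (after redacting the public addresses) and the verdict per client flow tells you which of the three situations from the post you are in, without reading the lines by hand.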

But the bad news: it is only showing the forward-facing IP of the firewall. I tested on both the Green and Red sides with the same outcome. I changed the server's IP to another service port set up on the firewall. All the web pages work on 169; I have to test 171 the same way.

169 I am seeing the DNAT for the Ports.

What I mean about the Green and Red side: I am using two IPFires, one for servicing web, SSH and SFTP stuff, and one behind the other for the end users to get to the internet. That one is working with 171, but it is only outgoing traffic. No web pages, no SSH, no SFTP; everything blocked coming in and working well.

I have tested with it by hosting a web page inside and getting to it by getting on the Red side, but only by IP. Note that this also works on the web page from outside with 171 if you use the IP of the web page that does not have SSL. Which is why I think the forward-facing IP of the web page is not being reported correctly. The certificates do not work if the page reports the facing IP of the router, not the page.

Well, I made some time to try the 172 update. FAILED again. Does anyone use 16 IPs coming in from the ISP and firewall them in? Seems no one has an answer to why 169 works and anything higher fails. Just cannot get to any of the web pages. Going out works fine. But the outside cannot get to any web page, http or https.

Can you try a clean installation? If OK, then you restore a backup?

Sorry, but I cannot repost this; they tend to ban for SPAMMING. But YES, yes I have: clean install, hand keyed, no restore, and same outcome. I even clean installed 169, hand keyed, and it works fine. Did a backup and restored it to 172 after a clean install of 172. Failed. Removed all blockers, just to see if they might be the problem. NOPE.

Clean install, rekeyed rules by hand with 169: everything works; in fact it is what I am running.
Clean install on new hardware failed for no NIC drivers.
Clean install on older hardware whose NICs have drivers: 171 fail, 172 fail.
Clean install on hardware I was using as backup hardware, USB for NIC: 171 fail.

and Yes I did post the hardware specs that failed.

I asked if something changed about how the rules are made. Posted ONE of the rules as I did it. I got no bad response to that, but no "looks good" either. Did get asked how many commas, and reposted, not noticing that it stripped the commas.

Someone asked how I was getting to the management: from the GREEN side. NOT looking to get to the management from the RED or ORANGE side.

Note: this has been a small problem since I posted the IP of one of the web pages. I am now getting hit by 1000s of dropped packets per second. Kind of wish I did not do that, but IPFire is handling it.

Looking through the git repository changes in rules.pl which defines the firewall rules then in CU170 there were eight change commits, all of them related to the introduction of the IP Blocklists capability.

I have read through the changes in each of those eight commits and I don't see any changes to any of the previously existing firewall rule chains.

CU171 to CU172 have had no changes to rules.pl

If the problem being experienced is related to these IP Blocklist changes there must be something very specific with the rules being used.

I have two port forward rules for access to my webmail system and for my Lets Encrypt certificate updates and those are working fine with CU170 to CU172 and earlier.

To be able to figure out what is happening the log messages for where the traffic is being dropped in the IPFire firewall sequence needs to be provided so someone can figure out which chain is causing the problem. The log lines involved can have any sensitive info replaced.


Did some digging on what you are talking about. Nice example of how to port forward: NONE. But I did dig by googling the heck out of it. Made some changes. Fail to render page, cannot find site, in 172, 171 and 170; in 169 it works fine. Only error is NTP time not set; fixed it, still fail. 169: ntpdate error, next line NTP synchronisation, so it works. 172: line after line of ntpdate error, but after the fix NTP sync fine. Checked DNS servers, all passed. And yes, going out works fine. Using geopeeker: in 172 NO render, 169 renders fine. Same rules. I even backed up 172 and restored into 169 and it works fine. I feel no one is using IPFire for more than one page, by the number of responses on this. Yes, I am learning a new firewall as a failover, and if I am writing the rules badly maybe the other firewall can teach me something.

All Test today failed with 172.

Now from what I read about the Port forward.

Firewall rule
Source Local IP of page server.
NAT Source NAT Pull down got the Alias of the Public IP.
Destination Standard Networks ANY
Protocol Preset Service Groups Webpage (http, https)

So, is my example right?

I am struggling to understand this.

To try and help clarify things here is a screenshot of the rules setting page for my port forward for accessing my webmail server on one of my computers.

The source here is the location on the internet or other networks trying to access the web page on your server.
Normally this could be RED in the Standard Networks to allow access only from sources on the internet. In my case I am also testing this out from other computers on my local network and so I have it set to Any.
In your info you mention the source as having a local IP. I am not totally sure what you mean by local IP. If you mean a private subnet IP then that is incorrect. If you will access the web server from only one computer on the internet then you can specify an IP but that needs to be a Public Address IP.

NAT is selected with Destination NAT (Port Forwarding).
I do not understand what you mean by Pull Down got the Alias of the Public IP.

In my Destination section I have specified a Host name, rather than just the IP address for the computer on the internal LAN network.
Your information has the Destination as Standard Networks ANY. For port forwarding the destination is usually defined to be the Private subnet IP address for your web server etc, not the whole of the internal network.

As I have written this I am wondering if you are confusing what the Source and Destination for the Port Forward need to be.

You might want to review this info in the wiki about source and destination.
https://wiki.ipfire.org/configuration/firewall/rules#source & destination

Also the wiki Port Forward page also mentions source and destination definitions.
https://wiki.ipfire.org/configuration/firewall/rules/port-forwarding

Here is what my firewall port forward rule from above looks like on the firewall rules table.


Yes, yes, incoming looks just like yours. I was thinking that the outgoing was the problem: why the IP addresses of the websites did not show the IP of the website but the IP of the gateway. The gateway is set up as 10.10.10.10, subnet 255.255.255.224, gateway 10.10.10.9 (note: not real numbers), and the main IP range is 10.10.10.11 to 10.10.10.60.

To get the MAIL to work in 168, I had to move the mail server to DMZ orange, using incoming ports and outgoing ports. Then the mail server was reporting the correct IP to other mail servers, and the other mail servers could talk to our mail server. I added a USB-to-NIC for the orange. 170 failed because of the USB-to-NIC, so I got new hardware. Too new, in fact: the NIC had no drivers for it in Linux. I found older hardware that did have drivers.

Pull down / drop down is where you have Automatic with the chevron. Yes, I am old; been here when they called the cloud the World Wide Web. Marketing terms have messed up communication. If you have more than one public IP and make aliases for each, they show up in the pull-down menu.

My understanding of the port forward: by saying I may be missing the port forward, and me showing my settings months ago, telling me I was not doing something within what I was doing. I found examples of what I posted and so I tried it. Did not change anything on 169 or 172. The fact that it did not change how the web pages worked in 169, so I tried it.

In 169 the web pages are found and show up no problem. In 17x the web pages get "not found", like the site never existed. So the IPFire page of "not found" is not showing up, and I have seen this when I did something wrong in the past.

NAT, my understanding is: my destination of the public IP is forwarded to the IP of the server on the green side, using the protocol set in Protocol.

In your example you used an alias in the HOST for the IP; I use both the hard IP and the HOST. In the NAT I set up the aliases in the Network tab and add a new alias to get the pull down to show my public IPs, of which I have 16, but only using 10 of them now. Now you use Automatic. Per doc: Firewall Interface = Automatic. I am not talking to ONE IP nor the firewall interface, but one of the many public IPs.

Thanks for the example of the INCOMING Portforward. Still the automatic. How would the firewall know about the public IP? and then forward it to it without the IP.

Firewall Rules look somewhat the same.
Firewall ([Page]):443
_>[Green IP]:443

[] = not real information. page would be www.page.com and Green IP would be local IP.

Because the outgoing portforward is nothing I removed them.

I think I jumbled this up trying to read yours and answer at the same time, sorry.

Still, I have not updated to 172; I am at 169. Not found an answer yet. 7 motherboards, all seem to not work with 170, 171 or 172. Green to red works well, Red to Orange works too. Red to Green not working. Been working on a mail server so been away from this project. Was hoping to see something. Been using IPFire a long time, since 2011; I have never had this happen. Yes, I have tried some odd things from above. Still none of the servers are available for the internet with 170, 171 and 172. The only odd one is I have one server not available from green. This one shows an IPFire Error: Connection to IPADDRESS failed. The system returned: (111) Connection refused. But this started with 166 and I did not care if this one was available from inside my network. But from the internet side it works. Yes, it is an odd one.

@dean8 ,
once again, could you specify your config ( FW rules especially ! ) in more detail, please.
If you can watch the problem on several systems, I think there is some problem in the config.
A system consists of HW, OS and configuration.
With different HW it is hardly a hardware problem.
The OS is run by many users, with no complaints about such problems. So we can assume this part isn't the cause either.
That leaves your config, the most unknown part for the community willing to help you.

Regards,
Bernhard


Firewall setup. I am going to get banned for this, repeating what was said.

Set up Alias
Name Alias IP
WebPageName PublicIPAddress Enabled Add

Firewall Rules
New Rule

Source
Standard networks: Any

NAT
Use Network Address Translation(NAT)
Destination NAT (Port forwarding) Firewall interface: WebPageName

Destination
Destination Address (IP Address or Network) LocalIPofServer

Protocol

  • Preset - Services HTTP

Remark: Webpage

Set Activate

Repeat for next page

Also using Service groups
Web-Page-SN with HTTP and HTTPS
Mail-Group with IMAPS, POP3S,SFTPS,HTTPS, and MailSpell(7025)
VPN-Group with ESP1(UDP50), ESP2(TCP50), L2TP(1701) VPN1(500), and VPN2(4500)
also using SSH for SFTP server

1 motherboard only had two NICs with a USB NIC for the third. Asus h110t/csm, i3 3GHz CPU and 16 GB of RAM. Intel® I219V, Realtek® RTL8111H

This is what I started with. The USB was added to get Mail to work by reporting its IP correctly. By moving the Mail to Orange the IP stopped reporting the gateway's IP and reported the mail server's IP.
I have 4 of them.

  1. Motherboard with 4 NICs, AsRock C3558D4i-4L, Atom C3558, 16 GB of RAM. This one had no Linux drivers for the NICs, Marvell 88E1543(4L) x4.
    I have 4 of them, and hope drivers are made for them.

  2. Got a custom build, with pfSense on it. Linux drivers checked and rechecked.
    Firewall, OPNsense, VPN, Network Security Micro Appliance, Router PC, Intel Atom D525, HUNSN RS03, 6 x Intel Gigabit LAN, 2 x USB, COM, VGA, Fan, 4G RAM, 64G SSD
    I have 1 of this one.
    Yes, that was just to try it; 169 works fine on it, but the same outcome with 170, 171 and 172.

It would be much easier if you could provide a screenshot rather than just a lot of words.

If there are sensitive external IPs you don't want to share you can always redact them.


and again like said above,

RESTORE from backup.
Hand Keyed. in 170,171, and 172 with Clean install.
Hand Keyed in 169(Test WORKING) updated to 170 Fail, 171 Fail, 172,Fail.
Hand Keyed in 172 (Fail), Backup, started the 169 system, Restored: WORKS fine.