Web server not accessible from the Internet

Hello everyone,

I’ve been searching the forum and documentation for two weeks now. Unfortunately I can’t find a solution to my problem.

I have a web server that was accessible via pfsense. I have reinstalled all my systems and switched to ipfire. That was two months ago.

My web server is usually accessible via a Cloudflare tunnel. If I bypass the firewall, the server can be reached. If I connect the server to the firewall again, it won’t work anymore.

I set the firewall to let everything through, but I can’t reach my test domain.

I have a fiber optic connection that goes into a Genexis modem. The dial-in is automatic. After the Genexis comes the IPFire. From the IPFire it goes directly to the unmanaged switch. All devices are connected to it.

What I noticed is that if I display my public IP via the provider, I get a 94.x.x.x address, but if I display the IP via IPFire, the system claims that it is a 101.x.x.x address.

An Ubuntu server runs on the web server with a Cloudflare app that transmits the current public IP address. The connection also works between the app and Cloudflare.

So the problem is with IPFire, but I can’t find a solution :frowning:
Can you help me ?

Very best regards
Miriam

Perhaps check that you are not behind “Carrier Grade NAT”.
We will help fix your firewall rules next.
Your incoming firewall rule is backwards.
Source red
NAT
Destination 10.0.0.60 (server ip)

2 Likes

Carrier Grade NAT

I think you will need a static IP, and possibly a VPN tunnel to your web server?

2 Likes
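As an added example (not code from any poster in this thread), a small check that makes the CGNAT suspicion above concrete: compare the address IPFire reports on its RED interface with the address an outside service reports, and classify what that means for inbound port forwarding. It also covers the double-NAT case and the mismatch reported earlier (a public-looking RED address that differs from the one the outside sees); all addresses in it are constructed test values from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space that ISPs use for Carrier Grade NAT (CGNAT)
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: one of these on RED means the modem/ONT is itself
# routing and translating in front of the firewall (double NAT)
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Plain-language meaning of each verdict for an inbound port forward
VERDICTS = {
    "public": "RED holds the public address; a port forward on the firewall is enough.",
    "cgnat": "RED is in 100.64.0.0/10: the ISP shares one public IP, so inbound port "
             "forwarding cannot work; use an outbound tunnel or ask for a public IP.",
    "double-nat": "RED has an RFC 1918 address: the modem/ONT is routing, so forward "
                  "the port on the modem to the firewall first (or bridge the modem).",
    "upstream-nat": "RED is a public-looking address that differs from what the "
                    "outside sees: an upstream device translates traffic, so inbound "
                    "connections will not reach the firewall.",
}

def classify_wan(red_ip: str, observed_public_ip: str) -> str:
    """Classify the WAN situation from the RED interface address and the
    address an external 'what is my IP' service reports."""
    red = ipaddress.ip_address(red_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if red in CGNAT_NET:                    # IPv6 addresses never match an IPv4 net
        return "cgnat"
    if any(red in net for net in RFC1918_NETS):
        return "double-nat"
    if red == seen:
        return "public"
    return "upstream-nat"

def explain(red_ip: str, observed_public_ip: str) -> str:
    """Return the human-readable verdict for the given pair of addresses."""
    return VERDICTS[classify_wan(red_ip, observed_public_ip)]

if __name__ == "__main__":
    # Constructed sample pairs (RED address, address seen from outside)
    samples = [("100.70.1.2", "203.0.113.5"), ("192.168.178.20", "203.0.113.5"),
               ("203.0.113.5", "203.0.113.5"), ("198.51.100.7", "203.0.113.5")]
    for red, seen in samples:
        print(f"RED {red:<15} outside sees {seen:<12} -> {explain(red, seen)}")
```

Read the RED address from the IPFire web interface (Status > Network) and the outside address from any public IP lookup page; if the verdict is anything but "public", no firewall rule on IPFire alone will make port 80 reachable.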

Firewall rule 2 needs to go away.
Very bad.

Outgoing rule is not needed.
So it can go.

1 Like

Hello everyone,

Thanks in advance for the quick answers :blush:

So I adjusted the firewall settings and hope they are correct now.
Yes, correct, my provider works with CGNAT and you don’t get static IPs from this provider. This is a problem with the German fiber optic network. A VPN would also not be an option since the web server is publicly accessible.

Despite the adjustments, see picture, there is still no access.

The test domain is: xxxxxx.xxxxxxxx.xxx *edit

Can I possibly provide more data that might help?

Thanks so much!!

Miriam,

Yes you can post more data, you can also send me a PM.
I am just a newbie as well.

Does Cloudflare change your IP to IPv6?

When I ran traceroute, I got an IPv6 address,
or the Cloudflare IP address.

1 Like

Then you are out of luck.
The best I can suggest is to set up an IPFire in the cloud.
Create a road warrior VPN,
home to cloud.
On the cloud IPFire, set up Dynamic DNS for the VPN server.
You will probably need a port forward in the cloud to the VPN tunnel to the server.

1 Like

Hello everyone,

@Shaun HVAC - you can do it but with Cloudflare you can also reach it perfectly through a tunnel. No cloud, VPN, static IP etc. is necessary. I have already implemented this several times for customers so that I can access the servers there.

If I enter firewall XX.XX.XX.1 as the target, the page loads perfectly.

On the relevant server XX.XX.XX.60, I turned off the firewall completely.

Could it be that a port forward or a route is missing in IPFire?

@trish - Thanks for the offer. I think it might be more helpful for others to write publicly than if we write privately :slight_smile:

Best regards

Here are the test domains:

Web server: xxxxxxxxxxxxx *edit
Firewall: xxxxxxxxxxxx *edit

These are initially set up as a test.
The firewall is directly accessible, but the web server is not.

Here is another picture of the firewall rule:

Your firewall rule looks incorrect to me.

The source is set to the Firewall itself. That allows traffic that is originating from the firewall system itself to get to your server.

You want traffic from the internet to get to your server.

The source should be set to Standard Networks Any or RED.

See the wiki on Port Forward
https://www.ipfire.org/docs/configuration/firewall/rules/port-forwarding

2 Likes

Hello Adolf,

Here is my current setting based on your suggestion:

Unfortunately this doesn’t work either.
I saw port forwarding in the wiki, but I honestly don’t understand what I should enter there.

The port is possibly the problem.
You may need more than one,
if this is a tunnel from Cloudflare.

Hi @Shaun HVAC

As you can see in the photo above, I have enabled all ports.
Nothing more is possible. If I remove this rule completely, the firewall itself will also not be accessible.

Has no one else had this problem yet? There is nothing to be found in the forum that comes close to a solution.

Thanks for all the thoughts!

What device was this test done from?
I would try this directly from the server.
If there is to be a tunnel from Cloudflare to your server, your server is going to have to initiate this connection, or Cloudflare will never find your server.

This is a cloud based service.

Maybe you could draw a small diagram to show how your network is connected.

Where and how on your system does the cloudflare tunnel get connected?

I see that you have the Firewall Rules policy changed to Blocked for all outgoing traffic.

I would suggest putting the Firewall Rules policy back to the default Allowed status until you have got the web server access to Cloudflare working.

Then once that is known to be working, you can then change the policy to Blocked again and create any firewall rules you identify are needed due to traffic being blocked.

It would probably also be good to look through the logs when you try to make a connection to the web server via Cloudflare and see where the traffic flow is getting blocked.

2 Likes

Hello everyone,

So I have already “partially” solved the problem.

If I change the port of the web server from 80 to XXXX, it works.
Then I don’t need a permission rule in the firewall.
I have to adapt and change all ports; they cannot be standard ports.

According to ShieldsUP!, all firewall ports are safe and secure.

If an error or problem occurs again, I’ll let you know!

I would like to thank everyone! Many many thanks!

1 Like

What is XXXX? Is that a particular port that you’ve chosen, or a group of ports?

Hey,
I set xx everywhere so that my ports wouldn’t be public.

You can assign free ports of your choice.

Best regards

According to ShieldsUP!, all firewall ports are safe and secure.

According to GPT, ShieldsUP only looks for conventional ports.

You should look for unconventional traffic and adopt a strong authentication mechanism.

Regards