5268AC Firewall not configuring correctly?

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
19 posts Page 1 of 2
by kbruner » Tue Oct 13, 2015 11:46 pm
I have the 5268AC, and seem to be unable to host my web server!

Here are my firewall settings:

MacMini
Connection Type: Wireless (802.11)
IP Address: 192.168.42.64
IP Address Allocation: DHCP
IP Address Type: Private (NAT)
Hardware Address: 28:cf:da:06:7a:6f
Status: On

Allowed Applications   Application Type   Protocol   Port Number(s)   Public IP
MyWebServer            -                  tcp        80               AAA.BBB.CC.DD (real IP address here)
Internally, if I go to 192.168.42.64 I get my test web page!

However, if I go to AAA.BBB.CC.DD I get connection refused!

All this was working fine before I upgraded to the bonded DSL.

What am I missing here?

-Kevin
by pockyken007 » Wed Oct 14, 2015 9:27 am
Looks like your DNS settings might be messed up.
by dherr » Wed Oct 14, 2015 10:20 am
Hmm...

Most firewalls will silently drop packets that are not allowed. This is a refusal, so it is more likely that it is getting thru whichever firewall. If the DNS is not pointing to the correct IP then I would not guess on a refusal like this. It looks more like the web server is not listening. Either not turned on or not listening to the correct IP/interface/port.
by pockyken007 » Wed Oct 14, 2015 11:58 am
dherr wrote: Hmm...

Most firewalls will silently drop packets that are not allowed. This is a refusal, so it is more likely that it is getting thru whichever firewall. If the DNS is not pointing to the correct IP then I would not guess on a refusal like this. It looks more like the web server is not listening. Either not turned on or not listening to the correct IP/interface/port.

You think TCP/IP settings, dherr?
by dherr » Wed Oct 14, 2015 12:25 pm
I don't know what the web server is running on, but I was thinking that he needs to check as such...

If it were on many flavors of Unix/Linux:
netstat -na |grep LIST |grep 80

My host running a web server shows:
tcp 0 0 192.168.10.4:80 0.0.0.0:* LISTEN

So it is not listening on localhost, IPv6 or any of the IPs I get when testing the VPN clients. So in my case I would find the web service not working if I switched over to the Pace default LAN of 192.168.1.x, for example.

I am also running iptables as a client level firewall but if I forgot to open that then the test would not show "refused" but just dropped for my setup.

But he really should verify your point about DNS first, as that may just be the issue. :)
by Guest » Wed Oct 14, 2015 1:03 pm
I'm not sure this is a DNS issue, since I'm using only raw IP addresses; there should be no DNS required at all (no domain names used, therefore no domain names to be resolved). Am I missing something?
by dherr » Wed Oct 14, 2015 1:06 pm
What does the MacMini say to:

netstat -na |grep LIST |grep 80

EDIT:
But you did say:

"Internally, if I go to
192.168.42.64
I get my test web page!"

So yes, of course you are listening. For the Pace 5031nv it has been needed to do a factory reset sometimes to get things to work properly. Perhaps your router has a similar issue.
by Guest » Thu Oct 15, 2015 8:56 am
Alright, new info!

Interestingly enough, everything works OUTSIDE of the intranet.

If I'm out in the real world, I can browse to AAA.BBB.CC.DD and I'm served my content!

So what I am trying to accomplish is browsing to AAA.BBB.CC.DD from inside my home network, which appears to be the only aspect that isn't working.
by pockyken007 » Thu Oct 15, 2015 9:54 am
Guest wrote: Alright, new info!

Interestingly enough, everything works OUTSIDE of the intranet.

If I'm out in the real world, I can browse to AAA.BBB.CC.DD and I'm served my content!

So what I am trying to accomplish is browsing to AAA.BBB.CC.DD from inside my home network, which appears to be the only aspect that isn't working.

This is a common problem with the way some routers handle traffic meant for their public address from an internal address - they don't follow the same port forwarding rules as requests from outside the network. What you need to look for in your routers is NAT reflection. This will allow the router to handle internal requests for the public IP to use the same port forwarding rules as if the request came from outside the network.
by dherr » Thu Oct 15, 2015 9:55 am
I see that pockyken007 slipped in with another name for it....

Ah, I should have considered that. This would be a failure in "Hairpin NAT". There is a recent thread about it with the Pace 5031nv. In that case it used to work but a firmware update broke it.

Various ways to fix it.

- Wait for a vendor fix. Sonic might already have one.
- Use bridge/passthru/DMZ/whatever with another router sitting behind your 5268AC.
- Use a host table entry to direct domain.com to 192.168.42.64 instead of your public IP. (my first choice)

Might also be possible to add a routing rule to point that public IP to your local NIC.
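To make the hairpin NAT / NAT reflection failure that pockyken007 and dherr describe concrete, here is an added toy model of the router's NAT decision (example code, not from the thread or the 5268AC firmware). It uses the thread's LAN addresses; the gateway address 192.168.42.1 and the public address 203.0.113.10 are constructed placeholders standing in for the poster's AAA.BBB.CC.DD, and it also shows why a working hairpin needs source NAT as well as the port forward.

```python
# Added example (not from the forum thread): a toy model of the router's
# NAT decision, showing why a LAN client reaching its own public IP fails
# unless the router applies hairpin NAT (NAT reflection).
from dataclasses import dataclass, replace
from typing import Optional

LAN_NET = "192.168.42."
ROUTER_LAN_IP = "192.168.42.1"   # assumed gateway address (constructed)
PUBLIC_IP = "203.0.113.10"       # constructed placeholder for AAA.BBB.CC.DD
WEB_SERVER = "192.168.42.64"     # the MacMini from the thread
PORT_FORWARDS = {("tcp", 80): (WEB_SERVER, 80)}  # the "MyWebServer" rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_NET)


def router_translate(pkt: Packet, hairpin: bool) -> Optional[Packet]:
    """Return the packet as forwarded onto the LAN, or None when the router
    answers it itself (for a port nothing listens on, that is a TCP RST:
    the 'connection refused' the original poster saw)."""
    if pkt.dst != PUBLIC_IP:
        return pkt  # ordinary routed traffic, not modelled here
    rule = PORT_FORWARDS.get((pkt.proto, pkt.dport))
    if rule is None:
        return None  # no forward rule: router's own stack answers
    fwd_ip, fwd_port = rule
    if not is_lan(pkt.src):
        # WAN origin: plain DNAT; the reply naturally returns via the router.
        return replace(pkt, dst=fwd_ip, dport=fwd_port)
    if not hairpin:
        # LAN origin without NAT reflection: the forward rule only applies
        # to WAN-side traffic, so the router itself answers on port 80.
        return None
    # Hairpin NAT: DNAT to the server AND SNAT the source to the router, so
    # the server's reply flows back through the router (which un-NATs it)
    # rather than straight to the client, which would discard an answer
    # from 192.168.42.64 when it expects one from the public IP.
    return replace(pkt, dst=fwd_ip, dport=fwd_port, src=ROUTER_LAN_IP)


def reaches_web_server(src: str, hairpin: bool) -> bool:
    out = router_translate(Packet(src, PUBLIC_IP, "tcp", 80), hairpin)
    return out is not None and out.dst == WEB_SERVER
```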