
I'm experiencing problems accessing a local server in my LAN via its internet address. Let me explain.
I have a local server, on IP 192.168.1.15, and it's serving http (port 80) (all my computers/servers in my LAN have addresses in the 192.168.1.0/24 range). When I access this server from a computer in the LAN via http://192.168.1.15:80, everything works.
This server is accessible from the internet via NAT (e.g. http://my.server.com:8888). This is working as well, no problem there. However, when I try to access this server from my LAN via this address (http://my.server.com:8888), I'm unable to access it.
When I check the firewall log, it's giving this entry:

[FILTER][Block][LAN/RT/VPN->WAN, 1:23:18 ][@S:R=13:1, 82.84.24.33:58741->192.168.1.15:80][TCP][HLen=20, TLen=52, Flag=S, Seq=1765099532, Ack=0, Win=64240]

Where 82.84.24.33 is my fixed WAN IP. And this is making no sense for me:

LAN/RT/VPN->WAN / 82.84.24.33:58741->192.168.1.15:80  

It looks like the firewall thinks that the 82.84.24.33 is LAN and 192.168.1.15 is WAN....
And another strange thing, there are rules in the firewall to allow traffic LAN->WAN for port 80 (http)... Even in the other direction as well (WAN->LAN).
Only when I set the default rule in the firewall to 'allow' instead of 'block' is it working, but that's obviously no option.
Thanks!

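As an added example (not from the question or any answer), a small Python parser for the Draytek `[FILTER]` log line quoted above that flags the hairpin-NAT pattern the asker describes: source already rewritten to the router's own WAN address, destination already translated to the LAN host, yet evaluated on the LAN->WAN path. The regex is derived from that single sample line and may not match other firmware versions; the second log line is constructed.

```python
import ipaddress
import re

# The [FILTER] line quoted in the question (the only sample the page gives).
SAMPLE_LOG = (
    "[FILTER][Block][LAN/RT/VPN->WAN, 1:23:18 ][@S:R=13:1, "
    "82.84.24.33:58741->192.168.1.15:80][TCP][HLen=20, TLen=52, Flag=S, "
    "Seq=1765099532, Ack=0, Win=64240]"
)

# Constructed line for an ordinary outbound connection (not from the page).
CONSTRUCTED_OUTBOUND = (
    "[FILTER][Pass][LAN->WAN, 1:24:00 ][@S:R=2:1, "
    "192.168.1.20:51000->198.51.100.10:443][TCP][HLen=20, TLen=52, Flag=S, "
    "Seq=1, Ack=0, Win=64240]"
)

# Field layout assumed from the sample line: action, direction, rule id,
# src:port->dst:port, protocol.
LOG_RE = re.compile(
    r"\[FILTER\]\[(?P<action>\w+)\]\[(?P<direction>[^,\]]+),[^\]]*\]"
    r"\[@S:R=(?P<rule>[\d:]+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\]\[(?P<proto>\w+)\]"
)


def parse_filter_log(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry, wan_ip, lan_net):
    """Label a parsed entry relative to the router's WAN IP and LAN prefix.

    'hairpin' means the source is the router's own public address and the
    destination is a LAN host on a ->WAN path, i.e. a LAN client reaching the
    server through its public address after both NAT translations."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    lan = ipaddress.ip_network(lan_net)
    if src == ipaddress.ip_address(wan_ip) and dst in lan \
            and entry["direction"].endswith("->WAN"):
        return "hairpin"
    if src in lan and dst not in lan:
        return "outbound"
    if src not in lan and dst in lan:
        return "inbound"
    return "other"
```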

3 Answers


I have a setup of PFSense working perfectly. I think it's a DNS resolution problem. If you are trying to access the server using the domain name, then make sure your systems resolve the domain name as your external IP address, that is, 82.84.24.33.

Use this command to resolve the hostname:

host my.server.com
  • It resolves correctly. But it seems to be a NAT loopback / hairpin problem somehow. But the Draytek router is supporting this. I think I just need to find the correct firewall rule to allow this traffic. – GunterO Mar 29 '19 at 12:19
  • Try to allow 82.84.24.33 for your local network in WAN rules. – Mohit Malviya Mar 30 '19 at 04:53

Could it be that you try to access your web server from your local LAN with its public domain? The firewall log looks to me as if source port 58741 on 82.84.24.33 is trying to connect to the local address 192.168.1.15:80.

If you want to reach your local server with the public domain, you have to add the FQDN to your local DNS server but with your local address. So if you look up the FQDN locally you'll get 192.168.1.15, and you get the external IP from a public DNS like Google.

Another problem may be some virtual host on your web server. Maybe you could provide more information on which one you are using and which operating system you are using.

  • "If you want to reach your local Server with the public domain you have to add the FQDN to your local DNS-Server but with your local address. So if you lookup the FQDN locally you'll get 192.168.1.15 and you get the external IP from a public DNS like google." Well, this would be a solution, if there wasn't a port difference. On the WAN side it's 8888 and on the LAN side it's 80. So a local DNS won't fix that, I'm afraid. – GunterO Mar 29 '19 at 12:21

It might be a firmware issue with the default 'block' rule, because when I create 3 new general blocking rules at the end of the rule list (WAN->LAN, LAN->WAN & LAN->LAN) and set the default rule to 'allow', it is working...
And those 3 rules are working, because logging is enabled on those 3 rules, and they are clearly blocking all kinds of unwanted traffic.
