Hello Community!
I have an age-old problem with trying to reach a local website on my local network, but something is very wrong and I haven't quite put my finger on it. I have a local LAMP server at 192.168.1.13 which is Debian and hosts my website; all packages are up to date. This is reachable from outside of my network and works wonderfully, but it is completely inaccessible from the internal network, even if I attempt to use http://192.168.1.13. I'm at a total loss. I obviously want to maintain its perfect presence on the world wide web, but I also want to be able to access it internally by using the URL. When I do an nslookup from a Windows box I get the correct WAN IP, and tracert is 1 hop to, again, the correct IP. When browsing to it, however, I get the error message "Oops! Google Chrome can not connect to www.duvrazh.net." For config purposes, the port forwards are disabled right now. Please help me solve this crisis!
Here are my Debian iptables on the web server.
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-apache-myadmin tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-apache-w00tw00t tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-exim tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
fail2ban-php-url-fopen tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-nohome tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-badbots tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-apache-noscript tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-webmin tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 10000,20000
fail2ban-apache-overflows tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-ssh-ddos tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-pam-generic tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-badbots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-myadmin (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-nohome (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-w00tw00t (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-exim (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pam-generic (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-php-url-fopen (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-webmin (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Now this is all behind pfSense 2.1-Release, with the following firewall rules. I have two WAN addresses, which I've masked to 123.123.123.90 and 123.123.123.94. You will also see some specific rules mentioning 204.204.204.204; that is just me allowing RDP from my day-job location. Here is the mostly unfiltered output of pfctl -sa:
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em1 inet from 192.168.1.0/24 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 10.24.0.0/24 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 127.0.0.0/8 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 0.0.0.0 port= isakmp to any port= isakmp -> 123.123.123.94 port 500
nat on em1 inet from 192.168.1.0/24 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 10.24.0.0/24 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 127.0.0.0/8 to any -> 123.123.123.94 port 1024:65535
nat on em1 inet from 0.0.0.0 to any -> 123.123.123.94 port 1024:65535
nat on em2 inet from 192.168.1.0/24 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 10.24.0.0/24 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 127.0.0.0/8 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 0.0.0.0 port= isakmp to any port= isakmp -> 123.123.123.90 port 500
nat on em2 inet from 192.168.1.0/24 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 10.24.0.0/24 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 127.0.0.0/8 to any -> 123.123.123.90 port 1024:65535
nat on em2 inet from 0.0.0.0 to any -> 123.123.123.90 port 1024:65535
no nat on em0 inet proto tcp from 192.168.1.1 to 192.168.1.245 port= 3389
nat on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.245 port= 3389 -> 192.168.1.1 port 1024:65535
no nat on em0 inet proto tcp from 192.168.1.1 to 192.168.1.43 port= 3389
nat on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.43 port= 3389 -> 192.168.1.1 port 1024:65535
no nat on em0 inet from 192.168.1.1 to 192.168.1.13
nat on em0 inet from 192.168.1.0/24 to 192.168.1.13 -> 192.168.1.1 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on em1 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on em0 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on openvpn inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on WANgroup inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42196 -> 192.168.1.245 port 3389
rdr on em1 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on em0 inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on openvpn inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr on WANgroup inet proto tcp from 204.204.204.204 to 123.123.123.94 port= 42199 -> 192.168.1.43 port 3389
rdr-anchor "miniupnpd" all
rdr on em0 inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
rdr on openvpn inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
rdr on WANgroup inet from any to 123.123.123.90 -> 192.168.1.13 bitmask
binat on em2 inet from 192.168.1.13 to any -> 123.123.123.90
FILTER RULES:
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echo rep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port= 0 to any
block drop quick inet proto tcp from any to any port= 0
block drop quick inet proto udp from any port= 0 to any
block drop quick inet proto udp from any to any port= 0
block drop quick inet6 proto tcp from any port= 0 to any
block drop quick inet6 proto tcp from any to any port= 0
block drop quick inet6 proto udp from any port= 0 to any
block drop quick inet6 proto udp from any to any port= 0
block drop quick from
I realize that's enough information to make your head spin, so additionally here are screenshots of the pages, just in case there is a web UI expert out there who can help but is less familiar with the command line (like me - less familiar, not an expert at all).
Gateways - just in case...
Firewall rules on the public interface that I want to 1:1 NAT to the webserver.
My LAN firewall rules, for what they're worth.
Here is the 1:1 NAT that I configured to supposedly allow direct access to the server, because apparently port forwarding is taboo.
Also, when attempting to follow guides found on Google, I get this error about adding a virtual IP of the public IP address x.x.x.90:
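A check that separates the three layers this post is juggling (name resolution on the LAN client, the path from the LAN to the server, and Apache itself) before any more firewall rules are changed. This is an added example, not code from the post or from pfSense or Apache. It probes the server by IP with an explicit Host header, so the virtual host is exercised without relying on DNS, and then compares the result of probing the LAN address against the address the name actually resolves to. The verdict labels, the constructed public address 203.0.113.10 and the throwaway local HTTP server (which stands in for the LAMP box so the script runs offline) are this example's own assumptions.

```python
"""Client-side reachability check that separates DNS, NAT-reflection and
web-server problems. Added example; not code from the post or from pfSense."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_probe(ip, host_header, port=80, timeout=3.0):
    """Open a TCP connection straight to ip:port and send a minimal HTTP/1.1 HEAD
    request carrying an explicit Host header. Returns the HTTP status code, or
    None if the connection or the response fails. Supplying the Host header by
    hand is the point: the Apache vhost is exercised without consulting DNS, so
    a failure here is the server or the path to it, not name resolution."""
    request = (f"HEAD / HTTP/1.1\r\nHost: {host_header}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            status_line = b""
            while not status_line.endswith(b"\r\n"):
                byte = sock.recv(1)
                if not byte:          # peer closed before sending a status line
                    return None
                status_line += byte
        parts = status_line.decode("ascii", "replace").split()
        if len(parts) < 2 or not parts[0].startswith("HTTP/"):
            return None
        return int(parts[1])
    except (OSError, ValueError):
        return None


def classify(resolved_ip, lan_ip, by_lan_ip, by_resolved_ip):
    """Turn the two probe results into a verdict about which layer to look at.
    The verdict labels are this example's own, not pfSense terminology."""
    if by_lan_ip is None:
        # Even the LAN address fails: look at Apache or the host firewall, not the edge.
        return "server-or-host-firewall"
    if resolved_ip == lan_ip:
        # Split DNS is in place; the name already points at the LAN address.
        return "ok" if by_resolved_ip is not None else "unexpected"
    if by_resolved_ip is None:
        # LAN clients are sent to the public address and nothing hairpins it back:
        # a DNS host override for the name, or NAT reflection on the firewall, is the fix.
        return "needs-split-dns-or-nat-reflection"
    return "ok-via-reflection"


def diagnose(hostname, lan_ip, port=80):
    """Resolve hostname the way this client does, probe the server by its LAN
    address and by the resolved address, and return (resolved_ip, verdict)."""
    try:
        resolved_ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        resolved_ip = None
    by_lan_ip = http_probe(lan_ip, hostname, port)
    by_resolved_ip = http_probe(resolved_ip, hostname, port) if resolved_ip else None
    return resolved_ip, classify(resolved_ip, lan_ip, by_lan_ip, by_resolved_ip)


class _HeadOkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the LAMP box: answers every HEAD with 200."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo silent
        pass


def demo_against_local_server():
    """Offline demonstration: a throwaway server on 127.0.0.1 plays the reachable
    LAN address, and a deliberately closed port plays the public address that
    nothing reflects back. Returns (status_via_lan, status_via_public, verdict)."""
    server = HTTPServer(("127.0.0.1", 0), _HeadOkHandler)
    lan_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Grab a free port and release it so the second probe meets a closed socket.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        via_lan = http_probe("127.0.0.1", "www.example.test", lan_port)
        via_public = http_probe("127.0.0.1", "www.example.test", closed_port)
    finally:
        server.shutdown()
        server.server_close()
    # 203.0.113.10 is a constructed (documentation-range) public address.
    verdict = classify("203.0.113.10", "127.0.0.1", via_lan, via_public)
    return via_lan, via_public, verdict


if __name__ == "__main__":
    print(demo_against_local_server())
    # Real use from a LAN client, with the hostname and LAN address from the post:
    # print(diagnose("www.duvrazh.net", "192.168.1.13"))
```

Run it on a LAN client with diagnose("www.duvrazh.net", "192.168.1.13"): a verdict of "server-or-host-firewall" means the box itself is not answering on its LAN address, which matches the post's report that http://192.168.1.13 also fails and points at Apache's Listen/vhost configuration or the host before the pfSense rules; "needs-split-dns-or-nat-reflection" means the server is fine and only the hairpin path through the public address is missing. The same probe can be done by hand with curl --resolve, which likewise pins the hostname to a chosen IP.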