Author Topic: NETDefend 800 NAT problem public ip  (Read 11946 times)

hugomartinezq

  • Level 1 Member
  • *
  • Posts: 5
NETDefend 800 NAT problem public ip
« on: November 03, 2009, 11:22:51 AM »

I have a public IP configured on my WAN2 using ARP publish, and I have a NAT to forward all traffic to an internal IP with two rules, SAT and Allow. It is working perfectly with this exception: when I try to reach the public IP from my LAN, I can't see this IP; I can only see it from a computer external to my LAN. How can I make this public IP visible from my LAN?
This is a problem for me because we have a domain linked to the public IP and it doesn't work when I browse it from my LAN.

THANKS FOR THE HELP THAT YOU CAN BRING ME.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #1 on: November 03, 2009, 02:28:45 PM »

Be sure to include your LAN in the source interface and network for your port forwards, say by changing your source to be any/all-nets.
Logged
non progredi est regredi

hugomartinezq

  • Level 1 Member
  • *
  • Posts: 5
Re: NETDefend 800 NAT problem public ip
« Reply #2 on: November 03, 2009, 07:44:44 PM »

I have already checked it and it is as you say. These are the rules configured in my firewall:

1.
NAT:
all_services
source: lan/lannet
destination: wan2/all nets


3.
SAT
all_services
source: any/all nets
destination: wan2/public_web_server_ip
Destination IP: private_web_server_ip

4.
Allow
all_services
source: any/all nets
destination: wan2/public_web_server_ip

If I try to access the public_web_server_ip from another location I can do it, but if I am on the same network the public_web_server_ip doesn't answer.

Thanks

Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #3 on: November 04, 2009, 08:20:25 AM »

Do you get any log entries in the firewall?

How about if you turn on logging for those rules in the firewall?
Logged
non progredi est regredi

hugomartinezq

  • Level 1 Member
  • *
  • Posts: 5
Re: NETDefend 800 NAT problem public ip
« Reply #4 on: November 05, 2009, 01:43:45 PM »

Not yet. I have activated the logging in each rule, and I don't see anything related.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #5 on: November 05, 2009, 02:53:54 PM »

If you have turned logging on and are not seeing anything relevant then there must be no traffic reaching the firewall that would trigger those rules, or other rules are previously listed for that traffic that are being used.
Logged
non progredi est regredi

hugomartinezq

  • Level 1 Member
  • *
  • Posts: 5
Re: NETDefend 800 NAT problem public ip
« Reply #6 on: November 06, 2009, 08:31:11 AM »

OK, there was an error when I activated the logging. I can see logs for these rules when external IPs access my server, but I don't see anything from my LAN, and I still can't access the server from my LAN using the public IP.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #7 on: November 09, 2009, 10:30:22 AM »

Then it sounds like a rule order issue, try making your port forwards the first rules in the list.
Logged
non progredi est regredi

hugomartinezq

  • Level 1 Member
  • *
  • Posts: 5
Re: NETDefend 800 NAT problem public ip
« Reply #8 on: November 13, 2009, 04:36:28 AM »

OK, I fixed it and it works fine, but only with ping. When I ping from my LAN it is translated to the internal IP; however, I can't use the services internally. It seems like a return packet problem. For example:

If I try from my LAN to use ssh using the public IP, it doesn't respond, but if I try from outside my LAN it works perfectly.

It is strange, because if I try a ping it works fine:

ping my_domain.com
PING my_domain.com (230.111.121.85): 56 data bytes
64 bytes from 172.16.1.33: icmp_seq=0 ttl=64 time=1.280 ms
64 bytes from 172.16.1.33: icmp_seq=1 ttl=64 time=1.950 ms

ssh my_domain.com -l user (doesn't work from my LAN)
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #9 on: November 16, 2009, 08:33:49 AM »

If you use NAT for the second rule instead of Allow (at least for the traffic coming from your LAN) then you should see a reply from the public address instead and local services won't get dropped due to the SPI engine.

To confirm, I bet you have a whole lot of no connection for packet ALG drop or similar log entries.
Logged
non progredi est regredi
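
An added example, not part of any post in this thread: a toy Python model of the return-path problem discussed in replies #8 and #9, showing why the Allow rule leaves the LAN client with a reply from the private address while a NAT rule returns it from the public one. The client and firewall LAN addresses are constructed, and it assumes the server sits on the same subnet as the client.

```python
"""Toy model of LAN-to-public-IP (hairpin) access through a SAT rule.
Constructed example: CLIENT and FW_LAN are made-up addresses; PUBLIC and
SERVER are the addresses shown in the ping output in the thread."""
from dataclasses import dataclass

PUBLIC = "230.111.121.85"   # public_web_server_ip (from the thread)
SERVER = "172.16.1.33"      # private_web_server_ip (from the thread)
CLIENT = "172.16.1.50"      # constructed LAN client
FW_LAN = "172.16.1.1"       # constructed firewall LAN address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def firewall_forward(pkt, second_rule, state):
    """Apply SAT (dst rewrite), then Allow or NAT (src rewrite)."""
    out_dst = SERVER if pkt.dst == PUBLIC else pkt.dst
    out_src = FW_LAN if second_rule == "NAT" else pkt.src
    # State entry keyed on what the reply will look like at the firewall.
    state[(out_dst, out_src)] = (pkt.dst, pkt.src)
    return Packet(out_src, out_dst)


def firewall_return(pkt, state):
    """Undo both translations for a reply that matches a state entry."""
    orig_dst, orig_src = state[(pkt.src, pkt.dst)]
    return Packet(orig_dst, orig_src)


def hairpin(second_rule):
    """Return (reply source seen by client, whether TCP would accept it)."""
    state = {}
    syn = Packet(CLIENT, PUBLIC)
    at_server = firewall_forward(syn, second_rule, state)
    reply = Packet(at_server.dst, at_server.src)   # server answers the src it saw
    if reply.dst == FW_LAN:
        reply = firewall_return(reply, state)      # reply goes back via firewall
    # else: same subnet, server delivers straight to the client, bypassing the firewall
    # The client's socket is bound to (CLIENT -> PUBLIC); any other source is no match.
    return reply.src, reply.src == syn.dst


if __name__ == "__main__":
    for rule in ("Allow", "NAT"):
        print(rule, hairpin(rule))
```

With Allow the reply source is 172.16.1.33, the same address the ping output in reply #8 shows, and a TCP client such as ssh does not accept a reply from an address it did not connect to.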

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: NETDefend 800 NAT problem public ip
« Reply #10 on: November 20, 2009, 05:52:30 AM »


3.
SAT
all_services
source: any/all nets
destination: wan2/public_web_server_ip
Destination IP: private_web_server_ip


I suggest trying:

3
SAT
all_services
source: any/all nets
destination:  core/public_web_server_ip
Destination IP: private_web_server_ip


Make the same change for the corresponding Allow rule.
« Last Edit: November 20, 2009, 05:55:24 AM by chechito »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: NETDefend 800 NAT problem public ip
« Reply #11 on: November 23, 2009, 08:32:44 AM »

That is a great change to make, but if we don't have a core route for the IP it will be ineffective.  I was trying to get base functionality up, then worry about making it perfect.
Logged
non progredi est regredi