# ipf firewall



## petko (Jul 14, 2010)

Hello guys,

I'm new to BSD. I installed FreeBSD 8.0-RELEASE machine which is my gateway/router using ipfilter. The standard set up. My problem is that I can not access my website to .21 from my private network, but everywhere else.



```
internet
         | 
         BSD gateway ipfilter    
         | DHCP from ISP
         switch (192.168.0.1/24)  
         |
         web server (192.168.0.21)   
         |
         laptop (192.168.0.22)
```
Some facts:
I can ping, ssh to the server(.21), but I can't telnet which is allow from my firewall.


 netstat -nr from the gateway
Routing tables


```
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            public_ip          UGS         0  5213579    dc0
public_ip/21       link#1             U           0        0    dc0
public_ip          link#1             UHS         0        0    lo0
127.0.0.1          link#4             UH          0     1746    lo0
192.168.5.0/24     link#2             U           1  5857891    dc1
192.168.5.1        link#2             UHS         0        0    lo0
```

cat /etc/ipnat.conf

```
map dc0 192.168.5.0/24 -> public_ip
rdr dc0 public_ip port 80 -> 192.168.5.21 port 80
```

Any ideas are much appreciated. Thank you very much.


----------



## SirDice (Jul 14, 2010)

Traffic from the laptop to the webserver does NOT pass through your router. It's directly connected.


----------



## petko (Jul 15, 2010)

Apologies for the confusion, the laptop is connected to the switch. 


```
internet
           |		
	gateway
	   |
	switch 
        | .. |
      .22   .21
```
I'm suspecting routing issue. On my linux box I have the following:


```
ip route show
192.168.5.20 via 192.168.5.21 dev eth0 
192.168.5.21 via 192.168.5.20 dev eth0 
192.168.5.0/24 dev eth0  proto kernel  scope link  src 192.168.5.20 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.5.1 dev eth0
```


on the webserver (.21)

```
netstat -nr
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.5.1        UGS         1        4    vr0
127.0.0.1          link#5             UH          0        0    lo0
192.168.5.0/24     link#3             U           0      307    vr0
192.168.5.20/32    192.168.5.21       US          1       17    vr0
192.168.5.21       link#3             UHS         0        0    lo0 =>
192.168.5.21/32    192.168.5.20       UGS         0        0    vr0
```
And on the router

```
netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            pub_gateway         UGS         0    10822    dc0
pub_ip/21           link#1             U           0        0    dc0
pub_ip              link#1             UHS         0        0    lo0
127.0.0.1          link#4             UH          0        0    lo0
192.168.5.0/24     link#2             U           1    12440    dc1
192.168.5.1        link#2             UHS         0        0    lo0 =>
192.168.5.1/32     192.168.5.21       UGS         0        0    dc1
192.168.5.21/32    192.168.5.1        US          0        0    dc1
```
I never had to deal with routing before, is this set up makes sense. 

Thank you very much for your time.


----------



## petko (Jul 15, 2010)

Actually I can reach the webserver by the private ip but not with the domain. I double check with the provider of the domain for the DNS setup, they sad is fine. I can access it from different location by domain with no problems, just I can't from my LAN. That is very weird. Thanks.


----------



## fbsd1 (Aug 5, 2010)

Its working the correct way. You can not access another pc by domain name when both are on the private LAN unless you have a LAN DNS server which is over kill in this case.


----------



## SirDice (Aug 5, 2010)

petko said:
			
		

> Apologies for the confusion, the laptop is connected to the switch.


Which means it's directly connected. They're both on the same subnet so they can connect to each other without the use of a router.



> I'm suspecting routing issue.


It isn't. The laptop is able to directly connect to the webserver.


----------



## SirDice (Aug 5, 2010)

petko said:
			
		

> Actually I can reach the webserver by the private ip but not with the domain. I double check with the provider of the domain for the DNS setup, they sad is fine. I can access it from different location by domain with no problems, just I can't from my LAN. That is very weird. Thanks.



No, it isn't. The hostname resolves to your 'external' public internet IP address. The laptop however must connect using the host's 'internal' or LAN address.

You can solve this by either adding the hostname to the laptop's hosts file or set up DNS with a local version of your domain.


----------



## kpa (Aug 5, 2010)

Install dnsmasq from ports and run that on your router. Dnsmasq can easily override the few hostnames you have for LAN clients so that they resolve to internal addresses. It's also a decent DHCP server (not enabled by default).


----------



## petko (Aug 8, 2010)

Thank you very much to all of you. You've been a big help. The issues is resolved. Thank you again.


----------

