# Changed Web Server Static IP, then ERR_CONNECTION_REFUSED



## JLAIP (Jan 21, 2022)

After changing our old freebsd web server's static IP today, no one's able to browse to our website--either via the server's IP or our domain name. Firefox returns:
_<IP or domain> refused to connect (ERR_CONNECTION_REFUSED)_
I AM able to ping the server (and I'm able to ping yahoo, google or our domain from the server), so I'm guessing there's another conf file on the server containing our old IP that needs to be updated, but I've no idea what/where that is? Port 80 appears to be blocked at the server:
```
--- reading URL <new IP address>
--- contacting host [<new IP address>] on port 80
--- error: connection was rejected
```

Details...
1) I modified the following two lines in /etc/rc.conf:

```
ifconfig_vr0="inet <new IP> netmask <new netmask>"
defaultrouter="<new router IP>"
```

Then...

```
# /etc/rc.d/netif restart && /etc/rc.d/routing restart
```

2) After updating A Records for our domain's new static IP, an IP Lookup of our domain name returns the new IP, and a DNS Lookup of our domain name returns the correct new IP. So I know the updated A Records have begun to propagate.

3) Email is working. I can send/receive without issues.

I also rebooted the server just to be sure, but, otherwise, that's it.
Can someone tell me what I'm missing?
Many thanks in advance.


----------



## jbo (Jan 21, 2022)

Which webserver are you running?

Usually the webserver's host configuration would reflect the IP address/interface that it is listening on.
For example, www/nginx config snippet:

```
server {
    listen 192.168.7.173:80;

    ....
}
```
Make sure that the web server config is adapted to listen on that new IP address.

You can run `sockstat -4 -l` to see all active listeners on your interface(s).
For example:

```
root@yourhost:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      10439 6  tcp4   192.168.7.173:80      *:*
www      nginx      10437 6  tcp4   192.168.7.173:80      *:*
www      nginx      10436 6  tcp4   192.168.7.173:80      *:*
www      nginx      10435 6  tcp4   192.168.7.173:80      *:*
root     nginx      10434 6  tcp4   192.168.7.173:80      *:*
root     sendmail   10426 4  tcp4   192.168.7.173:25      *:*
```
This can help to narrow down the problem.
You might also want to check/ensure that the firewall passes traffic on the respective port (apparently 80 in your case) through that interface (in case the firewall config would specify an IP rather than an interface).
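A quick way to apply the listener check above without reading the `sockstat` columns by eye, as an added example that is not from the thread: it parses `sockstat -4 -l` output (a constructed sample below, with httpd bound to an explicit address) and reports which listener, if any, covers a given address on a given port. A `*` bind covers every address; an explicit bind to the old address keeps answering on the old one only, which from the outside looks exactly like "connection refused" on the new one.

```python
"""Check whether a service is bound to the address clients will actually use.

Added example (not from the thread): parses sockstat(1) -4 -l output and
reports which listeners cover a given IP:port, either through an exact
bind or a wildcard (*) bind, and which are still bound to the old address.
"""
from typing import List, Set, Tuple

# Constructed sample in the layout of `sockstat -4 -l` on FreeBSD: httpd bound
# to a specific (old) address, sendmail and sshd on the wildcard.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      10439 6  tcp4   192.0.2.10:80         *:*
root     httpd      10434 6  tcp4   192.0.2.10:80         *:*
root     sendmail   10426 4  tcp4   *:25                  *:*
root     sshd       812   4  tcp4   *:22                  *:*
"""


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (command, local_ip, local_port) for each tcp4 listener line."""
    listeners = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 6 or fields[4] != "tcp4":
            continue
        ip, _sep, port = fields[5].rpartition(":")
        listeners.append((fields[1], ip, int(port)))
    return listeners


def who_listens(text: str, port: int, new_ip: str) -> List[str]:
    """Commands whose bind covers new_ip:port.

    A wildcard bind ('*') covers every address on the host; an explicit bind
    covers only that address, which is what silently breaks after an IP change.
    """
    covering: Set[str] = {cmd for cmd, ip, p in parse_listeners(text)
                          if p == port and ip in ("*", new_ip)}
    return sorted(covering)


def stale_binds(text: str, old_ip: str) -> List[Tuple[str, int]]:
    """Listeners still bound to the old address; each needs its config updated."""
    return sorted({(cmd, p) for cmd, ip, p in parse_listeners(text) if ip == old_ip})


if __name__ == "__main__":
    # Usage on a workstation: paste the server's output on stdin.
    #   sockstat -4 -l | python3 check_listeners.py 80 <new IP>
    import sys
    port, new_ip = int(sys.argv[1]), sys.argv[2]
    text = sys.stdin.read()
    print("listeners covering %s:%d: %s" % (new_ip, port, who_listens(text, port, new_ip) or "none"))
```

Running it over real output answers the first question in the thread directly: if `who_listens(..., 80, <new IP>)` comes back empty while `stale_binds(..., <old IP>)` lists httpd, the web server config (nginx `listen`, Apache `Listen`/`VirtualHost`) still names the old address; if httpd shows up as covering the new address, the daemon is fine and the problem is in front of it.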


----------



## JLAIP (Jan 21, 2022)

Thanks for the quick response. I apologize for my naivete (I used to know most of this....really), but I haven't worked in 'BSD for 20 years and my skills are poor.

I honestly can't remember how to check the apache version, but I think it's probably apache1.something. I've tried _httpd -v_, but "Command not found".
But here's a screenshot of the output from sockstat...


----------



## jbo (Jan 21, 2022)

Well now we have a problem because I haven't used apache in the last 20 years  (not really 20 but was fun to say)

According to the output of `sockstat` that you showed, apache is running and configured to listen on ALL interfaces (note the wildcard).
As I understand from your first post, you are able to reach the server over the new IP. That is correct, right?
That would leave the firewall configuration as the most probable cause of issues. That would also align with the fact that the connection is being rejected.

You'd need to figure out which firewall you're using. On FreeBSD that would typically be PF, IPFW or something else I can't recall.
I'd assume that /etc/rc.conf would have some firewall config/setup going on which would tell you which firewall you're running. Alternatively, ps(1) would help.
Check the firewall configuration. Ensure that traffic on port 80 on that interface is allowed to pass.

At this point it might be helpful to post the contents/output of:

/etc/rc.conf
`ifconfig`
Your firewall configuration (whatever file that may be)


----------



## JLAIP (Jan 21, 2022)

Yes, I AM able to ping the server via the new IP. Interestingly, I also just verified that I AM able to use a Windows-based ftp program to SSH into our email server (which is separate from the web server -- connected to it via ethernet) by way of the domain name. So the bottleneck is definitely within the web server.

I think the firewall's pf, which appears to be the case based on the output of /etc/rc.conf.
Again, I have NOT changed ANYTHING (including firewall configs) other than /etc/rc.conf between the time the web server was working (yesterday, with our old IPs) and today, with the new IPs. Hopefully, these will help..


----------



## JLAIP (Jan 21, 2022)

Here's a snippet of the last few entries in the pf log....


----------



## JLAIP (Jan 21, 2022)

It looks like I'm also running ipfw because I have an /etc/ipf.rules that we use to limit server logins to a single IP (my home PC connection), which I change regularly (and update /etc/ipf.rules with each change).
But, again, I doubt that's the problem (unless one or both of the firewall conf files contains our old IP address) because the server's been running that way for years.

Here's the output of a web scan of the server's primary ports...
```
--- performing Server Scan on "<new IP>", please wait...
--- contacting server [<new IP>]

--- HTTP: (80)
(connection refused)

--- POP3: (110)
+OK Qpopper (version 4.0.9) at pitcher.<domainname> starting.  <3182.1642733645@pitcher.<domainname>

--- SMTP: (25)
(connection refused)

--- IDENT: (113)
(connection refused)
--- Server Scan completed
```


----------



## JLAIP (Jan 21, 2022)

Here's a question: Could the new modem/router the ISP installed along with our new IP be set to block port 80 by default?
I DID ask the tech, but he said, "It should be wide open, but if there's a specific port you need, let me know and I'll check it".


----------



## jbo (Jan 21, 2022)

JLAIP said:


> Here's a question: Could the new modem/router the ISP installed along with our new IP be set to block port 80 by default?


I just wanted to post that exact same question.


----------



## JLAIP (Jan 21, 2022)

Like minds...
I'm logged into the modem, but I don't have the username/password to get in and check to see if port 80's blocked. So I've emailed the tech who installed the modem (he left his card for just this reason) and asked him to login and let me know what he finds.

In the meantime, based on the last few screenshots I posted, does everything look copasetic to you? Just trying to prepare for my next move in case the tech reports no blocked ports tomorrow....


----------



## SirDice (Jan 21, 2022)

JLAIP said:


> but I think it's probably apache1.something


If it's truly Apache 1.3 then leave the host offline. Seriously. That version expired more than 10 years ago. So your FreeBSD install is probably just as old, I'm guessing release 6, maybe 7. Both ancient versions and have been end-of-life for a long time.

www/apache13

Unsupported FreeBSD Releases (www.freebsd.org)


----------



## JLAIP (Jan 21, 2022)

SirDice said:


> If it's truly Apache 1.3 then leave the host offline. Seriously. That version expired more than 10 years ago. So your FreeBSD install is probably just as old, I'm guessing release 6, maybe 7. Both ancient versions and have been end-of-life for a long time.


It's definitely old, but it's what we've got and suggesting that we dump the lot isn't helpful. I certainly would never say something as dismissive as that to you.


----------



## SirDice (Jan 21, 2022)

Not dumping the lot, migrate it to a recent, and supported, version and put that back online. This host is not only a high risk danger to your own infrastructure, it also affects the overall security of everyone else that's connected to the internet (your platform will get abused to attack other hosts).


----------



## jbo (Jan 21, 2022)

JLAIP said:


> It's definitely old, but it's what we've got and suggesting that we dump the lot isn't helpful. I certainly would never say something as dismissive as that to you.


I assure you that SirDice has only the best of intentions on his mind.
Could you elaborate how/why you perceived his post as dismissive? You're coming to this forum asking for help. You are apparently running some very, very old & outdated software which has been EOL'd a long time ago. The suggestion provided is pretty much the best in terms of help you can get/expect.
Other than in respect of your own security it's also very bad practice to leave a machine like this connected to the internet as it can (and most likely will) definitely end up in a bot net or similar used to attack other systems.
Leaving a system like this connected to the internet will not motivate any decent sysadmin to help you with your "actual" issue.

For historic reasons, can you provide the output of `uname -a`?

Something else I meant to mention yesterday: If you need to post information (eg. the content of a file) rather than taking photographs you can also just netcat to termbin.com. It's a simple pasting service.
Pasting a file:

```
cat /etc/rc.conf | nc termbin.com 9999
```
That will post the contents of /etc/rc.conf and return the URL on the console. You can then navigate to that URL on a web browser and copy-paste into the forum here.
This of course only works assuming your host has a working internet connection (which seems to be the case here).
I hope that's gonna save you some pain in the future


----------



## Geezer (Jan 21, 2022)

JLAIP said:


> It's definitely old, but it's what we've got and suggesting that we dump the lot isn't helpful. I certainly would never say something as dismissive as that to you.



If you have not updated a system for ten odd years, then it is you who have already 'dumped' it.


----------



## JLAIP (Jan 21, 2022)

Geezer said:


> If you have not updated a system for ten odd years, then it is you who have already 'dumped' it.


The system was running just fine prior to the IP changeover. And I still use a flip-phone, too. If it ain't broke.


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> Could you elaborate how/why you perceived his post as dismissive?


"If it's truly Apache 1.3 then leave the host offline. Seriously."


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> Other than in respect of your own security it's also very bad practice to leave a machine like this connected to the internet as it can (and most likely will) definitely end up in a bot net or similar used to attach other systems.
> Leaving a system like this connected to the internet will not motivate any decent sysadmin to help you with your "actual" issue.
> 
> For historic reasons, can you provide the output of `uname -a`?


4.11.
I'm aware of the system's age and, therefore, unpopularity. However, we have a number of custom scripts running on it that will likely not run on current kernels; and, based on previous experience, I lack the time, experience, confidence and 'BSD skillset to migrate the current system's goods onto a new one. So whilst I'm aware of the many shortcomings of the server, I'm also aware that, prior to the IP changeover, it was running quite well and I can see little good to be gained by risking the life of an otherwise healthy patient to administer preventative medicine. If there's now a requirement that only those running approved OS's can request help here, just say the word and I'll not inconvenience anyone here further.


----------



## SirDice (Jan 21, 2022)

JLAIP said:


> However, we have a number of custom scripts running on it that will likely not run on current kernels


That is highly unlikely. You may need to tweak a few things here or there but overall the scripts should work just fine on a modern version. 



JLAIP said:


> I lack the time, experience, confidence and 'BSD skillset to migrate the current system's goods onto a new one.


This is the real issue here. Not the age of the system, or the potential migration issues. 



JLAIP said:


> If there's now a requirement that only those running approved OS's can request help here


This isn't anything "new". We've had the Forum Rules and Guidelines (REQUIRED READING) section from the start of the forums.

Topics about unsupported FreeBSD versions


----------



## VladiBG (Jan 21, 2022)

check the `ipfw list`

In your rc.conf you have pf_enable which is for pf firewall and also ipfilter_enabled. So check your pf rules. You are not using IPFW but ipf (IPFilter)


----------



## jbo (Jan 21, 2022)

JLAIP said:


> However, we have a number of custom scripts running on it that will likely not run on current kernels;


One of the major reasons why I personally like (Free)BSD is exactly that: Stuff doesn't just change. Unlike other popular (server) operating systems, you can look at documentation from 10 or 20 years ago and it's still applicable. The same applies to software utilities. The system architecture is pretty static (I don't mean that in a bad way) and the kernel & surrounding system (world) are tightly coupled. There is no such thing as changing the init system two times a year or similar shenanigans. The same applies to the overall kernel (& kernel interfaces). You should be able to upgrade the system / migrate your custom stuff to a new FreeBSD version with ease compared to other operating systems.


----------



## drhowarddrfine (Jan 21, 2022)

JLAIP  If I'm guessing correctly, your page involves <frameset> (which is also many years obsolete) and is trying to load the index page from somewhere else. That is where the error occurs. Look into that. Your server is being accessed just fine.


----------



## jbo (Jan 21, 2022)

JLAIP said:


> And I still use a flip-phone, too. If it ain't broke.


There is nothing wrong with using a Flip-Phone I'd say. There is also nothing wrong with using "old" server Hardware. This is about software & security.



JLAIP said:


> "If it's truly Apache 1.3 then leave the host offline. Seriously."


You've now posted publicly that your site is down. Together with your username & profile picture it's easy to guess which one that is, and that no "usable" website is currently being served. You've disclosed publicly an internet-facing host with information regarding the software you're running (outdated Apache, outdated OS) together with the information on how to reach it. You're just asking for trouble at this point (this is not a threat). Hence the advice of SirDice to just take it offline, which I assure you is in your best interest to follow.



> Look into that. Your server is being accessed just fine.


That is actually correct. The favicon is being served just fine (200).


----------



## JLAIP (Jan 21, 2022)

SirDice said:


> This isn't anything "new". We've had the Forum Rules and Guidelines (REQUIRED READING) section from the start of the forums.
> Topics about unsupported FreeBSD versions


I read the forum rules when I joined.

From the link you posted...
"...we strongly _encourage_ [my emphasis] users asking for help with these version to upgrade to a _supported_ FreeBSD version _before anything else_, because it is quite likely that your problem is actually caused by running an outdated version....If you are not at liberty to upgrade to a supported version, you may still receive a reply to your question, but you must be prepared for continuous pressure from fellow users and forums staff to upgrade to a supported version."

In this case, the "outdated version" has nothing to do with the issue I'm seeking assistance with. I reckon I'd have exactly the same problem with the current/latest kernel. But I came for help, not to argue.


----------



## SirDice (Jan 21, 2022)

jbodenmann said:


> There is also nothing wrong with using "old" server Hardware. This is about software & security.


Exactly. I have systems that are many years old (technically they've been written off a long time ago), they still work fine with a modern FreeBSD version on it. 



JLAIP said:


> In this case, the "outdated version" has nothing to do with the issue I'm seeking assistance with.


Read the next paragraph. 



> *We prefer not to encourage any further use of these unsupported versions.* If you are not at liberty to upgrade to a supported version, you may still receive a reply to your question, but *you must be prepared for continuous pressure from fellow users and forums staff to upgrade to a supported version.* Moreover, some users may not feel like participating in topics that deal with unsupported versions at all. So be prepared for a lack of replies.


----------



## JLAIP (Jan 21, 2022)

drhowarddrfine said:


> If I'm guessing correctly, your page involves <frameset> (which is also many years obsolete) and is trying to load the index page from somewhere else. That is where the error occurs. Look into that. Your server is being accessed just fine.


I appreciate the input, but that has nothing to do with the problem I'm having.


----------



## drhowarddrfine (Jan 21, 2022)

JLAIP I think that the reported error in the browser developer tools, that it can't load the frame, has everything to do with the problem you're having.


----------



## JLAIP (Jan 21, 2022)

VladiBG said:


> check the `ipfw list`
> 
> In your rc.conf you have pf_enable which is for pf firewall and also ipfilter_enabled. So check your pf rules. You are not using IPFW but ipf (IPFilter)


Whichever firewalls we're running, which of the firewall config files include the server's static IPs?


----------



## JLAIP (Jan 21, 2022)

drhowarddrfine said:


> JLAIP I think that the reported error in the browser developer tools, that it can't load the frame, has everything to do with the problem you're having.


What frame are you referring to?


----------



## drhowarddrfine (Jan 21, 2022)

```
<html><head><title>JOHNLENNONPROJECT.COM</title><meta name="keywords" content=""></head><frameset rows="100%", *" border="0" frameborder="0"><frame src="http://triumphpc.com/john-lennon-project/" name="JOHNLENNONPROJECT.COM"></frameset></html>
```


----------



## VladiBG (Jan 21, 2022)

Use /etc/ipf.rules to edit the ipf rule set, or use `ipfstat -io` to display the current input/output rules. When you are sure that the firewall is allowing the port 80 traffic, check the apache access log.


----------



## JLAIP (Jan 21, 2022)

drhowarddrfine said:


> ```
> <html><head><title>JOHNLENNONPROJECT.COM</title><meta name="keywords" content=""></head><frameset rows="100%", *" border="0" frameborder="0"><frame src="http://triumphpc.com/john-lennon-project/" name="JOHNLENNONPROJECT.COM"></frameset></html>
> ```


The only code on the web server that's changed between the time it last worked and now (when it doesn't) is the IP address changes made to /etc/rc.conf. Why do you think the cause of the "ERR_CONNECTION_REFUSED" is a frameset?


----------



## SirDice (Jan 21, 2022)

If firewalls are causing it I would expect to see a 'connection timed-out' error due to the firewall dropping the traffic. Connection _refused_ means you are receiving a RST in response to a SYN. In other words, the port is closed. Traffic is most likely not being dropped by a firewall. There's simply nothing listening on that port.
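To put the distinction in that post into testable form, an added example that is not from the thread: a small TCP connect probe that reports `refused` when the target answers the SYN with a RST, `filtered` when nothing answers before the timeout, and `open` when the handshake completes. One caveat for this particular thread: pf and IPFilter can both be told to answer with a RST instead of dropping silently (pf `block return`, ipf `block return-rst`), so `refused` rules out a silent drop but does not by itself rule out a firewall that talks back. The `demo()` function only exercises loopback, so it can show `open` and `refused`; seeing `filtered` needs a real filtering hop.

```python
"""Classify what a TCP connect attempt is telling you.

Added example, not from the thread. ECONNREFUSED means a host received the
SYN and answered with a RST: nothing is listening there, or a firewall on
the path is configured to reject rather than drop. A timeout means the SYN
got no answer at all, typical of a dropping firewall or a router that is
not forwarding the port.
"""
import errno
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (RST), 'filtered' (no reply) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"      # no route, or ICMP unreachable came back
        raise
    finally:
        s.close()


def demo():
    """Loopback only: one port with a listener, one without (constructed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind-and-close to obtain a port number that nothing is listening on.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage from outside the network:  python3 probe.py <new IP> 80
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it from outside against the new address while `tcpdump -ni vr0 'tcp port 80'` (vr0 being the interface named in the first post) runs on the web server. If the SYN appears in tcpdump and a RST leaves the host, the web server itself refused the connection; if no SYN ever arrives, the packet was dropped or not forwarded somewhere in front of it, which on this network means the ISP modem/router or the mail server the web server sits behind.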


----------



## drhowarddrfine (Jan 21, 2022)

JLAIP said:


> The only code on the web server that's changed between the time it last worked and now (when it doesn't) is the IP address changes made to /etc/rc.conf. Why do you think the cause of the "ERR_CONNECTION_REFUSED" is a frameset?



Because both Chromium and Firefox say, "*triumphpc.com* refused to connect." It's not the frame markup. It has to do with that server and not the john lennon one.


----------



## jbo (Jan 21, 2022)

SirDice said:


> If firewalls are causing it I would expect to see a 'connection timed-out' error due to the firewall dropping the traffic. Connection _refused_ means you are receiving a RST in response to a SYN. In other words, the port is closed. Traffic is most likely not being dropped by a firewall. There's simply nothing listening on that port.


The picture showing the output of `sockstat -4 -l` posted by JLAIP earlier in this thread would suggest otherwise. Unless I am missing something there is clearly httpd listening on port 80 on all interfaces.
So unless this is some more advanced configuration with virtual networks, VMs/jails and whatnot I'd argue that we're tracking down the problem from the wrong side. This would align with what drhowarddrfine just posted.

JLAIP Is triumphpc.com served by the very same host? Or is this separate host somewhere "behind" this machine we're currently talking about?
I did notice different names showing up in the shell command input line in your pictures. However, I don't know whether that is just the currently logged in username. In case that is the hostname, I think you're not telling us the whole story here.


----------



## VladiBG (Jan 21, 2022)

Also check if you are using a VirtualHost config in your httpd and, if it's set to serve only the old IP address, you need to change the IP address there too.

For example:

```apache
<VirtualHost 192.168.1.170:80>
    ServerName mydomain.com
    DocumentRoot /var/www/html/mydomain.com/public_html
    ErrorLog /var/www/html/mydomain.com/logs/error.log
    ...
```

You need to change it to

```apache
<VirtualHost *:80>
```

OR

```apache
<VirtualHost New_IP_Address:80>
```


----------



## JLAIP (Jan 21, 2022)

VladiBG said:


> Also check if you are using virtualhost config in your httpd and if it's set to serve only the old ip address you need to change the ip address there too
> For example:
> You need to change it
> OR


I don't know if the server's using virtualhost, but if the old static IP's in there, then that may be the problem.
I hate to ask, but can you give me an idea where to look for the file I'm looking for?


----------



## VladiBG (Jan 21, 2022)

apache configuration should be in /usr/local/etc/apache...
apache logs goes into /var/log

edit:
did you check the firewall if port 80 is open on the new ip address?


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> JLAIP Is triumphpc.com served by the very same host? Or is this separate host somewhere "behind" this machine we're currently talking about?
> I did notice different names showing up in the shell command input line in your pictures. However, I don't know whether that is just the currently logged in username. In case that is the hostname, I think you're not telling us the whole story here.


I'm telling you as much as I know. And, at this point, what I know isn't alot....which is why I came here.
Here's the physical layout: there are two servers—email and web. The email server has two NIC cards and is facing the modem/router. The web server has one NIC and is connected to one of the NICs in the email server.

While I've been posting here, I've also been on the phone with the ISP's tech, who just informed me that DHCP is ON in the modem/router. Shouldn't that be off?


----------



## jbo (Jan 21, 2022)

JLAIP said:


> I hate to ask, but can you give me an idea where to look for the file I'm looking for?


You could do a system wide grep to find all files listing the old IP. Something along the lines of: `grep -rnw / -e '84\.18\.59\.37'`. Replace with your old IP accordingly.



JLAIP said:


> While I've been posting here, I've also been on the phone with the ISP's tech, who just informed me that DHCP is ON in the modem/router. Shouldn't that be off?


I assume that this is referring to your router acting as a DHCP server for your local network which is usually fine as your clients might still rely on DHCP. There are exceptions of course but I'd not go down this road yet.
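A narrower version of the system-wide grep suggested above, as an added example that is not part of the thread: it walks only the directories where this host keeps its network, firewall and web server configuration (the list is an assumption drawn from the paths named in the thread), skips binaries, and matches the old address as a whole dotted token, so `192.0.2.10` does not also hit `192.0.2.100` or `1192.0.2.10`. The `demo()` function writes a few constructed files into a temporary directory to show which lines are and are not reported.

```python
"""Find leftover references to the old static IP in configuration files.

Added example, not from the thread. Unlike a recursive grep over /, it only
walks the places where rc.conf, the firewall rule sets and the web server
configuration live (an assumed list, from paths named in the thread), skips
binary files, and matches the address as a whole dotted token.
"""
import os
import re
import tempfile
from typing import Iterable, List, Tuple

# Assumed locations for this host: /usr/local/apache1/conf is where the poster
# found httpd.conf; the other two are FreeBSD conventions.
CANDIDATE_ROOTS = ["/etc", "/usr/local/etc", "/usr/local/apache1/conf"]


def ip_pattern(ip: str) -> "re.Pattern[str]":
    """Match ip literally and only as a whole token (no digit or dot on either side)."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def find_ip_refs(roots: Iterable[str], old_ip: str,
                 max_bytes: int = 4_000_000) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, line) for every text line mentioning old_ip."""
    pat = ip_pattern(old_ip)
    hits: List[Tuple[str, int, str]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue          # unreadable or vanished: nothing to edit there
                if b"\0" in data:     # binary content: skip
                    continue
                text = data.decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if pat.search(line):
                        hits.append((path, lineno, line.strip()))
    return sorted(hits)


def demo() -> List[Tuple[str, int]]:
    """Constructed files in a temp dir: two real hits, one near miss, one binary."""
    d = tempfile.mkdtemp()
    samples = {
        "rc.conf": 'ifconfig_vr0="inet 192.0.2.10 netmask 255.255.255.0"\n'
                   'defaultrouter="192.0.2.1"\n',
        "ipf.rules": "pass in quick proto tcp from any to 192.0.2.100 port = 80\n",
        "httpd.conf": "Listen 192.0.2.10:80\n",
        "blob.bin": "\0\0192.0.2.10\0",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return [(os.path.basename(p), n) for p, n, _ in find_ip_refs([d], "192.0.2.10")]


if __name__ == "__main__":
    # Usage on the server:  python3 find_old_ip.py <old IP>
    import sys
    for path, lineno, line in find_ip_refs(CANDIDATE_ROOTS, sys.argv[1]):
        print(f"{path}:{lineno}: {line}")
```

Every line it prints is a place that still has to be edited by hand; an empty result from these directories, together with a wildcard bind in `sockstat`, is a strong hint that the problem is not on the web server at all but on the router or the box in front of it.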


----------



## JLAIP (Jan 21, 2022)

VladiBG said:


> apache configuration should be in /usr/local/etc/apache...
> apache logs goes into /var/log
> 
> edit:
> did you check the firewall if port 80 is open on the new ip address?



Re the firewall: I haven't touched the firewall in ages. Our website has been working for 20+ years, so I have to presume that port 80's open.

I found /usr/local/apache1/conf/*httpd.conf*.

Is httpd.conf the file that was being referencing here...
"Also check if you are using virtualhost config in your httpd and if it's set to serve only the old ip address you need to change the ip address there too"

If so, I don't see any IPs in httpd.conf. Or is that not the correct file?


----------



## VladiBG (Jan 21, 2022)

You need to check the firewall first. If it's allowing only the old_IP:80 to be accessed you need to check it. Use `ipfstat -io` or check /etc/ipf.rules.


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> You could do a system wide grep to find all files listing the old IP. Something along the lines of: `grep -rnw / -e '84\.18\.59\.37'`. Replace with your old IP accordingly.
> 
> 
> I assume that this is referring to your router acting as a DHCP server for your local network which is usually fine as your clients might still rely on DHCP. There are exceptions of course but I'd not go down this road yet.


*Re DHCP and the router:* I've got static IPs configured in /etc/rc.conf, so what is the router's DHCP supposed to be auto-configuring?

*Re grep:* I'm not sure what this is telling me?


----------



## JLAIP (Jan 21, 2022)

VladiBG said:


> you need to check the firewall first. If it's allowing only the old_IP:80 to be accessed you need to check it . use `ipfstat -io` or check the /etc/ipf.rules


What am I checking for in /etc/ipf.rules? But, again, how could the firewall suddenly block web traffic when the only changes have been to /etc/rc.conf?


----------



## SirDice (Jan 21, 2022)

JLAIP said:


> Our website has been working for 20+ years, so I have to presume that port 80s open.


Yes, but you haven't changed the IP address in all those years either. When dealing with problems, never assume anything. Check, double-check and verify. Go through _everything_ logically and methodically. Check every step of the way. Just randomly checking some things while assuming something else is correct is a good way to overlook the blindingly obvious.



JLAIP said:


> But, again, how could the firewall suddenly block web traffic when the only changes have been to /etc/rc.conf?


If the firewall is specifically configured to only allow the 'old' IP address (thus blocking traffic to the 'new' IP). Changing the IP address in rc.conf means you're going to need to change the IP _everywhere_ it has been used. And there are many places where this IP address could have been set or stored.


----------



## jbo (Jan 21, 2022)

JLAIP said:


> If so, I don't see any IPs in httpd.conf. Or is that not the correct file?


I don't think that your Apache VirtualHost configuration is the problem as previously shown output of `sockstat` shows that the Apache HTTP server is listening on all interfaces/IPs on your host.

I feel like we're repeating a lot of stuff here that was already mentioned in the first couple of posts on this topic.


----------



## covacat (Jan 21, 2022)

If your router forwards port 80 to your server and your server has a fixed RFC 1918 address (192.168.x.x, 10.x.x.x, 172.16.x.x), then it's probably not your firewall; the router's NAT rules may have been lost.
If your server has a routable IP and is configured on one interface, then the ISP's modem/router is in bridge mode and they are blocking you from the head office (this happens for residential/home-type contracts), not the device itself (or your firewall is blocking the connections).


----------



## JLAIP (Jan 21, 2022)

SirDice said:


> Yes, but you haven't changed the IP address in all those years either. When dealing with problems, never assume anything. Check, double-check and verify. Go through _everything_ logically and methodically. Check every step of the way. Just randomly checking some things while assuming something else is correct is a good way to overlook the blindingly obvious.


It's for that reason that I'm hesitant to muck around with anything other than the one file I changed on both servers: /etc/rc.conf.
If the modem's not the bottleneck, I kind of think there's got to be another config file(s) that contains the old IP. I checked /etc/ipf.rules, but the old IP isn't in there....and I haven't touched it between the time the server was working early this week (with the old modem/IP) and now (with the new modem/IP).


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> I don't think that your Apache VirtualHost configuration is the problem as previously shown output of `sockstat` shows that the Apache HTTP server is listening on all interfaces/IPs on your host.
> I feel like we're repeating a lot of stuff here that was already mentioned in the first couple of posts on this topic.


Yes.


----------



## SirDice (Jan 21, 2022)

Fire up tcpdump(1) (use a filter or else you might get swamped with unrelated information) on the server. Open the website on your browser. Do you see the connection actually coming in? Is there a response?


----------



## VladiBG (Jan 21, 2022)

When you ping yahoo.com and get "cannot resolve", it means that you don't have access to a working DNS server. When you change the ISP, usually you need to change the DNS servers because the old ISP limits their DNS only to their clients, unless you are using some public DNS server such as Google's 8.8.8.8.

So check if you have ping to the public DNS server by using ping 8.8.8.8
If you don't have ping to it then check if you have ping to your default gateway (router).



> What am I checking for in /etc/ipf.rules?


You check if you have your open port 80 only for your old ip address. If you see your old ip address there you need to change it.


----------



## JLAIP (Jan 21, 2022)

The tech from the ISP wants to know if I want the modem to forward port 80 to an [internal?] IP on the web server?
My understanding was that ALL ports on the modem are supposed to be open, and I'm not sure what to tell him or what IP on the server to forward to??


----------



## JLAIP (Jan 21, 2022)

SirDice said:


> Fire up tcpdump(1) (use a filter or else you might get swamped with unrelated information) on the server. Open the website on your browser. Do you see the connection actually coming in? Is there a response?


Okay, but what do you mean by "use a filter"??


----------



## JLAIP (Jan 21, 2022)

VladiBG said:


> When you ping yahoo.com and get cannot resolve means that you don't have access to the working DNS server. When you change the IPS usually you need to change the DNS servers because the old ISP limits they DNS only to they clients unless you are using some public DNS server as google's 8.8.8.8
> 
> So check if you have ping to the public DNS server by using ping 8.8.8.8
> If you don't have ping to it then check if you have ping to your default gateway (router).
> ...


ping 8.8.8.8 = no go ... 100% packet loss.

In addition to trying as many of the suggestions here, I'm also working with the ISP's tech, who's making other suggestions. I was confused already...and I haven't slept in 36 hours... So, now I'm getting host name lookup failure when attempting to ping yahoo.com from the web server. It WAS working a couple hours ago, but the ISP's tech had me make some /etc/rc.conf changes and in my haste running back and forth I forgot to make a copy of the original /etc/rc.conf. Fortunately, I'm only changing three lines and I know which they are, but I've no idea which one(s) broke the DNS connection. Ugh..


----------



## jbo (Jan 21, 2022)

JLAIP said:


> The tech from the ISP wants to know if I want the modem to forward port 80 to an [internal?] IP on the web server?


Yes, that is definitely what you want. You want your ISP modem/router to forward port 80 to the internal/local IP of your (web)server.



JLAIP said:


> Okay, but what do you mean by "use a filter"??


See the man page of tcpdump(1). It supports filter expressions so you can filter for port 80 and your server's interface/IP address to prevent being blasted by ALL the traffic on that network interface.


----------



## SirDice (Jan 21, 2022)

JLAIP said:


> Okay, but what do you mean by "use a filter"??


If you just run tcpdump(1) it's going to show _all_ network packets that go in/out that server. Most of it is not relevant for the issue at hand. So you use a filter to only capture the network packets you're interested in. In this case you're only interested in TCP traffic to port 80 of that server.


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> Yes, that is definitely what you want. You want your ISP modem/router to forward port 80 to the internal/local IP of your (web)server.
> See the man page of tcpdump(1). It supports filter expressions so you can filter for port 80 and your server's interface/IP address to prevent being blasted by ALL the traffic on that network interface.


Here's the /etc/rc.conf (the only file that's been modified on the web server). The red boxes indicate the original settings, which were working until the modem/IP change yesterday.

I'm pretty sure the currently uncommented settings are what made it possible to successfully ping yahoo.com a couple of hours ago. But since the tech's had me mucking about with those settings while he was mucking about inside the modem, pinging any outside domain returns Host name lookup failure. The defaultrouter is set to the Gateway IP, and the Netmask is set per the ISP. I'm not sure if either of those is correct though?


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> Yes, that is definitely what you want. You want your ISP modem/router to forward port 80 to the internal/local IP of your (web)server.


As best I can tell from /etc/rc.conf, the web server's internal IP is 10.0.0.2 (the email server is 10.0.0.1). The tech says the router can only forward to 10.1.10.1 or at least that's the number he wanted me to change the web server's /etc/rc.conf to. It was after that that I began getting the Host name lookup failure errors when attempting to ping yahoo.com.


----------



## jbo (Jan 21, 2022)

JLAIP said:


> As best I can tell from /etc/rc.conf, the web server's internal IP is 10.0.0.2 (the email server is 10.0.0.1).


The server's "internal" IP is whatever you tell it to be (usually via the corresponding `ifconfig_xxx=""` in /etc/rc.conf).



JLAIP said:


> The tech says the router can only forward to 10.1.10.1 or at least that's the number he wanted me to change the web server's /etc/rc.conf to.


If that is correct then assign that IP to your server's interface. Also make sure that the netmask is correct.
However, I'd argue that it's rather uncommon to have a .1 IP here. Usually the .1 IP would be used for the gateway of a network segment. i.e. in your case 10.1.10.1 would most likely be the IP of the router and you'd use 10.1.10.2 for the server (with corresponding netmask) but I'm not your ISP tech.



JLAIP said:


> It was after that that I began getting the Host name lookup failure errors when attempting to ping yahoo.com.


Make sure that you set the `defaultrouter` to the router's IP address.
Usually you'd also want to limit your test case to the bare minimum. Instead of name lookups, simply ping a known IP address such as 8.8.8.8 (Google DNS server), which will tell you whether you can communicate with another machine "on the internet" without all the fuss such as name lookup, which might be broken for other reasons.

Please stop posting pictures. Instructions were provided many posts ago on how to properly paste information from your host.
I'm stating this out of courtesy - no other intentions: I am starting to get tired of this topic so I'll probably just opt out. Please start to actually follow the advice provided in this topic repeatedly. Other users here usually have a lower threshold on this than I do.


----------



## JLAIP (Jan 21, 2022)

jbodenmann said:


> The server's "internal" IP is whatever you tell it to be (usually via the corresponding `ifconfig_xxx=""` in /etc/rc.conf.
> 
> 
> If that is correct then assign that IP to your servers interface. Also make sure that the netmask is correct.
> ...


I apologize for any inconvenience I've caused you or other members. It wasn't intentional, but I'm not comfortable posting raw data to public systems. Again, my apologies, but I was up-front early on about my lack of experience and skillsets for a lot of this....Still and again, I'm sorry if I caused anyone here any problems. I'm just trying to get our website back up with the new modem/IP.


----------



## jbo (Jan 21, 2022)

You're not being inconvenient - anybody on this forum is allowed to opt-out of any thread/topic at any time (or to not opt-in to begin with). As such, I don't think that any apology from your side is needed either. I just prefer to clearly communicate rather than just silently disappearing.

Good luck!


----------



## covacat (Jan 21, 2022)

your rc.conf seems borked (gw seems something beginning with 7)
you don't set the gateway and netmask from the isp, those are set on the router itself
can you post an image with the ISP router/modem's configuration


----------



## JLAIP (Jan 21, 2022)

SirDice said:


> Fire up tcpdump(1) (use a filter or else you might get swamped with unrelated information) on the server. Open the website on your browser. Do you see the connection actually coming in? Is there a response?



```
tcpdump: listening on vr0
```
<I attempted to browse to the website via domain name and IP address>
```
0 packets received by filter
0 packets dropped by kernel
```

??


----------



## JLAIP (Jan 21, 2022)

covacat said:


> your rc.conf seems borked (gw seems something beginning with 7)
> you don't set the gateway and netmask from the isp, those are set on the router itself
> can you post an image with the ISP router/modem's configuration


The ISP's tech configured the modem/router and I modded /etc/rc.conf with the IPs he gave me.

I haven't been able to get into the modem myself yet. The tech just rang to say he's coming back later to replace the modem. I don't know if he decided the modem's _borked_ or perhaps he mucked something up whilst mucking around inside it. Either way, I'll try to get a screenshot or two of the modem configuration.

In the meantime, I think I may've mucked something up myself with all my /etc/rc.conf editing/rebooting because, now, when I ping 93.137.11.164 (yahoo), I get...
ping: sendto: No route to host
I unplugged the ethernet cable running from the email server (which is connected to the modem) to the web server and tried the ping again. No route to host.
When I try to ping the web server from the email server: ping: sendto: Network is unreachable

Both servers were pinging yahoo, google, etc (and each other) successfully earlier today.

So it now looks like I'm not even getting data transmission in or out of the web server.


----------



## JLAIP (Jan 21, 2022)

For anyone still following or who may find this at a later date...
I found the /etc/hosts file on the email server (the server that's working) contains two lines referencing our OLD static IPs. So I commented-out the two lines and added two new lines with our new static IPs.

Unfortunately, after a reboot, the corrections are still there, but the change had no effect on the web server. Pinging anything external (e.g., 8.8.8.8 or yahoo.com) still produces "No route to host". I am able to ping both our IP and domain name, but since something is still misconfigured within the web server, it isn't able to connect externally, so attempts to browse to our website still produce a "Refused to connect" error.

The ISP's tech just replaced the modem, but no change. He suggested that I try configuring the web server for DHCP instead of static IPs, connect it directly to the modem and see if the server was then able to connect/access the Internet. It was. However, the DHCP connection overwrote the original /etc/resolv.conf. Since it then contained only incorrect ISP data that doesn't work with the other (working) email server, I deleted the /etc/resolv.conf on the web server.

Not sure where to go now?


----------



## covacat (Jan 21, 2022)

can you draw a diagram of your network

```
like
1.2.3.5
isp-----------router 10.0.0.254
        1.2.3.6 |
                |-----mail-server (10.0.0.1)
                |
                |-----web-server (10.0.0.2)
```


----------



## JLAIP (Jan 21, 2022)

covacat said:


> can you post an image with the ISP router/modem's configuration


----------



## covacat (Jan 21, 2022)

ok, so if your mail server works and it is accessible from internet can you paste
netstat -rn from the mail server

also from the router 
gateway=>connection=>local ip config


----------



## JLAIP (Jan 21, 2022)

covacat said:


> can you draw a diagram of your network
> 
> ```
> like
> ...


I've spent the last two hours trying to modify your diagram into something decipherable, but it's not happening. I think I'd need to take an ASCII drawing course before I'll be able to produce anything useful.

I think I can explain the layout much easier..
There are two separate server PCs--one for email and the other for our website.
The email server links to the modem/router and the web server links to the email server (not the modem/router).
The email server contains two NIC cards....the first NIC links modem/router to the email server, the second NIC links email server to the web server's single NIC.
The ISP issued us five static IPs, 71.25.29.169~173.
The Gateway IP is 71.25.29.248.
The subnet mask is 255.255.255.248.
Primary DNS is 75.75.75.75 (secondary is 75.75.76.76).

Does that make sense?


----------



## covacat (Jan 22, 2022)

JLAIP said:


> I've spent the last two hours trying to modify your diagram into something decipherable, but it's not happening. I think I'd need to take a ASCII drawing course before I'll be able to produce anything useful.
> 
> I think I can explain the layout much easier..
> There are two separate server PCs--one for email and the other for our website.
> ...


and until now you had just one public ip ?
and the mail server runs ipnat / natd ?


----------



## JLAIP (Jan 22, 2022)

covacat said:


> ok, so if your mail server works and it is accessible from internet can you paste
> netstat -rn from the mail server
> 
> also from the router
> gateway=>connection=>local ip config


*Re netstat -rn:* The email server isn't browsable, it's just pingable and able to send/receive email. So I don't know how I can copy/paste the netstat output for you. That's why I've been posting photos.

*Re gateway-connection->local ip config...*


----------



## JLAIP (Jan 22, 2022)

covacat said:


> and until now you had just one public ip ?
> and the mail server runs ipnat / natd ?


For the past 20+ years, we leased a bank of five static IPs, but only one was used. That's what our website ran on. Oh, one of the old IPs was used as the gateway.
We have a bank of five new static IPs with the same plan--one to run our website on (71.25.29.170) and one as a gateway (71.25.29.174).

Sorry, the servers were set up in the late 90s and I just assisted the engineer that actually did the configuration on them. Is there a conf file I can check to find that out for you?

All I've done is replace the old IPs in /etc/rc.conf on both servers with the new IPs. Late today, I found our old IPs were in /etc/resolv.conf, so I changed those, too.
The ISP's tech suggested we try configuring the web server for DHCP, which I did via /etc/rc.conf. After reboot, the web server connected to the web and I was able to ping external sources (e.g., 8.8.8.8, yahoo.com, etc.), but the DHCP overwrote the /etc/resolv.conf on the web server, so I just renamed it. Other than repeating the same steps over and over again for the past two days, I think that should bring you up to date with where things sit.

Oh, when I saw the DHCP had overwritten /etc/resolv.conf, I decided to reconfigure /etc/rc.conf back the way it was originally, but with the new IPs in place.


----------



## covacat (Jan 22, 2022)

so the mail server has one of the 71.25.29.170 and the other one is 10.0.0.1
the redirection was actually done by the mail server not by the router
you have 2 options
1. put back 10.0.0.2/24 on the http server, set gw to 10.0.0.1
see why mail server does not redirect correctly to the web server

2. unplug the cable that links the 2 servers from the mail server and plug it into the router
config another of the public ips on the http server and set the mask and gw like on the mail server
fix dns record for www if it points to the ip on which the mail server sits and point it to the ip you set on the http server


----------



## JLAIP (Jan 22, 2022)

covacat said:


> so the mail server has one of the 71.25.29.170 and the other one is 10.0.0.1
> the redirection was actually done by the mail server not by the router
> you have 2 options
> 1. put back 10.0.0.2/24 on the http server, set gw to 10.0.0.1
> ...


Option 1 _sounds_ simpler and less dangerous, but I'm not sure what 10.0.0.2/24 means (the /24 part) or how I put it back on the http server? And, if I'm reading you right, this operation isn't going to solve the web server problem. Correct?

I'm really concerned about getting too far out beyond the point I can easily put things back the way I found them. So far, I've only actually changed 2-3 lines in three files, all of which was just swapping our very familiar old IPs for the new IPs. I'm worried about making changes that I won't be able to undo if/when things go wrong again.


----------



## JLAIP (Jan 22, 2022)

Is there some way to reconfigure the new modem/router to function like our previous modem/router? That way, I should just be able to swap old IP for new IP without having to risk getting beyond my understanding.

Actually, the more I think about it, because the email server DOES appear to be working properly, I'd really hesitate to make any layout changes that might kill our email again, too. This morning, I had everything except the website working--I was able to ping FROM both servers and login via SFTP, but after following the ISP tech's instructions, only the email server's working. Does that make sense?


----------



## covacat (Jan 22, 2022)

the problem does not seem to be at the router
it seems to be at the mail server which stopped forwarding http request to the http server
you can revert http server to 10.0.0.2 255.255.255.0 and gw 10.0.0.1

to test them without modifying rc.conf type

```
ifconfig vr0 inet 10.0.0.2/24
route add default 10.0.0.1
ping 8.8.8.8
```


----------



## JLAIP (Jan 22, 2022)

covacat said:


> the problem does not seem to be at the router
> it seems to be at the mail server which stopped forwarding http request to the http server
> you can revert http server to 10.0.0.2 255.255.255.0 and gw 10.0.0.1
> 
> ...


Okay, that I can do. Give me a couple of minutes...be right back.

I presume this was to be done on the (working) email server? No go.
ping: sendto: Network is unreachable.

Prior to this, I was able to ping 8.8.8.8 or yahoo.com, etc.

I just tried this on the web server, but as soon as I hit the Enter key, the ping just hung....no response. It's been about a minute now..

Oops, I spoke too soon...This is on the web server..


----------



## ct85711 (Jan 22, 2022)

One thing you can do if you are worried you will forget what changes you've done to a file: copy the file to a new place (like your home directory). This way you will always have the old copy if you need to reference it later on.


----------



## JLAIP (Jan 22, 2022)

ct85711 said:


> One thing you can do if you are worried you will forget what changes you've done to a file: copy the file to a new place (like your home directory). This way you will always have the old copy if you need to reference it later on.


This morning, I had everything (except the website) working on both servers. The ISP's tech recommended some things to do--and I cp'd all the files I changed--but, somehow, by afternoon, the web server had lost its ability to ping external sources or accept sftp logins. I'm just trying not to lose more ground, at least until I have a clear path ahead that I understand. But thanks for your input. Much obliged.


----------



## JLAIP (Jan 22, 2022)

Here's the listing of IPs we were given and instructed to enter into our servers' config files. Don't these go into /etc/rc.conf? If not, where?


----------



## VladiBG (Jan 22, 2022)

Do you have access to your Comcast router configuration on (http://10.1.10.1) with "user: cusadmin / highspeed" from LAN or only your ISP is managing it?

Here is your desired configuration using static routing on your Comcast router. The other available option is to use 1-to-1 NAT and map all public IP addresses on your Comcast router and translate them to internal private IPs.

for example:
Public IP - Private IP
1-to-1NAT 71.25.29.169 - 10.1.10.169
1-to-1NAT 71.25.29.170 - 10.1.10.170

I prefer to use routing instead of 1-to-1 NAT because routing is faster than NAT.

Example configuration with routing:


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Do you have access to your Comcast router configuration on (http://10.1.10.1) with "user: cusadmin / highspeed" from LAN or only your ISP is managing it?


I have access to it. Do you think the diagram you posted will fix it? If yes, how do I implement it?
Could you tell me what IP goes in which file (e.g., /etc/rc.conf, /etc/resolv.conf, etc.)?


----------



## VladiBG (Jan 22, 2022)

It's my proposal only how to set up your network topology. As I said in my previous post you can use 1-to-1 NAT _or_ DMZ with routing as I show on the diagram.
In your first post you said that your "WWW" server is connected behind the "Mail" server and your "WWW" server doesn't have a direct connection to your switch port on the router. This is usually done when you are providing some kind of software routing on your "Mail" server.


JLAIP said:


> I have access to it.


To check how your modem/router is configured, log in to it, then navigate to the "NAT" page and see if there's any 1-to-1 configuration there.

Then, if you have some laptop for the test, connect it to the modem/router on the switch port and set the following IP address on the laptop to test if it's able to ping the modem and if it has internet access with the following config. This will show you if your modem/router is configured properly.

First test on the laptop:
Set it to use LAN segment network via DHCP or manually configured IP


> IP: 10.1.10.99
> Mask: 255.255.255.0
> Gateway: 10.1.10.1
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76



Then ping gateway (modem/router) ip address
`ping 10.1.10.1`

Test ping to the public DNS at 8.8.8.8 to check if it's able to reach it
`ping 8.8.8.8`

Test ping to the ISP DNS at 75.75.75.75
`ping 75.75.75.75`

Test the DNS resolve by pinging google.com or yahoo.com
`ping google.com`
`ping yahoo.com`

----
Second test on the laptop:
Set the static ip address from the provided public IP's network
Make sure that it's not conflicting with your Gateway, Mail server or Web server IP addresses. If your Mail server or web server have 71.25.29.173 then choose some other FREE ip from 71.25.29.169-173. Your router/gateway is at 174 so don't use it.


> IP: 71.25.29.173
> Mask: 255.255.255.248
> Gateway 71.25.29.174
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76



Then ping the gateway (modem/router) ip address
`ping 71.25.29.174`

Test the ping to some internet host for example 8.8.8.8
`ping 8.8.8.8`

Test ping to the ISP DNS
`ping 75.75.75.75`

Test the DNS resolve
`ping google.com`
`ping yahoo.com`

-----


> Could you tell me what IP goes in which file (e.g., /etc/rc.conf, /etc/resolv.conf, etc.)?


For resolv.conf you need to use your ISP DNS addresses 75.75.75.75 and 75.75.76.76; if your ISP is not blocking public DNS you can also add 8.8.8.8 and 8.8.4.4 (Google DNS).

For rc.conf it depends which configuration you want to achieve.
You can use your private LAN network 10.1.10.0/24 but you need to reduce the DHCP range configuration on your router from 10.1.10.2-10.1.10.100 or reserve some IP from the LAN for your www and mail server OR use some IP outside the DHCP range so they are not conflicting with other devices in the network.
For example, if you go for this configuration then you will need to configure 1-to-1 NAT on your Comcast router/modem and set it as this
Comcast router
LAN DHCP range for personal computers/laptop
DHCP range 10.1.10.2-10.1.10.100

1-to-1 NAT
Public IP - Private IP
71.25.29.169 - 10.1.10.169 (mail)
71.25.29.170 - 10.1.10.170 (www)

10.1.10.101-254 outside the DHCP range for static configured devices (AP, Network switches, Server, Printers and so on)
www server


> IP: 10.1.10.170
> Mask 255.255.255.0
> Gateway: 10.1.10.1
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76



mail server


> IP: 10.1.10.169
> Mask 255.255.255.0
> Gateway: 10.1.10.1
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76



Note: you will need to reconfigure your WWW and Mail server services to reflect the new private IPs.


Option 2:
Set up your public IP addresses directly on your WWW and Mail server
www server


> ip: 71.25.29.170
> mask: 255.255.255.248
> Gateway: 71.25.29.174
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76



mail server


> ip: 71.25.29.169
> mask: 255.255.255.248
> Gateway: 71.25.29.174
> DNS1: 75.75.75.75
> DNS2: 75.75.76.76
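
The laptop tests above are a layered check: gateway first, then a public IP, then the ISP's resolver, then name resolution, because a failure at one layer makes every later test meaningless. The Python below, added here as an example and not code posted in the thread, runs that sequence and stops at the first failing layer. It uses the system ping(8) and the OS resolver; the `pinger`/`resolver` parameters exist so the checks can be swapped out, and the hint table is my own summary of where the thread's replies pointed for each layer, not anything the posters wrote.

```python
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed for this example: what a failure at each layer usually points at.
HINTS: Dict[str, str] = {
    "gateway": "interface address/netmask/defaultrouter on this host, or the cable/port",
    "internet": "the box in front of this host (router or NAT host) is not forwarding",
    "isp_dns": "ISP resolver unreachable although the internet is; check filtering",
    "resolution": "nameserver lines in /etc/resolv.conf",
}


def default_pinger(host: str, timeout_s: float = 3.0) -> bool:
    """One ICMP echo via the system ping(8).

    ping's timeout flags differ between FreeBSD and Linux, so only the
    portable -c 1 is used and the subprocess timeout bounds the wait.
    """
    try:
        proc = subprocess.run(["ping", "-c", "1", host],
                              capture_output=True, timeout=timeout_s)
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def default_resolver(name: str) -> bool:
    """True if the OS resolver (driven by /etc/resolv.conf) can resolve the name."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def diagnose(gateway: str, isp_dns: str, public_ip: str = "8.8.8.8",
             names: Tuple[str, ...] = ("google.com", "yahoo.com"),
             pinger: Callable[[str], bool] = default_pinger,
             resolver: Callable[[str], bool] = default_resolver
             ) -> List[Tuple[str, bool]]:
    """Run the layered checks in order; stop at the first failure."""
    steps = [
        ("gateway", lambda: pinger(gateway)),
        ("internet", lambda: pinger(public_ip)),
        ("isp_dns", lambda: pinger(isp_dns)),
        ("resolution", lambda: all(resolver(n) for n in names)),
    ]
    results: List[Tuple[str, bool]] = []
    for layer, check in steps:
        ok = check()
        results.append((layer, ok))
        if not ok:
            break  # later layers cannot pass until this one does
    return results


def first_failure(results: List[Tuple[str, bool]]) -> Optional[str]:
    """Name of the lowest failing layer, or None when everything passed."""
    for layer, ok in results:
        if not ok:
            return layer
    return None


def report(results: List[Tuple[str, bool]]) -> str:
    lines = [f"{'OK  ' if ok else 'FAIL'} {layer}" for layer, ok in results]
    bad = first_failure(results)
    lines.append("all layers pass" if bad is None else f"look at: {HINTS[bad]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The LAN-side laptop test from the post above: gateway 10.1.10.1, ISP DNS 75.75.75.75.
    print(report(diagnose("10.1.10.1", "75.75.75.75")))
```

For the second (public-IP) test, call `diagnose("71.25.29.174", "75.75.75.75")` after setting the public address on the laptop; the ordering is the point, since a "resolution" failure is only interesting once the three layers below it pass.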


----------



## covacat (Jan 22, 2022)

from what i understood and seen in the previous config is that the webserver is not connected to the router but the mail server
his net is like

```
71.25.29.174     71.25.29.170     
internet-------comcastbox-------mailserver
                                    |
                                    |10.0.0.0/24
                                   webserver
```
so nat on the mailserver broke
mailserver 25 actually works


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> It's my proposal only how to set up your network topology. As i said in my previous post you can use 1-to-1 NAT _or_ DMZ with Routing as i show on the diagram.
> In your first post you said that your "WWW" server is connected behind the "Mail" server and your "WWW" server doesn't have direct connection to your switch port on the router. This is usually done when you are providing some kind of software routing on your "Mail" server.
> 
> To check how is your modem/router configured. Log in into it then navigate to "NAT" page and see if there's any 1-to-1 configuration there.
> ...


By the way, this is outstanding! We'll need to talk via PM later, but, yes, the www (web) server is connected to the second NIC in the mx (mail) server. That is, the www server is NOT directly connected to the modem/router. This is the way the system has been configured.


----------



## JLAIP (Jan 22, 2022)

covacat said:


> from what i understood and seen in the previous config is that the webserver is not connected to the router but the mail server
> his net is like
> i
> 
> ...


Sorry, I mucked my last post up. Got it backwards. I've been up for 38 hours working on this...

Router-to-mx server, mx server-to-www server.
mx server IS working (can send/receive email and login via sftp), www server is not (cannot access our website or login via sftp).


----------



## covacat (Jan 22, 2022)

you need to log in on the mailserver and provide some info
like arp tables, routing tables, startup config, firewall/nat type


----------



## VladiBG (Jan 22, 2022)

Ok so your web server is NATed behind your mail server in network 10.0.0.0/24, it's connected on your mail server's dc1 interface and shares the same public ip address 71.25.29.170.

Can you provide your firewall configuration on your mail server to verify that 10.0.0.2 80 to 71.25.29.170 80 NAT is set up there?
Show the content of /etc/ipnat.conf from your mail server which acts as router.


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Ok so your web server is NATed behind your mail server in network 10.0.0.0/24 and it's connected on your mail server dc1 interface and share the same public ip address 71.25.29.170.
> 
> Can you provide your firewall configuration on your mail server to verify that 10.0.0.2 to 71.25.29.170:80 NAT is set up there?
> Show the content of ipnat.conf


Sorry, I'm out of my depth here and confused, so I need to take this slow. Plus, freebsd.org is running very slow at my end.
I'm not sure about the 10.0.0.0/24 (I'm not clear on the /24 part?) or whether it's NATed, but, yes, the web server is behind the web server and both SHOULD BE using 71.25.19.170.

Where should ipnat.conf be? I looked in /etc, but it's not there.


----------



## covacat (Jan 22, 2022)

10.0.0.0/24 means an ip like 10.0.0.x with a 255.255.255.0 netmask
anyway the "key" looks to be on the mailserver
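
covacat's one-line definition is worth pinning down with a worked check, because a default gateway that does not lie inside the interface's own subnet cannot be installed as a route, and the host is then left with no route to the outside. The Python below is added here as an example and is not code from the thread; it uses only the standard `ipaddress` module. The addresses are the ones posted above (10.0.0.2/24 with gateway 10.0.0.1, and the 71.25.29.169-173 block with netmask 255.255.255.248 and gateway 71.25.29.174); the 71.25.29.248 "Gateway IP" JLAIP listed earlier is used to show the failing case.

```python
import ipaddress
from typing import Dict


def prefix_to_netmask(prefix: int) -> str:
    """/24 -> 255.255.255.0, /29 -> 255.255.255.248."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def netmask_to_prefix(netmask: str) -> int:
    """255.255.255.248 -> 29 (ipaddress accepts a dotted-quad mask after the slash)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def subnet_of(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The network an interface with this address and mask belongs to."""
    return ipaddress.IPv4Interface(f"{ip}/{netmask}").network


def gateway_reachable(ip: str, netmask: str, gateway: str) -> bool:
    """A default gateway is only usable if it sits inside the interface's own subnet."""
    return ipaddress.IPv4Address(gateway) in subnet_of(ip, netmask)


def check_host(name: str, ip: str, netmask: str, gateway: str) -> Dict[str, str]:
    """Summarise one host's addressing the way you'd sanity-check an rc.conf."""
    net = subnet_of(ip, netmask)
    return {
        "host": name,
        "network": str(net),                       # e.g. 71.25.29.168/29
        "usable": f"{net[1]}-{net[-2]}",           # first and last assignable address
        "gateway": gateway,
        "gateway_ok": "yes" if gateway_reachable(ip, netmask, gateway) else "NO",
    }


if __name__ == "__main__":
    # The web server behind the mail server, and the public side with both
    # gateway values that appear in the thread.
    for row in (
        check_host("www (inside)", "10.0.0.2", "255.255.255.0", "10.0.0.1"),
        check_host("mail (public)", "71.25.29.170", "255.255.255.248", "71.25.29.174"),
        check_host("mail (bad gw)", "71.25.29.170", "255.255.255.248", "71.25.29.248"),
    ):
        print(row)
```

The /29 block resolves to 71.25.29.168/29, whose usable addresses run .169 through .174: the five leased addresses plus the router at .174, which is why .248 is outside the subnet and unusable as a gateway.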


----------



## VladiBG (Jan 22, 2022)

Show the list of current NAT table entry mappings using `ipnat -l`

check if you have it here
/etc/ipf/ipnat.conf
/usr/local/etc/ipnat.conf
/usr/local/etc/ipf/ipnat.conf

Or ipnat.rules


Which version of FreeBSD are you using on the mail server?

Show the content of /etc/ipf.rules

Check if you have ipf.conf


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Show the list of current NAT table entry mappings using `ipnat -l`
> check if you have it here
> /etc/ipf/ipnat.conf
> /usr/local/etc/ipnat.conf
> ...


Mail server's running v6.3


----------



## VladiBG (Jan 22, 2022)

66.166.191.10 is this your OLD IP address?
Check if you have ipnat.rules and edit it to reflect your NEW IP address.



> Mail server's running v6.3


After you fix this IP address transition you *MUST* upgrade your server ASAP. Also ask the moderator to delete this topic after you resolve your current situation.


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Show the list of current NAT table entry mappings using `ipnat -l`
> 
> check if you have it here
> /etc/ipf/ipnat.conf
> ...


Output of ipnat -l is below. Here is /etc/ipf.rules...

```
# Begin ipf ruleset
#
# outside interface = vr0
# inside interface  = dc0
#
# Allow localhost traffic over the lo0 interface
#
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
#
# Block RFC-1918 and similar type spoof attempts
#
block in log quick on vr0 from 192.168.0.0/16 to any
block in log quick on vr0 from 172.16.0.0/12 to any
block in log quick on vr0 from 10.0.0.0/8 to any
block in log quick on vr0 from 127.0.0.0/8 to any
block in log quick on vr0 from 0.0.0.0/8 to any
block in log quick on vr0 from 169.254.0.0/16 to any
block in log quick on vr0 from 192.0.2.0/24 to any
block in log quick on vr0 from 204.152.64.0/23 to any
block in log quick on vr0 from 224.0.0.0/3 to any
#
# Allow traffic for DNS, web, and mail services
# Following 2 lines allow Ralph in
# pass in quick from 24.97.145.202/32 to any keep state
# pass out quick from any to 24.97.145.202/32 keep state
pass in quick proto tcp/udp from any to any port = domain keep state
pass out quick proto tcp/udp from any port = domain to any keep state
pass in quick proto tcp from any to 10.0.0.2/32 port = http keep state
pass out quick on dc0 proto tcp from any to 10.0.0.2/32 port = http keep state
pass in quick proto tcp from any to 10.0.0.2/32 port = https keep state
pass in quick proto tcp from any to any port = smtp keep state
pass in quick proto tcp from any to 64.36.56.98/32 port = pop3 keep state
pass in quick proto tcp from any to 64.36.56.98/32 port = imap keep state
#
# Allow ssh connections from selected outside hosts
#
#pass in quick on vr0 proto tcp from 69.205.50.120/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from any to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 69.251.190.98/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 68.32.116.93/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 68.32.119.76/32 to any port = ssh flags S keep state
#
# Allow ping and traceroute from selected hosts
#
#pass in quick on vr0 proto icmp from 69.205.50.120/32 to any keep state
pass in quick on vr0 proto icmp from any to any keep state
#pass in quick on vr0 proto icmp from 69.251.190.98/32 to any keep state
#pass in quick on vr0 proto icmp from 68.32.119.76/32 to any keep state
#
# Allow inside hosts to initiate connections to the outside and receive replies
#
pass in quick on dc0 from any to any keep state
pass out quick on vr0 from any to any keep state
#
# Block and log unwanted tcp udp and icmp connections
# Send tcp reset or host unreachable instead of nothing
#
block return-rst in log quick on vr0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on vr0 proto udp from any to any
block return-icmp-as-dest(port-unr) in log quick on vr0 proto icmp from any to any
#
# Block and log everything else
#
block in log quick all
block out log quick all
#
# End ipf ruleset
```


----------



## VladiBG (Jan 22, 2022)

Edit your ipnat configuration and change the 66.166.191.10 to 71.25.29.170

Then clear your current table using `ipnat -C` and load your new configuration using `ipnat -f /etc/ipnat.rules` or wherever your ipnat.rules/ipnat.conf is located

Then check again your NAT table using `ipnat -l`
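
The root cause in this thread was a NAT rule that still carried the old public address, exactly the "another conf file containing our old IP" suspected in the first post. Files that embed an address are easy to miss (rc.conf, resolv.conf, hosts, ipnat.rules, ipf.rules, web server vhosts), so here is a small Python scanner, added as an example and not part of the thread, that finds exact occurrences of the old address, separates live lines from commented-out ones, and can rewrite them. The sample file contents are constructed for the example: the addresses are the ones the thread mentions, and the ipnat lines use the usual map/rdr syntax rather than the mail server's real file, which was never posted.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample files standing in for the mail server (never posted in the thread).
SAMPLE_FILES: Dict[str, str] = {
    "/etc/rc.conf": (
        'ifconfig_vr0="inet 71.25.29.170 netmask 255.255.255.248"\n'
        'ifconfig_dc0="inet 10.0.0.1 netmask 255.255.255.0"\n'
        'defaultrouter="71.25.29.174"\n'
        'ipnat_enable="YES"\n'
        'ipnat_rules="/etc/ipnat.rules"\n'
    ),
    "/etc/ipnat.rules": (
        "# outbound NAT for the inside network; public address never updated\n"
        "map vr0 10.0.0.0/24 -> 66.166.191.10/32\n"
        "# forward inbound web traffic to the web server behind the mail server\n"
        "rdr vr0 66.166.191.10/32 port 80 -> 10.0.0.2 port 80 tcp\n"
    ),
    "/etc/resolv.conf": "nameserver 66.166.191.10\nnameserver 75.75.75.75\n",
    "/etc/hosts": (
        "127.0.0.1 localhost\n"
        "#66.166.191.10 www          # stale but already commented out\n"
        "66.166.191.100 other-host   # different address: must not match\n"
    ),
}


class Hit(NamedTuple):
    path: str
    lineno: int
    active: bool   # False when the line is commented out
    line: str


def ip_pattern(ip: str) -> "re.Pattern[str]":
    # Lookarounds keep 66.166.191.10 from matching inside 66.166.191.100 or 166.166.191.10.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def find_stale_ip(files: Dict[str, str], old_ip: str) -> List[Hit]:
    """Every line in `files` ({path: contents}) that still names old_ip."""
    pat = ip_pattern(old_ip)
    hits: List[Hit] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if pat.search(line):
                hits.append(Hit(path, lineno, not line.lstrip().startswith("#"), line))
    return hits


def replace_ip(text: str, old_ip: str, new_ip: str) -> Tuple[str, int]:
    """Rewrite exact occurrences only; returns the new text and the substitution count."""
    return ip_pattern(old_ip).subn(new_ip, text)


def load_files(paths: Iterable[str]) -> Dict[str, str]:
    """Read real files from disk, skipping ones that do not exist on this host."""
    out: Dict[str, str] = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            out[p] = path.read_text(errors="replace")
    return out


def summarize(hits: List[Hit]) -> str:
    return "\n".join(
        f"{'LIVE   ' if h.active else 'comment'} {h.path}:{h.lineno}: {h.line.strip()}"
        for h in hits
    )


if __name__ == "__main__":
    OLD, NEW = "66.166.191.10", "71.25.29.170"   # old and new public address from the thread
    print(summarize(find_stale_ip(SAMPLE_FILES, OLD)))
    fixed, n = replace_ip(SAMPLE_FILES["/etc/ipnat.rules"], OLD, NEW)
    print(f"\nipnat.rules after {n} substitutions:\n{fixed}")
```

On a real host, `load_files([...])` replaces `SAMPLE_FILES`; after editing ipnat.rules the in-kernel table still holds the old mapping until it is cleared and reloaded, which is what the `ipnat -C` and `ipnat -f` steps above do, so re-running `ipnat -l` afterwards is the check that the change took.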


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> 66.166.191.10 is this your OLD IP address?
> Check if you have ipnat.rules and edit it to reflect your NEW IP address.
> 
> 
> After you fix this IP address transition you *MUST* upgrade your server ASAP. Also ask the moderator to delete this topic after you resolve your current situation.


I've updated /etc/ipnat.rules with the new IPs and rebooted the mail server. It's still working, but no change on the www server. Ping to 8.8.8.8 or yahoo.com returns:
ping: sendto: No route to host


----------



## VladiBG (Jan 22, 2022)

Show the output on your www server of the following commands
`netstat -rn`
`ifconfig`
`more /etc/resolv.conf`


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Edit your ipnat configuration and change the 66.166.191.10 to 71.25.29.170
> 
> Then clear your current table using`ipnat -C` and load your new configuration using `ipnat -f /etc/ipnat.rules` or whatever is your ipnat.rules/ipnat.conf located
> 
> Then check again your NAT table using `ipnat -l`


That looks better!


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Show the output on your www server of the following commands
> `netstat -rn`
> `ifconfig`
> `more /etc/resolv.conf`


----------



## covacat (Jan 22, 2022)

mailserver looks ok, show the stuff on www server


----------



## VladiBG (Jan 22, 2022)

From your web server, not on the mailserver.
The DNS addresses in your resolv.conf on all servers must be 75.75.75.75 and 75.75.76.76
So change your resolv.conf on both www server and mail server.
nameserver 192.6.1.5
nameserver 192.6.1.6
nameserver 75.75.75.75
nameserver 75.75.76.76


----------



## JLAIP (Jan 22, 2022)

covacat said:


> mailserver looks ok, show the stuff on www server


Here's the /etc/rc.conf on the www server. I suspect the www server's ping problems stem from there.
The lines in the red box that are all I've dabbled with on the www server.


----------



## covacat (Jan 22, 2022)

change defaultrouter to 10.0.0.1


----------



## VladiBG (Jan 22, 2022)

Change the default gateway on your www server to be
in your rc.conf


> ifconfig_vr0="inet 10.0.0.2 netmask 255.255.255.0"
> defaultrouter="10.0.0.1"



to avoid restarting you can set it directly using (don't forget to change it also in rc.conf so next time it's rebooted it stays)


> ifconfig vr0 inet 10.0.0.2 netmask 255.255.255.0
> route add default 10.0.0.1



For resolve.conf also change the DNS addresses there.
Unfortunately the resolvconf command came with FreeBSD 9, so you have to reload named instead of using `resolvconf -u` to update the DNS.


----------
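As an added example (my own code, not part of VladiBG's post or this thread), a small POSIX sh check for the rc.conf settings described in the post above: it parses the `ifconfig_vr0` and `defaultrouter` lines and verifies that the default gateway actually lies inside the interface's subnet, which is the condition a misconfigured defaultrouter violates when ping fails with `No route to host`. The rc.conf fragment is constructed from the values in the thread; the function names `rc_value`, `ip_to_int` and `gateway_on_link` are mine.

```shell
#!/bin/sh
# Added example: sanity-check rc.conf network settings before a reboot.
# Sample rc.conf contents, constructed from the values given in the thread.
RC_CONF_SAMPLE='ifconfig_vr0="inet 10.0.0.2 netmask 255.255.255.0"
defaultrouter="10.0.0.1"'

# rc_value KEY TEXT: print the value of a KEY="value" line found in TEXT.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"
}

# ip_to_int A.B.C.D: print the dotted-quad address as a 32-bit integer.
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_on_link IFACE TEXT: exit 0 if defaultrouter is inside the subnet
# configured on ifconfig_IFACE, 1 if it is off-link, 2 if either line is
# missing or not in the "inet ADDR netmask MASK" form.
gateway_on_link() {
    _line=$(rc_value "ifconfig_$1" "$2")
    _gw=$(rc_value defaultrouter "$2")
    set -- $_line                       # expected: inet ADDR netmask MASK
    [ "$1" = inet ] && [ "$3" = netmask ] && [ -n "$4" ] && [ -n "$_gw" ] || return 2
    _mask=$(ip_to_int "$4")
    # Same network prefix on both sides means the gateway is directly reachable.
    [ $(( $(ip_to_int "$2") & _mask )) -eq $(( $(ip_to_int "$_gw") & _mask )) ]
}

# Demo run on the constructed sample.
if gateway_on_link vr0 "$RC_CONF_SAMPLE"; then
    echo "defaultrouter is on-link for vr0: safe to apply"
else
    echo "defaultrouter is NOT reachable from vr0's subnet: fix rc.conf first"
fi
```

Run it against a copy of the real /etc/rc.conf with `gateway_on_link vr0 "$(cat /etc/rc.conf)"` to catch a stale defaultrouter before restarting netif and routing.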



## JLAIP (Jan 22, 2022)

VladiBG said:


> From your web server, not on the mailserver.
> The DNS address in your resolve.conf on all server must be 75.75.75.75 and 75.75.76.76
> So change your resolve.conf on both www server and mail server.
> nameserver 192.6.1.5
> ...


Here are the /etc/resolv.conf files from both servers. Should I ADD the two nameserver lines to what is currently there, or delete what is there and have only the two new nameserver lines in each resolv.conf? FYI: the 4.6 is the www and the 4.10 is the mx.


----------



## covacat (Jan 22, 2022)

it works!


----------



## VladiBG (Jan 22, 2022)

Change only the nameservers from
198.6.1.5 to 75.75.75.75
and
192.6.1.6 to 75.75.76.76

Then reload named and test whether DNS is working by pinging google.com or yahoo.com.


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Change the default gateway on your www server to be, in your rc.conf:
> To avoid restarting you can set it directly using the following (don't forget to change it also in rc.conf so that next time it's rebooted it stays):
> For resolve.conf also change the DNS addresses there.
> Unfortunately the resolvconf command came with FreeBSD 9, so you have to reload named instead of using `resolvconf -u` to update the DNS.


Bingo!
Just rebooted and we're back online. I need to run through all of our scripts and partner websites, but I think you got it. The Beatle people thank you, covacat and all of the TRUE experts here!
VladiBG: Can I message you?


----------



## VladiBG (Jan 22, 2022)

Contact a forum moderator and ask him politely to delete this forum thread, as you are running a very old version and you shared sensitive information here.
Also upgrade your server ASAP. If you are unable to do it yourself, I recommend moving both the mail server and the web server to a hosting company and migrating your web site and mail hosting there instead of maintaining the risky old versions of your current servers.


----------



## JLAIP (Jan 22, 2022)

VladiBG said:


> Change only the nameservers from
> 198.6.1.5 to 75.75.75.75
> and
> 192.6.1.6 to 75.75.76.76
> ...


----------



## JLAIP (Jan 22, 2022)

Thank you ALL for your kind help and talented expertise! It would have taken me several weeks (ask me how I know....on second thought, don't ask....I'd rather not think about it) to get all of this sorted out myself.

Moderator: Again, my apologies for all the ignorant questions and for any inconvenience they may've caused members. I messaged you, but please delete this thread. Thanks again!


----------

