Solved Network behaviour since upgrade to 10.1

Hi there, this is an odd one. I have a server with two NICs configured as a router running PF.

On this machine I host an Apache 2.4 web server and Postfix/Dovecot. It has been rock solid on 10.0. Since upgrading to 10.1 I can't access the webserver or mail system from the internal network, though it's still working perfectly from outside the network.

I haven't changed any configuration files at all and was just wondering if there was a simple fix before looking into NAT reflection. Would 10.1 have changed this behaviour? Is there another way I might debug the problem?

Many thanks!
 
It might just be a timing thing. On one recent upgrade, my NAT rule had to be modified from this:
Code:
nat on $ext_if from $internal_net to any -> $ext_if
to this:
Code:
nat on $ext_if from $internal_net to any -> ($ext_if)

From pf.conf(5):
When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with nat.

That was needed because the interface was not up by the time PF started.
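As an added illustration (not code from the thread), here is a minimal pf.conf that puts the parenthesised form of that nat rule in context. The interface names bce0/bce1 and the 172.17.3.x LAN come from the poster's diagram; the /24 prefix, the macro names and the filter rules are assumptions for the example.

```pf
# Added example, not part of the original thread.
# Interface names follow the poster's diagram; the /24 mask and the
# macro names are assumed for illustration.
ext_if = "bce0"
lan_if = "bce1"
internal_net = "172.17.3.0/24"

set skip on lo0

# Parentheses around the interface: pf re-reads the interface's address
# whenever it changes, so the rule still translates correctly if bce0
# only acquires its address after the ruleset was loaded at boot.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default deny on the outside, allow the LAN out, keep state.
block in on $ext_if
pass out on $ext_if keep state
pass in on $lan_if from $internal_net keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after loading, `pfctl -sn` lists the translation rules so you can confirm the interface is still shown in parentheses rather than as a fixed address captured at boot.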
 
Many thanks - learned something too :) I did have the following line:

Code:
nat on $ext_if from $lan_if:network to any -> ($ext_if)

With the :network qualifier, but I'll try it without.
 
Without :network, all access was blocked. I checked my NAT rule, but it's the same as the one you suggested and I still can't access the internal server with the external DNS :(
 
You mean that the internal network cannot get to the web server by using the external IP address of the web server? That does not sound like a firewall problem, but rather DNS (possibly split DNS needed) or routing.
 
Yes, I should explain. The setup is as follows...

Code:
modem (public IP)
|
|
bce0 ---------- bce1
ext_if. . . . . lan_if
192.168.1.2 . . 172.17.3.1

The server is running Apache (80/444), Dovecot (993), Postfix (25), DHCP (on bce1) and Unbound. Prior to the upgrade from 10.0 to 10.1, from any client on the LAN (172.17.3.0) I could access my web-server at gallopinggreen.com (public IP). Since the upgrade, I cannot see it, or the other services from the LAN, though everything is working externally as before (i.e., via 3G from my phone or another external client).

Scratching my head on this, because nothing has changed in terms of the setup so I think the upgrade may have introduced something?
 
Does DNS for the site resolve correctly inside the LAN? What happens if you try to ping the server's address?
 
Yes, it resolves, but when I ping it returns nothing and if I telnet [web server] 80 it simply times out. I'm going to spend some time on the pf rules to see if my problem lies there!
 
OMG, so I just issued a pfctl -F all -f /etc/pf.conf and everything worked again. I guess the firewall state must have gotten borked as part of the upgrade! I feel like a dope right now, but I do appreciate the help that prodded me in the right direction! This forum rocks!
 