[Solved] No Route to Host Error

JasonB · #1 May 14th, 2009, 16:26

Hi there, newbie here.

I am running an Apache 2.2 webserver on my FreeBSD machine, which is part of a home network, connected to a Netgear router. I have port 80 forwarded from my router, to my FreeBSD machine to accept HTTP requests.

I am able to connect to my Apache server from within the network, using a web browser and my internal address, as well as my WAN address, and my Domain name. I cannot connect from anywhere outside of the home network though or I get a (113) No route to host error.

I just purchased the domain yesterday. Pings from inside of the network are ok. Traceroutes fail before the first hop:

traceroute to www.mydomain.com (xxx.xx.xx.xxx), 64 hops max, 40 byte packets

1) * * * *
2) * * * *
3) * * * * etc.

I was just wondering if anyone could shed some light on how to troubleshoot this more? I'm trying to figure out if it is an Apache configuration issue, a firewall somewhere, maybe a DNS resolution issue since the Domain Name is so new...?

I'm pretty new to BSD so I'm not sure of all the tools I may have at my disposal to narrow this down. I am running an nmap scan right now, but after that I think I'm out of ideas.

**DutchDaemon** · #2 May 14th, 2009, 16:41

You bought the domain yesterday? That sounds like a DNS resolving matter first of all. If you have query access to any outside DNS server (like your ISP's), try

dig @dns.server A www.mydomain.com

and see if it resolves.

**SirDice** · #3 May 14th, 2009, 16:54

See if you can traceroute and/or connect to the apache webserver from outside using your IP address. If that works your setup is correct and it's a name resolving issue. New domains (or changes to them) do take some time to propagate.

JasonB · #4 May 14th, 2009, 18:09

Thanks for the replies.

I did a

]# dig@dns.com A mydomain.com

and it correctly resolved to the WAN address of my router. Also, typing in the WAN address directly in an out of network browser, or proxy server gets me the "no route to host" or "couldn't connect to host" error as well.

I'm still able to connect to both my domain, and WAN address from local computers though.

**DutchDaemon** · #5 May 14th, 2009, 19:02

'No route to host' is not a good one ... any chance your ISP filters server ports? If you want me to take a look at it with some diagnostic tools, PM me with the hostname and IP-address.

**SirDice** · #6 May 14th, 2009, 19:10

Quote:

Originally Posted by JasonB

I did a

]# dig@dns.com A mydomain.com

and it correctly resolved to the WAN address of my router. Also, typing in the WAN address directly in an out of network browser, or proxy server gets me the "no route to host" or "couldn't connect to host" error as well.

I'm still able to connect to both my domain, and WAN address from local computers though.

Ok. So name resolving isn't the issue. It's a routing issue. How's your router setup? What kind of public address do you have, a range or a single address? Is your ISP aware of your range/address? Do they route your address(es) correctly to you? Are you able to verify packets are actually arriving at your router?

**DutchDaemon** · #7 May 14th, 2009, 20:17

Jason PM'ed me his hostname and IP address, and the outcome is crystal clear: a tcp-traceroute to port 80 ends on a router in his ISP's network and the result carries the "!A" flag:

Code:

       !A (communication with  destination  network  administra-
       tively prohibited)

When running Wireshark, a visit to the website is greeted with:

Code:

151	21:15:21.117501	(destination ip)	(source ip)	ICMP	Destination unreachable (Communication administratively filtered)

The ISP is unequivocally filtering port 80.

Sorry, Jason ..

JasonB · #8 May 14th, 2009, 20:18

Quote:

Originally Posted by SirDice

Ok. So name resolving isn't the issue. It's a routing issue. How's your router setup? What kind of public address do you have, a range or a single address? Is your ISP aware of your range/address? Do they route your address(es) correctly to you? Are you able to verify packets are actually arriving at your router?

Right now my router is set up to forward incoming requests on port 80 to my FreeBSD machine. Yesterday, I disabled everything I could think of in the router settings including the Firewall, and changing NAT from secure to open. It is also setup to get it's IP, and DNS address dynamically from the ISP (they did not offer static addresses when I called).

I live in an apartment complex which I think has a hub for the entire complex. Doing a traceroute to Google gives me:

1) 192.168.1.1
2) 10.203.72.1

If I'm not mistaken those are both local addresses a packet passes through before getting to an outside IP address on the 3rd stop.

I believe I have just a single address I'm assigned, and I'm not entirely sure how I can verify if packets are arriving at my router. Is there a way to check this?

Thanks.

JasonB · #9 May 14th, 2009, 20:22

Quote:

Originally Posted by DutchDaemon

Jason PM'ed me his hostname and IP address, and the outcome is crystal clear: a tcp-traceroute to port 80 ends on a router in his ISP's network and the result carries the "!A" flag:

Code:

       !A (communication with  destination  network  administra-
       tively prohibited)

When running Wireshark, a visit to the website is greeted with:

Code:

151	21:15:21.117501	(destination ip)	(source ip)	ICMP	Destination unreachable (Communication administratively filtered)

The ISP is unequivocally filtering port 80.

Sorry, Jason ..

Lol, yeah no problem. Thanks for looking into this for me.

I just graduated so I was going to try and impress employers by hosting some websites on my own server. If they base it on charm and good looks, I have no chance.

I will just find a regular host to put them on until we get out of this apartment.

Thanks again.

**DutchDaemon** · #10 May 14th, 2009, 20:31

Sure thing. I did some further tracing: they're specifically blocking ports 25 and 80. It looks like 21 (ftp), 22 (ssh), 110 (pop3), 143 (imap) are all allowed. You could easily host your site on a port like 81 or 1080, but it makes your URL look weird, of course.

**SirDice** · #11 May 14th, 2009, 20:55

Quote:

Originally Posted by JasonB

I live in an apartment complex which I think has a hub for the entire complex. Doing a traceroute to Google gives me:

1) 192.168.1.1
2) 10.203.72.1

If I'm not mistaken those are both local addresses a packet passes through before getting to an outside IP address on the 3rd stop.

Hmm.. I'm assuming 192.168.1.1 is your router? If so there's probably another NAT happening at the 10.0.0.0/8 network. This might be the ISP. To get anything connected from the outside the ports would need to be redirected there too. But this would need involvement from the ISP. Usually they're not too helpful with this.

Quote:

I believe I have just a single address I'm assigned, and I'm not entirely sure how I can verify if packets are arriving at my router. Is there a way to check this?

tcpdump(1) and net/wireshark are the tools for the job. You probably can't run those on your router (unless it runs linux or bsd

) but you can run it on your server.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Solved] ppp, host route entry via tun interface	rsg7	Networking	10	April 13th, 2010 07:51
[Solved] No Route to Host	bamcis	Networking	8	February 11th, 2010 21:46
More than one default route	bgpn00b	Networking	5	February 4th, 2010 13:30
openVPN client add route error	marino	Networking	16	November 25th, 2009 10:37
Multiple jails on host... How to get each host network usage	gigikent2000	Networking	7	August 14th, 2009 12:44

The Following User Says Thank You to DutchDaemon For This Useful Post:
JasonB (May 14th, 2009)