Changed Web Server Static IP, then ERR_CONNECTION_REFUSED

The problem does not seem to be at the router; it seems to be at the mail server, which stopped forwarding HTTP requests to the HTTP server.
You can revert the HTTP server to 10.0.0.2 255.255.255.0 and gw 10.0.0.1.

To test this without modifying rc.conf, type:
ifconfig vr0 inet 10.0.0.2/24
route add default 10.0.0.1
ping 8.8.8.8
 
OP
JLAIP
Okay, that I can do. Give me a couple of minutes... be right back.

I presume this was to be done on the (working) email server? No go.
ping: sendto: Network is unreachable.

Prior to this, I was able to ping 8.8.8.8 or yahoo.com, etc.

I just tried this on the web server, but as soon as I hit the Enter key, the ping just hangs... no response. It's been about a minute now...

Oops, I spoke too soon... This is on the web server...
 

Attachments

  • modem 012.jpg
One thing you can do if you are worried you will forget what changes you have made to a file: copy the file to a new place (like your home directory). This way you will always have the old copy if you need to reference it later on.
 
OP
JLAIP
This morning, I had everything (except the website) working on both servers. The ISP's tech recommended some things to do--and I cp'd all the files I changed--but, somehow, by afternoon, the web server had lost its ability to ping external sources or accept sftp logins. I'm just trying not to lose more ground, at least until I have a clear path ahead that I understand. But thanks for your input. Much obliged.
 
OP
JLAIP
Here's the listing of IPs we were given and instructed to enter into our servers' config files. Don't these go into /etc/rc.conf? If not, where?
 

Attachments

  • ips.jpg
Do you have access to your Comcast router configuration (http://10.1.10.1, "user: cusadmin / highspeed") from the LAN, or is only your ISP managing it?

Here is your desired configuration using static routing on your Comcast router. The other available option is to use 1-to-1 NAT: map all public IP addresses on your Comcast router and translate them to internal private IPs.

For example:
Public IP - Private IP
1-to-1 NAT 71.25.29.169 - 10.1.10.169
1-to-1 NAT 71.25.29.170 - 10.1.10.170

I prefer to use routing instead of 1-to-1 NAT because routing is faster than NAT.

Example configuration with routing:

Attachments

  • Example Diagram (1).png
 
OP
JLAIP
I have access to it. Do you think the diagram you posted will fix it? If yes, how do I implement it?
Could you tell me what IP goes in which file (e.g., /etc/rc.conf, /etc/resolv.conf, etc.)?
 
It's my proposal only for how to set up your network topology. As I said in my previous post, you can use 1-to-1 NAT _or_ DMZ with routing, as I show on the diagram.
In your first post you said that your "WWW" server is connected behind the "Mail" server and your "WWW" server doesn't have a direct connection to your switch port on the router. This is usually done when you are providing some kind of software routing on your "Mail" server.
I have access to it.
To check how your modem/router is configured, log in to it, then navigate to the "NAT" page and see if there's any 1-to-1 configuration there.

Then, if you have some laptop for the test, connect it to the modem/router on the switch port and set the following IP address on the laptop to test if it's able to ping the modem and if it has internet access with the following config. This will show you if your modem/router is configured properly.

First test on the laptop:
Set it to use LAN segment network via DHCP or manually configured IP
IP: 10.1.10.99
Mask: 255.255.255.0
Gateway: 10.1.10.1
DNS1: 75.75.75.75
DNS2: 75.75.76.76

Then ping gateway (modem/router) ip address
ping 10.1.10.1

Test ping to the public DNS at 8.8.8.8 to check if it's able to reach it
ping 8.8.8.8

Test ping to the ISP DNS at 75.75.75.75
ping 75.75.75.75

Test the DNS resolve by pinging google.com or yahoo.com
ping google.com
ping yahoo.com


----
Second test on the laptop:
Set a static IP address from the provided public IP network.
Make sure that it's not conflicting with your gateway, mail server or web server IP addresses. If your mail server or web server has 71.25.29.173, then choose some other FREE IP from 71.25.29.169-173. Your router/gateway is at 174, so don't use it.
IP: 71.25.29.173
Mask: 255.255.255.248
Gateway 71.25.29.174
DNS1: 75.75.75.75
DNS2: 75.75.76.76

Then ping the gateway (modem/router) ip address
ping 71.25.29.174

Test the ping to some internet host for example 8.8.8.8
ping 8.8.8.8

Test ping to the ISP DNS
ping 75.75.75.75

Test the DNS resolve
ping google.com
ping yahoo.com


-----
Could you tell me what IP goes in which file (e.g., /etc/rc.conf, /etc/resolv.conf, etc.)?
For resolv.conf you need to use your ISP DNS addresses 75.75.75.75 and 75.75.76.76; if your ISP is not blocking public DNS you can also add 8.8.8.8 and 8.8.4.4 (Google DNS).

For rc.conf it depends which configuration you want to achieve.
You can use your private LAN network 10.1.10.0/24, but you need to reduce the DHCP range configuration on your router from 10.1.10.2-10.1.10.100, or reserve some IPs from the LAN for your www and mail server, OR use some IPs outside the DHCP range so they are not conflicting with other devices in the network.
For example, if you go for this configuration then you will need to configure 1-to-1 NAT on your Comcast router/modem and set it as this:
Comcast router
LAN DHCP range for personal computers/laptop
DHCP range 10.1.10.2-10.1.10.100

1-to-1 NAT
Public IP - Private IP
71.25.29.169 - 10.1.10.169 (mail)
71.25.29.170 - 10.1.10.170 (www)

10.1.10.101-254 outside the DHCP range for static configured devices (AP, Network switches, Server, Printers and so on)
www server
IP: 10.1.10.170
Mask 255.255.255.0
Gateway: 10.1.10.1
DNS1: 75.75.75.75
DNS2: 75.75.76.76

mail server
IP: 10.1.10.169
Mask 255.255.255.0
Gateway: 10.1.10.1
DNS1: 75.75.75.75
DNS2: 75.75.76.76

Note: you will need to reconfigure your WWW and Mail server services to reflect the new private IPs.


Option 2:
Set up your public IP addresses directly on your WWW and Mail server
www server
ip: 71.25.29.170
mask: 255.255.255.248
Gateway: 71.25.29.174
DNS1: 75.75.75.75
DNS2: 75.75.76.76

mail server
ip: 71.25.29.169
mask: 255.255.255.248
Gateway: 71.25.29.174
DNS1: 75.75.75.75
DNS2: 75.75.76.76
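The two laptop tests above probe the path one layer at a time: the gateway, then a public address, then the ISP resolver, then name resolution. As an added example (not part of the forum post), the Python script below automates that ladder and names the first layer that fails. The addresses are the ones from the post; the diagnosis wording and the `ping_once`, `run_ladder` and `diagnose` names are my own, and the probes are injectable so the decision logic can be exercised without a network.

```python
"""Staged connectivity check, as in the laptop tests from the forum post.

Added example, not from the post. Stages are probed in order: gateway,
a public address (8.8.8.8), the ISP resolver (75.75.75.75), and name
resolution. The first stage that fails points at the layer to inspect.
The ping/resolve probes are injectable so the logic runs without a network.
"""
import platform
import socket
import subprocess

# Targets from the post; the gateway differs between the two laptop tests.
LAN_TEST = {"gateway": "10.1.10.1", "public": "8.8.8.8", "isp_dns": "75.75.75.75"}
PUBLIC_TEST = {"gateway": "71.25.29.174", "public": "8.8.8.8", "isp_dns": "75.75.75.75"}

# Interpretation of a first failure at each stage (wording is mine).
DIAGNOSIS = {
    "gateway": "modem/router unreachable: check link, IP, mask and gateway on this host",
    "public": "gateway reachable but no upstream path: check routing/NAT on the gateway",
    "isp_dns": "8.8.8.8 reachable but ISP resolver is not: resolver blocked or down",
    "resolve": "raw IPs work but names do not: check /etc/resolv.conf",
}


def ping_once(host, timeout_s=2):
    """Real probe: a single echo request via the system ping binary."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolves(name):
    """Real probe: does the configured resolver answer for this name?"""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def run_ladder(targets, ping=ping_once, resolve=resolves):
    """Probe each stage in order; stop at the first failure.

    Returns (results, failed_stage) where results is a list of (stage, ok)
    and failed_stage is None when every stage passed.
    """
    stages = [
        ("gateway", lambda: ping(targets["gateway"])),
        ("public", lambda: ping(targets["public"])),
        ("isp_dns", lambda: ping(targets["isp_dns"])),
        ("resolve", lambda: resolve("google.com") and resolve("yahoo.com")),
    ]
    results = []
    for name, probe in stages:
        ok = bool(probe())
        results.append((name, ok))
        if not ok:
            return results, name
    return results, None


def diagnose(targets, ping=ping_once, resolve=resolves):
    """One-line verdict for the given target set."""
    results, failed = run_ladder(targets, ping, resolve)
    if failed is None:
        return "all stages passed"
    return f"{failed} failed: {DIAGNOSIS[failed]}"


if __name__ == "__main__":
    results, _ = run_ladder(LAN_TEST)
    for stage, ok in results:
        print(f"{stage:8s} {'ok' if ok else 'FAIL'}")
    print(diagnose(LAN_TEST))
```

Run it with `LAN_TEST` on a laptop plugged into the router's switch port for the first test, and with `PUBLIC_TEST` after switching the laptop to one of the free public addresses for the second; the stage at which it stops is the one to investigate, which in this thread turned out to be the "public" stage on the web server.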
 
From what I understood and saw in the previous config, the webserver is not connected to the router but to the mail server.
His net is like:
Code:
              71.25.29.174     71.25.29.170     
internet-------comcastbox-------mailserver
                                    |
                                    |10.0.0.0/24
                                   webserver
So NAT on the mailserver broke.
Mailserver port 25 actually works.
 
OP
JLAIP
By the way, this is outstanding! We'll need to talk via PM later, but, yes, the www (web) server is connected to the second NIC in the mx (mail) server. That is, the www server is NOT directly connected to the modem/router. This is the way the system has been configured.
 
OP
JLAIP
Sorry, I mucked my last post up. Got it backwards. I've been up for 38 hours working on this...

Router-to-mx server, mx server-to-www server.
mx server IS working (can send/receive email and login via sftp), www server is not (cannot access our website or login via sftp).
 
You need to log in on the mailserver and provide some info,
like ARP tables, routing tables, startup config, firewall/NAT type.
 
Ok, so your web server is NATed behind your mail server in network 10.0.0.0/24; it's connected on your mail server's dc1 interface and shares the same public IP address 71.25.29.170.

Can you provide your firewall configuration on your mail server to verify that the 10.0.0.2 80 to 71.25.29.170 80 NAT is set up there?
Show the content of /etc/ipnat.conf from your mail server, which acts as the router.
 
OP
JLAIP
Sorry, I'm out of my depth here and confused, so I need to take this slow. Plus, freebsd.org is running very slow at my end.
I'm not sure about the 10.0.0.0/24 (I'm not clear on the /24 part?) or whether it's NATed, but, yes, the web server is behind the web server and both SHOULD BE using 71.25.19.170.

Where should ipnat.conf be? I looked in /etc, but it's not there.
 
10.0.0.0/24 means an IP like 10.0.0.x with a 255.255.255.0 netmask.
Anyway, the "key" looks to be on the mailserver.
 
Show the list of current NAT table entry mappings using ipnat -l

Check if you have it here:
/etc/ipf/ipnat.conf
/usr/local/etc/ipnat.conf
/usr/local/etc/ipf/ipnat.conf

Or ipnat.rules


Which version of FreeBSD are you using on the mail server?

Show the content of /etc/ipf.rules

Check if you have ipf.conf
 
OP
JLAIP
Mail server's running v6.3
 

Attachments

  • nat 001.jpg
Is 66.166.191.10 your OLD IP address?
Check if you have ipnat.rules and edit it to reflect your NEW IP address.

Mail server's running v6.3
After you fix this IP address transition you MUST upgrade your server ASAP. Also ask the moderator to delete this topic after you resolve your current situation.
 
OP
JLAIP
Output of ipnat -l is below. Here is /etc/ipf.rules...
# Begin ipf ruleset
#
# outside interface = vr0
# inside interface = dc0
#
# Allow localhost traffic over the lo0 interface
#
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
#
# Block RFC-1918 and similar type spoof attempts
#
block in log quick on vr0 from 192.168.0.0/16 to any
block in log quick on vr0 from 172.16.0.0/12 to any
block in log quick on vr0 from 10.0.0.0/8 to any
block in log quick on vr0 from 127.0.0.0/8 to any
block in log quick on vr0 from 0.0.0.0/8 to any
block in log quick on vr0 from 169.254.0.0/16 to any
block in log quick on vr0 from 192.0.2.0/24 to any
block in log quick on vr0 from 204.152.64.0/23 to any
block in log quick on vr0 from 224.0.0.0/3 to any
#
# Allow traffic for DNS, web, and mail services
# Following 2 lines allow Ralph in
# pass in quick from 24.97.145.202/32 to any keep state
# pass out quick from any to 24.97.145.202/32 keep state
pass in quick proto tcp/udp from any to any port = domain keep state
pass out quick proto tcp/udp from any port = domain to any keep state
pass in quick proto tcp from any to 10.0.0.2/32 port = http keep state
pass out quick on dc0 proto tcp from any to 10.0.0.2/32 port = http keep state
pass in quick proto tcp from any to 10.0.0.2/32 port = https keep state
pass in quick proto tcp from any to any port = smtp keep state
pass in quick proto tcp from any to 64.36.56.98/32 port = pop3 keep state
pass in quick proto tcp from any to 64.36.56.98/32 port = imap keep state
#
# Allow ssh connections from selected outside hosts
#
#pass in quick on vr0 proto tcp from 69.205.50.120/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from any to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 69.251.190.98/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 68.32.116.93/32 to any port = ssh flags S keep state
#pass in quick on vr0 proto tcp from 68.32.119.76/32 to any port = ssh flags S keep state
#
# Allow ping and traceroute from selected hosts
#
#pass in quick on vr0 proto icmp from 69.205.50.120/32 to any keep state
pass in quick on vr0 proto icmp from any to any keep state
#pass in quick on vr0 proto icmp from 69.251.190.98/32 to any keep state
#pass in quick on vr0 proto icmp from 68.32.119.76/32 to any keep state
#
# Allow inside hosts to initiate connections to the outside and receive replies
#
pass in quick on dc0 from any to any keep state
pass out quick on vr0 from any to any keep state
#
# Block and log unwanted tcp udp and icmp connections
# Send tcp reset or host unreachable instead of nothing
#
block return-rst in log quick on vr0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on vr0 proto udp from any to any
block return-icmp-as-dest(port-unr) in log quick on vr0 proto icmp from any to any
#
# Block and log everything else
#
block in log quick all
block out log quick all
#
# End ipf ruleset
 

Attachments

  • nat 002.jpg
Edit your ipnat configuration and change 66.166.191.10 to 71.25.29.170.

Then clear your current table using ipnat -C and load your new configuration using ipnat -f /etc/ipnat.rules (or wherever your ipnat.rules/ipnat.conf is located).

Then check your NAT table again using ipnat -l
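The edit above is the crux of the thread: a map/rdr rule in ipnat.rules still carried the old public address after the move. As an added example (not from the thread, and not FreeBSD's own tooling), the Python script below parses the `map` and `rdr` lines of an ipnat rules file, reports any address that falls outside the networks you expect to own, rewrites the old address, and lists the reload sequence from the post. The sample rules are constructed for this example, modelled on the thread's topology; the expected public block 71.25.29.168/29 follows from the 255.255.255.248 mask quoted earlier in the thread; the rules path and the names `stale_addresses` and `replace_address` are my assumptions.

```python
"""Find addresses in an ipnat rules file that are no longer ours.

Added example, not from the thread. The thread's root cause was a map/rdr
rule in ipnat.rules still carrying the old public address 66.166.191.10
after the move to 71.25.29.170. This script parses the map/rdr lines,
flags any address outside the networks we expect to own, and rewrites the
old address so the file can be reloaded with ipnat -C / ipnat -f / ipnat -l.
"""
import ipaddress
import re

# Constructed sample rules modelled on the thread's topology: outside vr0,
# inside 10.0.0.0/24, web server at 10.0.0.2. The stale address is left in
# on purpose to show what the check reports.
SAMPLE_RULES = """\
# translate inside hosts to the public address
map vr0 10.0.0.0/24 -> 66.166.191.10/32 portmap tcp/udp 10000:40000
map vr0 10.0.0.0/24 -> 66.166.191.10/32
# forward inbound web traffic to the web server
rdr vr0 71.25.29.170/32 port 80 -> 10.0.0.2 port 80 tcp
rdr vr0 71.25.29.170/32 port 443 -> 10.0.0.2 port 443 tcp
"""

# Networks that may legitimately appear in our NAT rules: the assigned
# public block (71.25.29.169-174 with mask 255.255.255.248 is 71.25.29.168/29)
# and the inside LAN.
EXPECTED = [ipaddress.ip_network("71.25.29.168/29"),
            ipaddress.ip_network("10.0.0.0/24")]

# Commands from the thread to apply a corrected file (the path is an assumption).
RELOAD_STEPS = ["ipnat -C", "ipnat -f /etc/ipnat.rules", "ipnat -l"]

# Dotted quad with optional /prefix, not glued to other digits or dots.
ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])")


def addresses_in_rule(line):
    """Networks named on one map/rdr/bimap line; comments and other lines give []."""
    line = line.split("#", 1)[0].strip()
    if not line or line.split()[0] not in ("map", "rdr", "bimap"):
        return []
    nets = []
    for ip, plen in ADDR_RE.findall(line):
        nets.append(ipaddress.ip_network(f"{ip}/{plen or 32}", strict=False))
    return nets


def stale_addresses(rules_text, expected=EXPECTED):
    """List (line_no, address) for every address not inside an expected network."""
    stale = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        for net in addresses_in_rule(line):
            if not any(net.subnet_of(exp) for exp in expected):
                stale.append((no, str(net)))
    return stale


def replace_address(rules_text, old, new):
    """Replace whole occurrences of one dotted-quad address with another."""
    pattern = r"(?<![\d.])" + re.escape(old) + r"(?![\d.])"
    return re.sub(pattern, new, rules_text)


if __name__ == "__main__":
    for no, addr in stale_addresses(SAMPLE_RULES):
        print(f"line {no}: {addr} is not in an expected network")
    fixed = replace_address(SAMPLE_RULES, "66.166.191.10", "71.25.29.170")
    print("after fix, stale entries:", stale_addresses(fixed))
    print("then run:", "; ".join(RELOAD_STEPS))
```

Point `stale_addresses` at the real file's contents (and adjust `EXPECTED` to your own assigned block and LAN) whenever a public address changes; the ipf ruleset is worth the same pass, since `pass`/`block` lines that name a specific host address go stale in exactly the same way.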
 
OP
JLAIP
I've updated /etc/ipnat.rules with the new IPs and rebooted the mail server. It's still working, but no change on the www server. Ping to 8.8.8.8 or yahoo.com returns:
ping: sendto: No route to host
 
OP
JLAIP
That looks better!
 

Attachments

  • nat 002.jpg
OP
JLAIP

Attachments

  • ifconfig.jpg
  • resolv 001.jpg
  • resolv 004.jpg