No Route to Host Error

JasonB


Hi there, newbie here.

I am running an Apache 2.2 webserver on my FreeBSD machine, which is part of a home network, connected to a Netgear router. I have port 80 forwarded from my router, to my FreeBSD machine to accept HTTP requests.

I am able to connect to my Apache server from within the network, using a web browser and my internal address, as well as my WAN address, and my Domain name. I cannot connect from anywhere outside of the home network though or I get a (113) No route to host error.

I just purchased the domain yesterday. Pings from inside of the network are ok. Traceroutes fail before the first hop:

traceroute to http://www.mydomain.com (xxx.xx.xx.xxx), 64 hops max, 40 byte packets


1) * * * *
2) * * * *
3) * * * * etc.


I was just wondering if anyone could shed some light on how to troubleshoot this more? I'm trying to figure out if it is an Apache configuration issue, a firewall somewhere, maybe a DNS resolution issue since the Domain Name is so new...?

I'm pretty new to BSD so I'm not sure of all the tools I may have at my disposal to narrow this down. I am running an nmap scan right now, but after that I think I'm out of ideas.
 

DutchDaemon


You bought the domain yesterday? That sounds like a DNS resolving matter first of all. If you have query access to any outside DNS server (like your ISP's), try

dig @dns.server A www.mydomain.com

and see if it resolves.
 

SirDice


See if you can traceroute and/or connect to the apache webserver from outside using your IP address. If that works your setup is correct and it's a name resolving issue. New domains (or changes to them) do take some time to propagate.
 
JasonB

Thanks for the replies.

I did a

# dig @dns.com A mydomain.com


and it correctly resolved to the WAN address of my router. Also, typing in the WAN address directly in an out of network browser, or proxy server gets me the "no route to host" or "couldn't connect to host" error as well.

I'm still able to connect to both my domain, and WAN address from local computers though.
 

DutchDaemon


'No route to host' is not a good one ... any chance your ISP filters server ports? If you want me to take a look at it with some diagnostic tools, PM me with the hostname and IP-address.
 

SirDice


JasonB said:
I did a

# dig @dns.com A mydomain.com


and it correctly resolved to the WAN address of my router. Also, typing in the WAN address directly in an out of network browser, or proxy server gets me the "no route to host" or "couldn't connect to host" error as well.

I'm still able to connect to both my domain, and WAN address from local computers though.

Ok. So name resolving isn't the issue. It's a routing issue. How's your router set up? What kind of public address do you have, a range or a single address? Is your ISP aware of your range/address? Do they route your address(es) correctly to you? Are you able to verify packets are actually arriving at your router?
 

DutchDaemon


Jason PM'ed me his hostname and IP address, and the outcome is crystal clear: a tcp-traceroute to port 80 ends on a router in his ISP's network and the result carries the "!A" flag:

Code:
       !A (communication with destination network administratively prohibited)

When running Wireshark, a visit to the website is greeted with:

Code:
151	21:15:21.117501	(destination ip)	(source ip)	ICMP	Destination unreachable (Communication administratively filtered)

The ISP is unequivocally filtering port 80.

Sorry, Jason ..
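
Added example, not part of the thread or any poster's own code: a small parser that reads saved traceroute output and separates the "!A" case described above (a router answering with ICMP administratively prohibited) from the all-asterisk output in the first post, which proves nothing either way. The function name `triage`, the verdict labels and the sample traces (documentation-range addresses) are constructed for illustration; the flags other than "!A" are the ones listed in traceroute(8).

```python
import re

# Annotations traceroute(8) prints after a probe time when an ICMP
# "destination unreachable" comes back. "!A" is the one quoted in the thread.
FLAGS = {
    "!H": ("routing", "host unreachable"),
    "!N": ("routing", "network unreachable"),
    "!A": ("filtered", "destination network administratively prohibited"),
    "!Z": ("filtered", "destination host administratively prohibited"),
    "!X": ("filtered", "communication administratively prohibited"),
}
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Constructed sample output (documentation-range addresses, not from the thread).
SAMPLE_FILTERED = """\
traceroute to www.example.net (198.51.100.10), 64 hops max, 40 byte packets
 1  192.0.2.1  0.512 ms  0.430 ms  0.401 ms
 2  203.0.113.1  9.120 ms  8.944 ms  9.310 ms
 3  203.0.113.9  11.204 ms !A  11.090 ms !A  11.377 ms !A
"""
SAMPLE_SILENT = """\
traceroute to www.example.net (198.51.100.10), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
"""

def triage(trace_text):
    """Return (verdict, hop, responder, detail) for the first annotated hop."""
    silent_hops = answered_hops = 0
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        hop, tokens = int(m.group(1)), m.group(2).split()
        hit = next((t for t in tokens if t in FLAGS), None)
        if hit:
            verdict, detail = FLAGS[hit]
            responder = next((t for t in tokens if t != "*"), None)
            return verdict, hop, responder, detail
        if all(t == "*" for t in tokens):
            silent_hops += 1
        else:
            answered_hops += 1
    # No ICMP unreachable seen: all-silent output proves nothing either way.
    verdict = "inconclusive" if silent_hops and not answered_hops else "no-unreachable"
    return verdict, None, None, ""

if __name__ == "__main__":
    print(triage(SAMPLE_FILTERED))
    print(triage(SAMPLE_SILENT))
```

The responder address on a "filtered" verdict is the router that sent the ICMP message, which tells you whose policy is dropping the traffic.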
 
JasonB

SirDice said:
Ok. So name resolving isn't the issue. It's a routing issue. How's your router set up? What kind of public address do you have, a range or a single address? Is your ISP aware of your range/address? Do they route your address(es) correctly to you? Are you able to verify packets are actually arriving at your router?

Right now my router is set up to forward incoming requests on port 80 to my FreeBSD machine. Yesterday, I disabled everything I could think of in the router settings including the Firewall, and changing NAT from secure to open. It is also set up to get its IP, and DNS address dynamically from the ISP (they did not offer static addresses when I called).

I live in an apartment complex which I think has a hub for the entire complex. Doing a traceroute to Google gives me:

1) 192.168.1.1
2) 10.203.72.1

If I'm not mistaken those are both local addresses a packet passes through before getting to an outside IP address on the 3rd stop.

I believe I have just a single address I'm assigned, and I'm not entirely sure how I can verify if packets are arriving at my router. Is there a way to check this?


Thanks.
 
JasonB

DutchDaemon said:
Jason PM'ed me his hostname and IP address, and the outcome is crystal clear: a tcp-traceroute to port 80 ends on a router in his ISP's network and the result carries the "!A" flag:

Code:
       !A (communication with destination network administratively prohibited)

When running Wireshark, a visit to the website is greeted with:

Code:
151	21:15:21.117501	(destination ip)	(source ip)	ICMP	Destination unreachable (Communication administratively filtered)

The ISP is unequivocally filtering port 80.

Sorry, Jason ..

Lol, yeah no problem. Thanks for looking into this for me.

I just graduated so I was going to try and impress employers by hosting some websites on my own server. If they base it on charm and good looks, I have no chance. ;)

I will just find a regular host to put them on until we get out of this apartment.

Thanks again.
 

DutchDaemon


Sure thing. I did some further tracing: they're specifically blocking ports 25 and 80. It looks like 21 (ftp), 22 (ssh), 110 (pop3), 143 (imap) are all allowed. You could easily host your site on a port like 81 or 1080, but it makes your URL look weird, of course.
 

SirDice


JasonB said:
I live in an apartment complex which I think has a hub for the entire complex. Doing a traceroute to Google gives me:

1) 192.168.1.1
2) 10.203.72.1

If I'm not mistaken those are both local addresses a packet passes through before getting to an outside IP address on the 3rd stop.

Hmm.. I'm assuming 192.168.1.1 is your router? If so there's probably another NAT happening at the 10.0.0.0/8 network. This might be the ISP. To get anything connected from the outside the ports would need to be redirected there too. But this would need involvement from the ISP. Usually they're not too helpful with this.

I believe I have just a single address I'm assigned, and I'm not entirely sure how I can verify if packets are arriving at my router. Is there a way to check this?

tcpdump(1) and net/wireshark are the tools for the job. You probably can't run those on your router (unless it runs Linux or BSD :e ) but you can run it on your server.
 