[pfSense] creating a 1:1 NAT WAN to DMZ
moshe at ymkatz.net
Mon Feb 20 12:16:43 EST 2012
The "DNS rebind attack" warning means that you are getting to the
firewall's web site instead of your server.
The subnet you are using when you set the address must be the same as for
the rest of your LAN. Since your LAN has a /24 subnet (192.168.1.1 -
192.168.1.255), your server will not know how to respond to any other
device on your LAN. Change your server to use IP 192.168.1.27, subnet
255.255.255.0 and a broadcast of 192.168.1.255 and see if you can access it
from the LAN.
If you set the subnet to 255.255.255.0 and it goes back to 255.255.255.248,
there has to be something else in your configuration that is doing that.
Try rebooting the box if you can so it will reload all the configs from
-- moshe at ymkatz.net
On Mon, Feb 20, 2012 at 11:42 AM, Jason T. Slack-Moehrle <
slackmoehrle at gmail.com> wrote:
> Hi Guys,
> OK, the latest steps, I also called Comcast and asked to clear the ARP
> entries/table and they were confused, but Level 2 techs knew and they said
> call them if I need it done again.
> 1. I changed the VIP to a .29 (like my public IP's)
> 2. I plugged the NIC in the server that is answering on .27.
> 3. I rebooted my cable modem, letting it sit for 60 seconds before
> reconnecting power.
> 4. I rebooted the pfSense Box
> 5. I rebooted the server that hosts what I want to access, only plugging
> in the second NIC that has the IP 192.168.1.27.
> 6. waited for everything to come up.
> 7. If now I try to hit 6colors.net from the LAN (which is where this
> server is too) I get forwarded to an https://6colors.net:<port> saying
> that there is a potential DNS Rebind attack.
> 8. if I try and hit from a machine that is not on the LAN I get an "unable
> to connect" in a browser.
> 9. I do notice that when I set the NIC in the server to DHCP it gets an ip
> of 192.168.1.101, Subnet: 255.255.255.0, Gateway/Broadcast: 192.168.1.255
> and I can SSH in using the .101 IP, the site comes up when using .101 in a
> browser too from my laptop that is on the same LAN.
> but when I manually assign an ip of 192.168.1.27 (to match my public IP's)
> subnet of: 255.255.255.248 and a Broadcast of: 192.168.1.31 (which seems
> automatic) I cannot SSH into .27 or web, nada. Yes I am restarting
> networking, ssh and apache to be sure.
> when I manually assign an ip of 192.168.1.27 (to match my public IP's)
> subnet of: 255.255.255.0 (like I get when I use DHCP) there is a Broadcast
> of: 192.168.1.31 and do an ifconfig I see the subnet mask of
> 255.255.255.248 still regardless and I cannot SSH in or web, etc.
> Still nothing working.
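The subnet-mask point in the reply above can be checked numerically. The script below is an added example, not code from either poster or from pfSense; it uses Python's standard ipaddress module to work out, for each mask Jason tried, which hosts the server treats as on-link and whether it can reach its default gateway at all. The gateway address 192.168.1.1 (the pfSense LAN address) and the laptop address 192.168.1.101 are assumed from the thread, and the diagnose() helper name is my own.

```python
import ipaddress


def valid_mask(mask):
    """True if mask is a contiguous dotted netmask (rejects typos like 255.255.225.0)."""
    try:
        ipaddress.ip_interface(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False


def broadcast(addr, mask):
    """Directed broadcast address for the network that addr/mask belongs to."""
    return str(ipaddress.ip_interface(f"{addr}/{mask}").network.broadcast_address)


def on_link(src_addr, src_mask, dst_addr):
    """Does the host at src_addr/src_mask treat dst_addr as directly attached?
    If not, traffic to dst_addr is sent to the default gateway instead of ARPed for."""
    network = ipaddress.ip_interface(f"{src_addr}/{src_mask}").network
    return ipaddress.ip_address(dst_addr) in network


def diagnose(server_addr, server_mask, gateway_addr, client_addr, client_mask="255.255.255.0"):
    """Explain why a LAN client can or cannot get replies from the server.

    Assumed topology (from the thread): a /24 LAN behind pfSense, the server
    configured with server_addr/server_mask, the pfSense LAN address as gateway.
    """
    client_sees_server = on_link(client_addr, client_mask, server_addr)
    server_sees_client = on_link(server_addr, server_mask, client_addr)
    server_sees_gateway = on_link(server_addr, server_mask, gateway_addr)
    # The client's request arrives if the client can ARP for the server.
    # The reply gets out only if the server can reach the client directly,
    # or at least reach its gateway to forward the reply.
    can_reply = client_sees_server and (server_sees_client or server_sees_gateway)
    return {
        "server_network": str(ipaddress.ip_interface(f"{server_addr}/{server_mask}").network),
        "server_broadcast": broadcast(server_addr, server_mask),
        "client_sees_server": client_sees_server,
        "server_sees_client": server_sees_client,
        "server_sees_gateway": server_sees_gateway,
        "can_reply": can_reply,
    }


if __name__ == "__main__":
    # Constructed values mirroring the thread: server .27, laptop .101, pfSense .1
    for mask in ("255.255.255.248", "255.255.255.0", "255.255.225.0"):
        if not valid_mask(mask):
            print(f"{mask}: not a valid netmask (check for a typo)")
            continue
        result = diagnose("192.168.1.27", mask, "192.168.1.1", "192.168.1.101")
        print(mask, result)
```

With 255.255.255.248 the server's network is 192.168.1.24/29 (broadcast 192.168.1.31, exactly what Jason saw). The laptop on the /24 still ARPs for .27 and delivers its request, but the server considers both the laptop and the pfSense gateway off-link and has nowhere to send the reply, which matches the symptom of SSH and HTTP timing out only with the /29 mask.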