Installed pfSense and now website won't show?

38 posts / 0 new
Last post
#1 Sun, 02/09/2014 - 23:00
eiger3970

Installed pfSense and now website won't show?

Hi, I setup pfSense and added all the port forwards from my router, into pfSense, but my website still won't show?

I have tried: Linux > Terminal > $ ping www.domain.com > unknown host www.domain.com. I accessed Proxmox via Mint > Chrome > 192.168.1.160 > Webserver is running. I accessed Webmin VirtualServer via Mint > Chrome > https://192.168.1.163:10000 > Username: root > Password: xxx > Enter > System Information, all services are up. I accessed Webmin via Mint > Terminal >

$ ssh root@192.168.1.163.
[root@centos ~]# dig www.domain.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58817
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.domain.com.        IN  A
 
;; Query time: 3 msec
;; SERVER: 192.168.1.180#53(192.168.1.180)
;; WHEN: Thu Feb  6 16:53:56 2014
;; MSG SIZE  rcvd: 37

www.intodns.com > www.domain.com > Error:

Parent   Info    Domain NS records   Nameserver records returned by the parent servers are:
 
ns2.domain.com.   ['WANIP']   [TTL=14400] 
ns1.domain.com.   ['WANIP']   [TTL=14400] 
 
w.au was kind enough to give us that information.
Warn    TLD Parent Check    WARNING: Looks like the parent servers do not have information for your TLD when asked. This is ok but can be confusing.
Pass    Your nameservers are listed Good. The parent server w.au has your nameservers listed. This is a must if you want to be found as anyone that does not know your DNS servers will first ask the parent nameservers.
Pass    DNS Parent sent Glue    Good. The parent nameserver sent GLUE, meaning he sent your nameservers as well as the IPs of your nameservers. Glue records are A records that are associated with NS records to provide "bootstrapping" information to the nameserver.(see RFC 1912 section 2.3)
Pass    Nameservers A records   Good. Every nameserver listed has A records. This is a must if you want to be found.
NS  Info    NS records from your nameservers    NS records got from your nameservers listed at the parent NS are:
Oups! I could not get any nameservers from your nameservers (the ones listed at the parent server). Please verify that they are not lame nameservers and are configured properly. 
 
Pass    Recursive Queries   Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.
Pass    Same Glue   Hmm,I do not consider this to be an error yet, since I did not detect any nameservers at your nameservers.
Pass    Glue for NS records OK. Your nameservers (the ones reported by the parent server) have no ideea who your nameservers are so this will be a pass since you already have a lot of errors!
Error   Mismatched NS records   WARNING: One or more of your nameservers did not return any of your NS records.
Error   DNS servers responded   ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
124.191.169.67
Pass    Name of nameservers are valid   OK. The nameservers reported by the parent send out nothing as shown above. I can't check nothing so it's a green!
Error   Multiple Nameservers    ERROR: Looks like you have less than 2 nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.
Pass    Nameservers are lame    OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
Pass    Missing nameservers reported by parent  OK. All NS records are the same at the parent and at your nameservers.
Error   Missing nameservers reported by your nameservers    You should already know that your NS records at your nameservers are missing, so here it is again: 
 
ns2.domain.com. 
ns1.domain.com. 
 
Pass    Domain CNAMEs   OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
Pass    NSs CNAME check OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
Pass    Different subnets   OK. Looks like you have nameservers on different subnets!
Pass    IPs of nameservers are public   Ok. Looks like the IP addresses of your nameservers are public. This is a good thing because it will prevent DNS delays and other problems like
Pass    DNS servers allow TCP connection    OK. Seems all your DNS servers allow TCP connections. This is a good thing and useful even if UDP connections are used by default.
Pass    Different autonomous systems    OK. It seems you are safe from a single point of failure. You must be careful about this and try to have nameservers on different locations as it can prevent a lot of problems if one nameserver goes down.
Pass    Stealth NS records sent Ok. No stealth ns records are sent
SOA Error   SOA record  No valid SOA record came back!
MX  Error   MX Records  Oh well, I did not detect any MX records so you probably don't have any and if you know you should have then they may be missing at your nameservers!
WWW Error   WWW A Record     ERROR: I could not get any A records for www.domain.com!
 
(I only do a cache request, if you recently added a WWW A record, it might not show up here.)

I went back into Webmin > Servers > BIND DNS Server > Existing DNS Zones > Zone: domain.com > Edit Master Zone > Type: All > Type: NS says domain.com. I think name server should be ns1.domain.com and ns2.domain.com.

I backed up current webmin files in Virtualmin > Backup and Restore > Scheduled Backups > Add a new backup schedule > Virtual servers > Servers to save: All virtual servers > Destination and format > Backup destinations: Local file or directory > Browse... > tmp > Backup (make folder if not there in tmp mkdir backup) > Ok > Create Schedule > Actions: Backup.. > Backup Now.

I tried restore but backups are of whole Virtualmin server from Proxmox. Had to restore whole webserver on Proxmox.

www.domain.com still won't load. www.intodns.com gives same nameserver error.

I haven't changed or deleted any nameservers, so I don't know if this is the true error or not, as pfSense install could probably not effect the name servers?

Mon, 02/10/2014 - 02:37
Locutus

Sorry, this is much too complex with way too little information to give any meaningful advice.

What does Virtualmin have to do with pfSense and Proxmox? Yes I know what those are, you haven't told us in any way how those are related in your installation.

Why do you have a "router" and pfSense? The latter is a router. What is "Mint"?

You need to first give us details about your exact installation and network strutcture, before telling us tons of stuff you tried that we can't reproduce since we have no idea about your system.

Mon, 02/10/2014 - 03:27 (Reply to #2)
eiger3970

Okay, here's a topology: Cable COAX > Cable Modem WAN > Cable Modem LAN > pfSense WAN > pfSense LAN > Switch > router LAN1 > router LAN2 > network (Proxmox > Virtualmin).

Modem DHCP server: enabled.
Modem WAN default gateway from ISP: xxx.xxx.xxx.x.
Modem WAN DMZ Address: 192.168.0.4. (not sure on where this address is for?)
Modem WAN DHCP from ISP: xxx.xxxx.xx.xx.
Modem WAN DNS from ISP: 8.8.8.8.
Modem WAN DNS from ISP: 8.8.4.4.
Modem WAN subnet mask: 255.255.240.0.
Modem LAN: 192.168.0.50.
Modem LAN subnet mask: 255.255.255.0.
pfSense DHCP server: disabled.
pfSense WAN DHCP from modem LAN: 192.168.0.2/24.
pfSense LAN: 192.168.1.155.
Switch: to LAN networked devices.
Router Wi-Fi DHCP server: disable as mode is AP.
Router Wi-Fi WAN: not needed as mode is AP.
Router Wi-Fi LAN: 192.168.1.180.
Router Wi-Fi LAN subnet mask: 255.255.255.0.
Router Wi-Fi LAN gateway: 192.168.1.155.
Networked LAN devices DHCP server: disabled.
Networked LAN devices: static 255.255.255.0 subnet IPs.
Mon, 02/10/2014 - 04:27
Locutus

Alrighty, I'm sorry but I won't even start trying to understand/debug a complex structure like that, with multiple cascaded routers and DHCP, apparently on a home connection again, and DMZ, virtualization and stuff, where problems can have a myriad of reasons, by guessing over the forum. :)

All I could offer is personal support (instant messenger / Teamviewer) for a fee. But since I know that you're not interested in paid support, I hope that someone else is willing/able to help you with this for free! Good luck!

Mon, 02/10/2014 - 06:04
eiger3970

Thank you for the reply and I'm sorry I cannot afford any money as an honest hard working IT person. When the science and business makes some money I would prefer to resolve the issue quickly. This is a business connection by the way, so not sure where your inference came from.

So, some information that may help... Virtualmin > System Settings > Re-Check Configuration showed error DNS settings were wrong.

I updated the Gateway from the old router 192.168.1.180 to the new pfSense router 192.168.1.155. Webmin > Networking > Network Configuration > Routing and Gateways > Create active route > Route destination: Default route > Netmask for destination: Default > Route via: Gateway > Create.

I could then update Webmin > Networking > Network Configuration > Hostname and DNS Client > DNS servers from 192.168.1.180 to 127.0.0.1.

Virtualmin > System Settings > Re-Check Configuration, then showed Virtualmin working.

However the same www.intodns.com error about ns1.domain.com and ns2.domain.com occur.

Mon, 02/10/2014 - 17:10
eiger3970

I loaded up Virtualmin this morning to continue working on the error: You should already know that your NS records at your nameservers are missing, so here it is again: ns1.domain.com. ns2.domain.com.

So, I added Webmin > Network Configuration > ns1.domain.com. and ns2.domain.com. > WANIP. Virtualmin > System Settings > Re-Check Configuration > error: Checking Configuration
The status of your system is being checked to ensure that all enabled features are available, that the mail server is properly configured, and that quotas are active .. Your system has 996.68 MB of memory, which is at or above the Virtualmin recommended minimum of 256 MB. Virtualmin is configured to setup DNS zones, but this system is not setup to use itself as a DNS server. Either add 127.0.0.1 to the list of DNS servers, or turn off the BIND feature on the module config page.

.. your system is not ready for use by Virtualmin.

So, I checked Hostname and DNS Client > DNS Client Options > DNS server is 192.168.1.180, not 127.0.0.1 or 192.168.1.155 like I set it to yesterday?

Mon, 02/10/2014 - 19:46
Locutus

Might have been overwritten by DHCP.

Mon, 02/10/2014 - 23:59 (Reply to #7)
eiger3970

The DHCP is coming from the cable modem. The 192.168.1.180 was the old static IP of the old router.

I don't know why Virtualmin won't save the new gateway which is 192.168.1.155 (pfSense router, which had the DHCP server disabled).

Virtualmin says to use 127.0.0.1, but this also won't save? I checked for named.conf in /etc/ and no named.conf. I checked resolve.conf in /etc, which only had code saying: nameserver 8.8.8.8

Tue, 02/11/2014 - 00:31
eiger3970

I changed Virtualmin > /etc/dhcp/dhclient.conf from #prepend domain-name-servers 127.0.0.1; to prepend domain-name-servers 127.0.0.1;

Rebooted.

Same errors: Webmin > Networking > Network Configuration > Routing and Gateways > Active configuration > Default Route > 192.168.1.180 (old router's IP address. Should be new pfSense router's IP 192.168.1.155).

Webmin > Networking > Network Configuration > Hostname and DNS Client > DNS Client Options > DNS servers: 192.168.1.180 (old router's IP address. Should be 127.0.0.1 or pfSense router's IP 192.168.1.155).

Tue, 02/11/2014 - 04:15
Locutus

I suggest not using DHCP for servers like this. Especially in a private network where you have control over what IPs get assigned for what. DHCP only leads to unnecessary confusion for servers, especially if you run DNS or have to do port forwarding.

Tue, 02/11/2014 - 05:45 (Reply to #10)
eiger3970

The Virtualmin server has a static IP. Only the cable modem has a DHCP server enabled.

All the port forwarding is set to Virtualmin's static IP. DNS still not working though.

Tue, 02/11/2014 - 07:41
Locutus

Okay, no idea then why your DNS server settings should get changed. Normally only the DHCP client does that.

Wed, 02/12/2014 - 01:16 (Reply to #12)
eiger3970

Well, pfSense router removed and website works. So, either Virtualmin needs the default gateway to update from the old router to pfSense router or pfSense is blocking the DNS.

Virtualmin seems to be problematic with the default gateway, so I need help here to make this work properly.

Wed, 02/12/2014 - 02:33 (Reply to #13)
Locutus

Virtualmin normally works all okay with pfSense and static IPs. I'm running this myself on my VMware based virtualization hosts. No idea why it doesn't for you, and unfortunately your network is too complex for me to try and figure out via forum.

Wed, 02/19/2014 - 01:21
eiger3970

Okay, when I go to Virtualmin > System Settings > Re-Check Configuration, the same error occurs: .. your system is not ready for use by Virtualmin.

I click on: list of DNS servers. This takes me to Hostname and DNS Client, which has settings: DNS Client Options Hostname: localhost.localdomain Ticked, Update hostname in host addresses if changed? Resolution order: Hosts file, DNS. DNS servers: 192.168.1.180.

I change the DNS server to 127.0.0.1 and www.intodns.com still says DNS cannot be reached. I reboot Virtualmin and the DNS server of 127.0.0.1 changes back to 192.168.1.180.

My old router's IP was 192.168.1.180 and the website works if I remove pfSense and connect to the old router.

If anyone can help, I'll PM the network topology.

Wed, 02/19/2014 - 14:38 (Reply to #15)
eiger3970

Tried changing the default gateway again from 192.168.1.180 to 192.168.1.155. Tried changing the Hostname and DNS Client from 192.168.1.180 to 192.168.1.155 and 127.0.0.1.

Apply configuration and Virtualmin ignores changes and uses old 192.168.1.180 data? How to change these settings?

Thu, 02/20/2014 - 20:08
eiger3970

Well, problem fixed.

Virtualmin is indeed faulty. Changing default gateway via GUI fails.

I navigated to /etc/sysconfig/network-scripts > changed GATEWAY=192.168.1.180 TO 192.168.1.155.

So, now only settings to change is DNS server from 192.168.1.180 to 192.168.1.155 or 127.0.0.1.

Anyone able to show me the path to this location?

Thu, 02/20/2014 - 22:43
eiger3970

Okay, I found the location for the Virtualmin > Webmin > Networking > Network Configuration > Hostname and DNS Client. /etc/resolv.conf.

I changed

# Generated by NetworkManager
search com
nameserver 192.168.1.180

to

# Generated by NetworkManager
search com
nameserver 192.168.1.155
nameserver 127.0.0.1

The GUI then showed the updated DNS server settings. Website still doesn't show. I rebooted Virtualmin and DNS server settings went back to

# Generated by NetworkManager
search com
nameserver 192.168.1.180

Interesting as the Default Gateway settings are kept after I updated via the cli.

Any suggestions?

Fri, 02/21/2014 - 02:46
Locutus

Might get overwritten by that "network manager" that's mentioned in the comment in the file. Don't know what that is though, I'm not familiar with your system.

Sat, 02/22/2014 - 13:56
eiger3970

Thank you for the reply.

The system is Virtualmin. System hostname: localhost.localdomain (127.0.0.1). Webmin version: 1.660. Theme version: 8.7. Kernel and CPU: Linux 2.6.32-358.el6.x86_64 on x86_64. Running processes: 176. Operating system: CentOS Linux 6.4. Virtualmin version: 4.03.gpl GPL.

Sun, 02/23/2014 - 11:34
Locutus

Sorry, as I said I'm not familiar with CentOS, no idea what might be overwriting your network config there. Eric might know, he's more familiar with CentOS.

Mon, 02/24/2014 - 09:23
andreychek

reboot Virtualmin and the DNS server of 127.0.0.1 changes back to 192.168.1.180

Is your system using DHCP for obtaining it's IP addresses?

If so, that would explain some of the behavior you're seeing.

You'd want to make sure your server is configured to use static IP addresses, and not dynamic ones, which can cause a lot of settings to be overwritten each time the system is rebooted or networking restarted.

-Eric

Mon, 02/24/2014 - 09:25
Locutus

@Eric: I had already uttered that idea a while ago, but Eiger claims that his server is using a static IP.

Mon, 02/24/2014 - 20:34 (Reply to #23)
eiger3970

Thank you for the reply. Yes, the system (Virtualmin?) has static IPs. Also, CentOS has static IPs setup.

I tried changing the static IPs, in particular, the gateway from 192.168.1.180 to 192.168.1.155 and the settings won't hold, however this is mentioned in the previous couple of posts.

Tue, 02/25/2014 - 03:56
Locutus

Well I still have my doubts there. As per your previous post, the two config files you tried to change are "Generated by NetworkManager". So obviously those files get overwritten by that "network manager". You might want to try and find out what that is and how to disable it.

Are you using a desktop version of CentOS, or a "minimal install" server version? Desktop versions are known to include all kinds of packages that are meant to make life for the end user easier, but which can interfere with server operations.

Wed, 02/26/2014 - 07:18
eiger3970

I thought this NetworkManager was a part of Virtualmin?

I am using CentOS Desktop version.

Wed, 02/26/2014 - 09:05
Locutus

Nope, it's definitely not a part of Virtualmin. It's highly recommended to use a CentOS Server version instead of Desktop. (This applies to all distros actually, not just CentOS.) Your present issues are most likely caused at least in part by that.

Wed, 02/26/2014 - 17:14
eiger3970

Well, I have found out the the password and Network settings for Virtualmin interchanges with Centos. I changed the CentOS Network Default Gateway, DNS and root password, which also changed the details in Virtualmin.

So, now Virtualmin has the correct Network configuration, however still no website showing.

Possibly the Virtualmin > Webmin > Networking > Network Configuration > Hostname and DNS Client > DNS servers > should have 192.168.1.155 and 127.0.0.1, rather than just 192.168.1.155?

Thu, 02/27/2014 - 03:38
Locutus

Sorry, "no website showing" is not a problem report I can work with... That can have dozens of reasons. You need to be more specific and do the usual tests (ping, resolve name, check logs, etc.).

Sat, 03/01/2014 - 01:22
eiger3970

Thank you for the reply. Sorry I wasn't clear. When I say still no website showing, I mean the same errors as per tests on the 1st post in this forum thread.

Sat, 03/01/2014 - 04:43
Locutus

Okay, sorry, can't help you with that via forum as you know. Your structure is too complex for that.

Sun, 03/02/2014 - 18:40
eiger3970

This might help simplify the network setup:
1 LAN computer (192.168.1.120) to the
pfSense router (192.168.1.155) to the
Virtualmin website server (192.168.1.163).

192.168.1.120 ~ $ dig @192.168.1.163 www.domain.tld
 
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @192.168.1.163 www.domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domain.tld.        IN  A
 
;; ANSWER SECTION:
www.domain.tld. 38400   IN  A   xxx.xxx.xxx.xx
 
;; AUTHORITY SECTION:
domain.tld. 38400   IN  NS  localhost.localdomain.
 
;; ADDITIONAL SECTION:
localhost.localdomain.  86400   IN  A   127.0.0.1
localhost.localdomain.  86400   IN  AAAA    ::1
 
;; Query time: 3 msec
;; SERVER: 192.168.1.163#53(192.168.1.163)
;; WHEN: Mon Mar 03 10:02:26 EST 2014
;; MSG SIZE  rcvd: 143
 
 
192.168.1.120 ~ $ nslookup
> server 192.168.1.163
Default server: 192.168.1.163
Address: 192.168.1.163#53
> www.domain.tld
Server:     192.168.1.163
Address:    192.168.1.163#53
 
Name:   www.domain.tld
Address: xxx.xxx.xxx.xx
Sun, 03/02/2014 - 19:42
Locutus

I can't see any errors or problems in the output you just posted. What exactly is the issue at the moment? It'd also help if you avoided placeholders but used the actual IPs and domain names, otherwise I can't do any tests of my own, which complicates the situation.

(Please be aware that I can only try to fix simple and immediate issues here, I can't follow your whole structure - simplified or not - via the forum without screen sharing.)

Mon, 03/03/2014 - 04:57
eiger3970

The issue is the website www.domain.tld (a community charity free site) won't show on the Internet, but I can get it on the LAN.

www.intodns.com says the nameservers are not found?

Sun, 03/02/2014 - 20:34
Locutus

According to the registrar glue records, the IP 124.191.169.67 is the responsible nameserver for that domain. BIND does not reply to requests on that IP though. You need to check if port forwarding is set up correctly (which is most likely the issue, given your complicated multi-router setup), BIND is running and listening on port 53, no firewall is blocking port 53, the usual things.

Tue, 03/04/2014 - 23:42
eiger3970

Would Virtualmin be blocking the DNS packets? I checked the iptables in Virtualmin and I would not know why Virtualmin would start blocking DNS packets?

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Wed, 03/05/2014 - 02:47
Locutus

No, your iptables indicates that port 53 UDP is open on your server. I suppose the issue lies with your cascaded router setup. Especially since you said that it started when you installed that pfSense router.

Sat, 04/12/2014 - 04:00
eiger3970

All fixed. Seemed to be a router WAN IP setting. Thanks for the suggestions.

Topic locked