DaemonForums  
#1
Old 26th September 2013
juslaxnern
New User
Join Date: Sep 2013
Posts: 2
BSD not reachable from Internal LAN

Gooood Morning,

I have a webserver running OpenBSD 5.0 with Apache, and it has been running smoothly since it was built. Well, it's time to upgrade the hardware, and everything was configured appropriately. The issue is:

The original server is accessible from the Outside to DMZ network (NAT rules in place) and also internally (inside to DMZ). I swapped out the server (same IP addresses), cleared ARP on the ASA, and the server is only accessible from the Outside network. The server is completely blocking all requests internally.

I have determined it is not an ASA issue because the same IPs are in place and, once I clear ARP, the server responds correctly from the outside. Packet tracer also shows the traffic being permitted. It is very bizarre. My only thoughts were the PF config, but I tried disabling that to no effect.

Things that changed:

Upgraded to OpenBSD 5.3 x64
New Physical Server
Apache 1.9.3

Fire away with thoughts!

Thanks!
#2
Old 26th September 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Hello, and welcome!

  • You posted this in a FreeBSD subforum. I'll ask one of the admins to move it for you.
  • Did you conduct an upgrade from 5.0 -> 5.1 -> 5.2 -> 5.3? Upgrade directly from 5.0 to 5.3? Reinstall 5.3?
  • Often, the symptoms you describe are caused by improper name resolution in port-forwarded environments. It's so common, there's a section of the PF User's Guide dedicated to it, in a subsection of the Port Forwarding chapter called Redirection and Reflection. Does this apply to your environment? We have no topology information, so this is a guess on my part.
  • If the above does not apply, network diagnostics will be needed. OpenBSD comes with tcpdump(8). Let us know if you need assistance with it.
------

Edited to add:

Since we don't know anything other than what you posted, there's always the possibility of a misconfigured NIC, if you have two or more NICs used with the OpenBSD server. The output of:

$ ifconfig -A

may help us, if that's the case.

#3
Old 27th September 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

When a DMZ configuration does not work, it usually is the routing. The server in the DMZ needs to have the default route set to the DMZ NIC of the firewall. Of course the NAT needs to handle both the external IP <--> DMZ and internal LAN <--> DMZ traffic.
What is the output of # netstat -rn -f inet?

If a client on the LAN tries to connect to the DMZ server, does tcpdump on the server show these incoming requests? Do you see the server sending reply packets?

BTW, in these cases a network diagram is always helpful.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
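As an added example (not code from the thread or from the poster), a small parser for the check J65nko describes: given tcpdump text captured on the DMZ server, it counts per client address the SYNs that reached port 80 and the SYN-ACKs the server sent back, so LAN clients whose requests arrive but get no reply stand out from clients whose requests never reach the server at all. The capture lines, the server address 192.168.10.5 and the client addresses are constructed, in the style of OpenBSD's tcpdump -n output.

```python
import re
from collections import defaultdict

# Constructed sample capture in the style of "tcpdump -n -i <dmz_if> port 80"
# on the DMZ web server 192.168.10.5. Two LAN clients (10.1.1.x) and one
# Internet client (203.0.113.9) send SYNs; 10.1.1.5 never gets a SYN-ACK.
SAMPLE_CAPTURE = """\
09:01:02.100001 10.1.1.5.51234 > 192.168.10.5.80: S 100:100(0) win 65535 <mss 1460>
09:01:02.100010 203.0.113.9.44000 > 192.168.10.5.80: S 300:300(0) win 8192 <mss 1460>
09:01:02.100250 192.168.10.5.80 > 203.0.113.9.44000: S 900:900(0) ack 301 win 16384 <mss 1460>
09:01:03.100001 10.1.1.5.51234 > 192.168.10.5.80: S 100:100(0) win 65535 <mss 1460>
09:01:04.200001 10.1.1.7.40000 > 192.168.10.5.80: S 500:500(0) win 65535 <mss 1460>
09:01:04.200300 192.168.10.5.80 > 10.1.1.7.40000: S 700:700(0) ack 501 win 16384 <mss 1460>
09:01:04.200400 10.1.1.7.40000 > 192.168.10.5.80: . ack 701 win 65535
"""

# timestamp src.sport > dst.dport: FLAGS rest-of-line
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)\s*(?P<rest>.*)$"
)

def syn_report(capture, server_ip, server_port=80):
    """Per client IP: SYNs that reached server_ip:server_port and SYN-ACKs the
    server sent back. In this tcpdump format a SYN-ACK is a line whose flags
    contain 'S' and whose body also carries an 'ack' field."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    port = str(server_port)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or "S" not in m["flags"]:
            continue
        has_ack = " ack " in f" {m['rest']} "
        if m["dst"] == server_ip and m["dport"] == port and not has_ack:
            stats[m["src"]]["syn"] += 1
        elif m["src"] == server_ip and m["sport"] == port and has_ack:
            stats[m["dst"]]["synack"] += 1
    return dict(stats)

def unanswered_clients(capture, server_ip, server_port=80):
    """Clients whose SYNs arrived but never got a SYN-ACK: the request reached
    the server, so look at the server itself (local pf rules, return route)."""
    report = syn_report(capture, server_ip, server_port)
    return sorted(ip for ip, s in report.items() if s["syn"] and not s["synack"])

if __name__ == "__main__":
    for ip, s in sorted(syn_report(SAMPLE_CAPTURE, "192.168.10.5").items()):
        print(f"{ip:15} SYN in: {s['syn']}  SYN-ACK out: {s['synack']}")
    print("no reply sent to:", unanswered_clients(SAMPLE_CAPTURE, "192.168.10.5"))
```

A client that appears in neither column never reached the server, which points at the path in (firewall, NAT, ARP) rather than at the OpenBSD host.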
#4
Old 27th September 2013
juslaxnern
New User
Join Date: Sep 2013
Posts: 2

The upgrade was a swap with new hardware. Old server A running 5.0. New server running 5.3. The pages pull up fine from the public outside world, but are not accessible from the inside LAN. The routing is confirmed set to the NIC of the FW. The FW HAS to be configured correctly because all of the IP routing works when the old server is in place. I believe it had something to do with PF, but it is now disabled. I will try and post tcpdump soon.

Thanks!
#5
Old 27th September 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Thank you for the additional information, juslaxnern.

I'm still not clear about a few things. Perhaps you can clarify when you post here again.
  • How many local area networks / NICs does your webserver have connected? I ask because there are many possible "DMZ" topologies.
  • If only one NIC is used: since PF is disabled, your problem is in your local network configuration, and not in OpenBSD. That problem is either routing or domain name address resolution. J65nko mentioned the former, I mentioned the latter.
  • If two or more NICs are used, you might still have a network configuration problem as above, but you may also have misconfigured one of the NICs.
  • An ASCII "picture" of your network topology, or a link to a graphic, would be helpful. Also helpful would be capturing the output from the ifconfig and route commands that we've both suggested.
  • You may find the script(1) tool useful for capturing console output for later editing/copying/pasting.

In general, the more information you provide to us, the better we can be at helping you. See this guidance for perfect problem reporting.