#269059 - 08/11/2005 14:04
Help: Is my site accessible?
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Hi, I'm in the process of shifting DSL providers, and the IP address of rtr.ca. is changing (will take a few days..). So.. is my webserver accessible today? I just need a couple of people to point their browsers at the Home Docks page, and then post back here as to whether or not it worked. Thanks.
|
Top
|
|
|
|
#269060 - 08/11/2005 14:08
Re: Help: Is my site accessible?
[Re: mlord]
|
veteran
Registered: 21/01/2002
Posts: 1380
Loc: Erie, CO
|
Not from here, DNS returns:
Name: rtr.ca Address: 207.236.110.166
|
Top
|
|
|
|
#269061 - 08/11/2005 14:08
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Not working at the moment for me. Connection is timing out.
Using Scarlet ISP in Belgium.
I'll try again in a few hours.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
|
Top
|
|
|
|
#269062 - 08/11/2005 14:09
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
|
Not working for me.
I'm on Verizon DSL in NY.
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
|
Top
|
|
|
|
#269063 - 08/11/2005 14:13
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
Quote: So.. is my webserver accessible today?
Not from here. nslookup gives:
Non-authoritative answer: Name: rtr.ca Address: 207.236.110.166
_________________________
-- roger
|
Top
|
|
|
|
#269064 - 08/11/2005 14:18
Re: Help: Is my site accessible?
[Re: mlord]
|
addict
Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
|
Not working from Miami, FL via Earthlink DSL. Timed out.
|
Top
|
|
|
|
#269065 - 08/11/2005 14:24
Re: Help: Is my site accessible?
[Re: Roger]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Quote:
Quote: So.. is my webserver accessible today?
Non-authoritative answer: Name: rtr.ca Address: 207.236.110.166
Yeah, that's the original IP address, and it is still connected, but I see no incoming traffic on it now. I can still use it to connect to the outside no problem, though. Weird.
Still broken now?
|
Top
|
|
|
|
#269066 - 08/11/2005 14:28
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Still broken, Mark.
Trying to connect from Rome. ISP: Fastweb.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#269067 - 08/11/2005 14:32
Re: Help: Is my site accessible?
[Re: Taym]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
This is just too weird. I can see the incoming connection attempts with "tcpdump". But my machine never replies. Looking at my hand crafted firewall rules, they are supposed to LOG any TCP syn packets, before filtering stuff. NO logs. ARrrrrG! Just for fun, try hitting my new IP address: http://64.26.128.89/docks/That probably works, or at least gets a reply from apache. Mmm..
|
Top
|
|
|
|
#269069 - 08/11/2005 14:35
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Nope, that doesn't work either for me.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
|
Top
|
|
|
|
#269070 - 08/11/2005 14:39
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Mark, new IP address works, but the requeste URL /docks/ was not found on it . http://64.26.128.89, instead, returns access denied. Both clearly mean the server is there, anyway.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#269071 - 08/11/2005 14:41
Re: Help: Is my site accessible?
[Re: Taym]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Yeah, thanks.
Some kind of dumb routing issue.
For now, I'ved turned off the new IP, so it's probably all working again.
-ml
|
Top
|
|
|
|
#269072 - 08/11/2005 14:43
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
It is
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#269073 - 08/11/2005 15:02
Re: Help: Is my site accessible?
[Re: mlord]
|
addict
Registered: 23/12/2002
Posts: 652
Loc: Winston Salem, NC
|
It's working from the Middle East.
|
Top
|
|
|
|
#269074 - 08/11/2005 15:12
Re: Help: Is my site accessible?
[Re: mlord]
|
enthusiast
Registered: 16/02/2001
Posts: 373
Loc: Switzerland
|
it works form Switzerland!
bye
|
Top
|
|
|
|
#269075 - 08/11/2005 15:27
Re: Help: Is my site accessible?
[Re: crazymelki]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Okay, thanks.
I've undone my changes from last night, so things are fine for the moment.
But I'll ask for more help in a bit, once I read up some on routing with multiple upstream links.
Thanks.
|
Top
|
|
|
|
#269076 - 08/11/2005 16:23
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
How about now: what does this do: http://rtr.ca/ <-- probably is fine and what does this do: http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead? thanks
|
Top
|
|
|
|
#269077 - 08/11/2005 16:27
Re: Help: Is my site accessible?
[Re: mlord]
|
addict
Registered: 01/03/2002
Posts: 599
Loc: Florida
|
Quote: How about now: what does this do:
http://rtr.ca/ <-- probably is fine
This is fine
Quote:
and what does this do:
http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?
thanks
Access Denied You don't have permission to access the requested object. It is either read-protected or not readable by the server.
_________________________
Chad
|
Top
|
|
|
|
#269078 - 08/11/2005 16:28
Re: Help: Is my site accessible?
[Re: Attack]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Quote:
Access Denied You don't have permission to access the requested object. It is either read-protected or not readable by the server.
Oh, good! That might mean I've actually fixed things (apart from apache itself).
Thanks.
|
Top
|
|
|
|
#269079 - 08/11/2005 19:34
Re: Help: Is my site accessible?
[Re: mlord]
|
addict
Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
|
Quote: How about now: what does this do:
http://rtr.ca/ <-- probably is fine
and what does this do:
http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?
thanks
I'm getting
"Access Denied You don't have permission to access the requested object. It is either read-protected or not readable by the server."
to both of the above links.
|
Top
|
|
|
|
#269080 - 08/11/2005 19:49
Re: Help: Is my site accessible?
[Re: petteri]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).
Web access direct to either address should give an apache error ("access denied"), rather than a simple timeout..
Web access directly to rtr.ca, via a nameserver that knows about it, should work. But that will take a day or so to propagate. Meanwhile, I might try to fix my apache config to work regardless..
Can you folks ping me? What does a hostname lookup resolve to for "rtr.ca" ?
Thanks again!
|
Top
|
|
|
|
#269081 - 08/11/2005 20:02
Re: Help: Is my site accessible?
[Re: mlord]
|
veteran
Registered: 19/06/2000
Posts: 1495
Loc: US: CA
|
Code:
# host rtr.ca 206.13.31.12 Using domain server: Name: 206.13.31.12 Address: 206.13.31.12#53 Aliases:
rtr.ca has address 64.26.128.89
# host rtr.ca 206.13.28.12 Using domain server: Name: 206.13.28.12 Address: 206.13.28.12#53 Aliases:
rtr.ca has address 64.26.128.89
# host rtr.ca 4.2.2.1 Using domain server: Name: 4.2.2.1 Address: 4.2.2.1#53 Aliases:
rtr.ca has address 64.26.128.89
# host rtr.ca 216.231.41.2 Using domain server: Name: 216.231.41.2 Address: 216.231.41.2#53 Aliases:
rtr.ca has address 64.26.128.89
# host rtr.ca 64.81.79.2 Using domain server: Name: 64.81.79.2 Address: 64.81.79.2#53 Aliases:
rtr.ca has address 207.236.110.166
_________________________
Donato MkII/080000565 MkIIa/010101253 ricin.us
|
Top
|
|
|
|
#269082 - 08/11/2005 20:19
Re: Help: Is my site accessible?
[Re: ricin]
|
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
|
I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.
_________________________
~ John
|
Top
|
|
|
|
#269083 - 08/11/2005 20:28
Re: Help: Is my site accessible?
[Re: JBjorgen]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Quote: I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.
Cool. Does it work now?
Thanks
|
Top
|
|
|
|
#269084 - 08/11/2005 20:49
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Here's a question for Bitt, or anyone else versed in ip routing..
So my new setup is temporarily using BOTH xDSL lines. One of the lines hosts my domain at the new address, the other still responds to the old address for the time being.
The same firewall machine provides NAT for the internal network, and hosts a webserver (rtr.ca).
None of my internal machines can even ping (let along surf) the webserver using either external address. This means that I get NOTHING when I click on the "Home Docks" link at the top of this page. Pinging/surfing the internal address (third NIC) works okay. This is not a firewall config issue (no logs), but rather a routing issue of some kind.
What must I do to make this work?
Current routing table is below, where 10.0.0.2 is the firewall machine, eth1 (10.0.0.2) is the internal NIC, and eth0 and ppp0 are the external interfaces, and
Code:
[zippy:/] ip route
64.26.128.1 dev ppp0 scope link src 64.26.128.89
207.236.110.0/24 dev eth0 scope link src 207.236.110.166
10.0.0.0/8 dev eth1 scope link src 10.0.0.2
default
nexthop via 207.236.110.1 dev eth0 weight 1
nexthop via 64.26.128.1 dev ppp0 weight 1
Edited by mlord (08/11/2005 20:53)
|
Top
|
|
|
|
#269085 - 08/11/2005 20:56
Re: Help: Is my site accessible?
[Re: mlord]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?
Yeah, that's not going to work.
There's no good reason for it not to work beyond "people who write NATs don't bother to implement that case". You'll need to run two DNS servers, one for your internal clients so that they can get the internal IP addresses for your hostnames and one for the rest of the world.
Alternately, you could look for NAT software that implements that case properly, but they're few and far between, if they exist at all, and if they do, I don't know which they are.
Or is the firewall and the webserver the same machine? If that's the case, it should work, but you may be hitting on the problem above. If so, you should be able to reconfigure your firewall to not NAT when going to the globally routed addresses that are on the NAT machine.
Edited by wfaulk (08/11/2005 21:00)
_________________________
Bitt Faulk
|
Top
|
|
|
|
#269086 - 08/11/2005 20:58
Re: Help: Is my site accessible?
[Re: mlord]
|
enthusiast
Registered: 11/06/2003
Posts: 384
|
Many, possibly it's even fair to say most, NAT implementations behave the way you describe: traffic from behind the NAT to a public IP address in the same subnet as the NAT address simply doesn't work.
It's almost always not a routing issue but rather a limitation of the firewall implementation that really should have been addressed a long time ago, but many implementatins -- even "enterprise" class gear -- still don't work around it.
--Nathan
|
Top
|
|
|
|
#269087 - 08/11/2005 21:05
Re: Help: Is my site accessible?
[Re: mlord]
|
enthusiast
Registered: 11/06/2003
Posts: 384
|
Quote: Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).
Code:
[nathan@heorot nathan]$ dig rtr.ca
; <<>> DiG 9.2.1 <<>> rtr.ca ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28501 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION: ;rtr.ca. IN A
;; ANSWER SECTION: rtr.ca. 23604 IN A 207.236.110.166
;; AUTHORITY SECTION: rtr.ca. 23604 IN NS ns2.granitecanyon.com. rtr.ca. 23604 IN NS ns1.rtr.ca. rtr.ca. 23604 IN NS ns1.granitecanyon.com.
;; ADDITIONAL SECTION: ns1.granitecanyon.com. 153208 IN A 205.166.226.38 ns2.granitecanyon.com. 153208 IN A 69.67.108.10
;; Query time: 27 msec ;; SERVER: 192.168.168.2#53(192.168.168.2) ;; WHEN: Tue Nov 8 15:00:37 2005 ;; MSG SIZE rcvd: 143
[nathan@heorot nathan]$
So the new address is out there, but because of the TTL for the record anyone who did a lookup and got the old address is going to have to wait ~23604 seconds before that lookup expires from their local cache. (Or get their DNS server flushed, but most operators won't do that.)
So the folks who have been helpful before aren't going to be able to be of much help until that TTL expires.
--Nathan
|
Top
|
|
|
|
#269088 - 08/11/2005 21:23
Re: Help: Is my site accessible?
[Re: wfaulk]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Quote: So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?
My gateway machine has 2 external addresses, and one internal address. The internal address connects to our internal LAN. Clients on the internal LAN would like to be able to access the external IP addresses of the gateway machine.
This actually worked, until I modified the routing tables to accept traffic from both external interfaces, but now it does not work. It had been working for years.
Once the nameservers finally update and everyone stops using the old external address, I can disconnect that link, restore the original very simple routing table, and my inside clients should again be able to access the external IP addresses of the gateway. But I'd like to have it working regardless, in case I decide to keep both external IP connections..
Cheers
|
Top
|
|
|
|
|
|