Unofficial empeg BBS

#269059 - 08/11/2005 14:04 Help: Is my site accessible?
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Hi,

I'm in the process of shifting DSL providers, and the IP address of rtr.ca. is changing (will take a few days..).

So.. is my webserver accessible today?

I just need a couple of people to point their browsers at the Home Docks page, and then post back here as to whether or not it worked.

Thanks.

#269060 - 08/11/2005 14:08 Re: Help: Is my site accessible? [Re: mlord]
cushman
veteran

Registered: 21/01/2002
Posts: 1380
Loc: Erie, CO
Not from here, DNS returns:

Name: rtr.ca
Address: 207.236.110.166
_________________________
Mark Cushman

#269061 - 08/11/2005 14:08 Re: Help: Is my site accessible? [Re: mlord]
BartDG
carpal tunnel

Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Not working at the moment for me. Connection is timing out.
Using Scarlet ISP in Belgium.

I'll try again in a few hours.
_________________________
Riocar 80gig S/N : 010101580 red
Riocar 80gig (010102106) - backup

#269062 - 08/11/2005 14:09 Re: Help: Is my site accessible? [Re: mlord]
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Not working for me.

I'm on Verizon DSL in NY.
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

#269063 - 08/11/2005 14:13 Re: Help: Is my site accessible? [Re: mlord]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote:
So.. is my webserver accessible today?


Not from here. nslookup gives:

Non-authoritative answer:
Name: rtr.ca
Address: 207.236.110.166
_________________________
-- roger

#269064 - 08/11/2005 14:18 Re: Help: Is my site accessible? [Re: mlord]
petteri
addict

Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
Not working from Miami, FL via Earthlink DSL. Timed out.

#269065 - 08/11/2005 14:24 Re: Help: Is my site accessible? [Re: Roger]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Quote:
Quote:
So.. is my webserver accessible today?


Non-authoritative answer:
Name: rtr.ca
Address: 207.236.110.166


Yeah, that's the original IP address, and it is still connected, but I see no incoming traffic on it now. I can still use it to connect to the outside no problem, though. Weird.

Still broken now?

#269066 - 08/11/2005 14:28 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Still broken, Mark.

Trying to connect from Rome. ISP: Fastweb.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269067 - 08/11/2005 14:32 Re: Help: Is my site accessible? [Re: Taym]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
This is just too weird.

I can see the incoming connection attempts with "tcpdump". But my machine never replies.

Looking at my hand crafted firewall rules, they are supposed to LOG any TCP syn packets, before filtering stuff. NO logs. ARrrrrG!

Just for fun, try hitting my new IP address:

http://64.26.128.89/docks/

That probably works, or at least gets a reply from apache.

Mmm..

#269068 - 08/11/2005 14:35 Re: Help: Is my site accessible? [Re: mlord]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
Not from here (FL)

DNS stuff reports some DNS errors: some servers are timing out, others don't have an A record.
http://www.dnsstuff.com/tools/dnstime.ch?name=rtr.ca&type=A
_________________________
Chad

#269069 - 08/11/2005 14:35 Re: Help: Is my site accessible? [Re: mlord]
BartDG
carpal tunnel

Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Nope, that doesn't work either for me.
_________________________
Riocar 80gig S/N : 010101580 red
Riocar 80gig (010102106) - backup

#269070 - 08/11/2005 14:39 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Mark, new IP address works, but

the requested URL /docks/ was not found on it.

http://64.26.128.89, instead, returns access denied. Both clearly mean the server is there, anyway.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269071 - 08/11/2005 14:41 Re: Help: Is my site accessible? [Re: Taym]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Yeah, thanks.

Some kind of dumb routing issue.

For now, I've turned off the new IP, so it's probably all working again.

-ml

#269072 - 08/11/2005 14:43 Re: Help: Is my site accessible? [Re: mlord]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
It is
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#269073 - 08/11/2005 15:02 Re: Help: Is my site accessible? [Re: mlord]
Cybjorg
addict

Registered: 23/12/2002
Posts: 652
Loc: Winston Salem, NC
It's working from the Middle East.

#269074 - 08/11/2005 15:12 Re: Help: Is my site accessible? [Re: mlord]
crazymelki
enthusiast

Registered: 16/02/2001
Posts: 373
Loc: Switzerland
It works from Switzerland!

bye
_________________________
crazymelki.com

#269075 - 08/11/2005 15:27 Re: Help: Is my site accessible? [Re: crazymelki]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Okay, thanks.

I've undone my changes from last night, so things are fine for the moment.

But I'll ask for more help in a bit, once I read up some on routing with multiple upstream links.

Thanks.

#269076 - 08/11/2005 16:23 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
How about now: what does this do:

http://rtr.ca/ <-- probably is fine

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks

#269077 - 08/11/2005 16:27 Re: Help: Is my site accessible? [Re: mlord]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
Quote:
How about now: what does this do:

http://rtr.ca/ <-- probably is fine



This is fine

Quote:

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks


Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
_________________________
Chad

#269078 - 08/11/2005 16:28 Re: Help: Is my site accessible? [Re: Attack]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Quote:

Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server.


Oh, good! That might mean I've actually fixed things (apart from apache itself).

Thanks.

#269079 - 08/11/2005 19:34 Re: Help: Is my site accessible? [Re: mlord]
petteri
addict

Registered: 02/08/2004
Posts: 434
Loc: Helsinki, Finland
Quote:
How about now: what does this do:

http://rtr.ca/ <-- probably is fine

and what does this do:

http://64.26.128.89/ <--- probably not fine, but does it timeout, or give an error back instead?

thanks


I'm getting

"Access Denied
You don't have permission to access the requested object. It is either read-protected or not readable by the server."

to both of the above links.

#269080 - 08/11/2005 19:49 Re: Help: Is my site accessible? [Re: petteri]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).

Web access direct to either address should give an apache error ("access denied"), rather than a simple timeout..

Web access directly to rtr.ca, via a nameserver that knows about it, should work. But that will take a day or so to propagate. Meanwhile, I might try to fix my apache config to work regardless..

Can you folks ping me? What does a hostname lookup resolve to for "rtr.ca" ?

Thanks again!

#269081 - 08/11/2005 20:02 Re: Help: Is my site accessible? [Re: mlord]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Code:

# host rtr.ca 206.13.31.12
Using domain server:
Name: 206.13.31.12
Address: 206.13.31.12#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 206.13.28.12
Using domain server:
Name: 206.13.28.12
Address: 206.13.28.12#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 4.2.2.1
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 216.231.41.2
Using domain server:
Name: 216.231.41.2
Address: 216.231.41.2#53
Aliases:

rtr.ca has address 64.26.128.89

# host rtr.ca 64.81.79.2
Using domain server:
Name: 64.81.79.2
Address: 64.81.79.2#53
Aliases:

rtr.ca has address 207.236.110.166

_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us

#269082 - 08/11/2005 20:19 Re: Help: Is my site accessible? [Re: ricin]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.
_________________________
~ John

#269083 - 08/11/2005 20:28 Re: Help: Is my site accessible? [Re: JBjorgen]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Quote:
I get access denied when I visit rtr.ca. My nameserver is pointing to 207.236.110.166.


Cool. Does it work now?

Thanks

#269084 - 08/11/2005 20:49 Re: Help: Is my site accessible? [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Here's a question for Bitt, or anyone else versed in ip routing..

So my new setup is temporarily using BOTH xDSL lines. One of the lines hosts my domain at the new address, the other still responds to the old address for the time being.

The same firewall machine provides NAT for the internal network, and hosts a webserver (rtr.ca).

None of my internal machines can even ping (let alone surf) the webserver using either external address. This means that I get NOTHING when I click on the "Home Docks" link at the top of this page. Pinging/surfing the internal address (third NIC) works okay. This is not a firewall config issue (no logs), but rather a routing issue of some kind.

What must I do to make this work?

Current routing table is below, where 10.0.0.2 is the firewall machine, eth1 (10.0.0.2) is the internal NIC, and eth0 and ppp0 are the external interfaces, and
Code:
[zippy:/] ip route

64.26.128.1 dev ppp0 scope link src 64.26.128.89
207.236.110.0/24 dev eth0 scope link src 207.236.110.166
10.0.0.0/8 dev eth1 scope link src 10.0.0.2
default
    nexthop via 207.236.110.1 dev eth0 weight 1
    nexthop via 64.26.128.1 dev ppp0 weight 1



Edited by mlord (08/11/2005 20:53)

#269085 - 08/11/2005 20:56 Re: Help: Is my site accessible? [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?

Yeah, that's not going to work.

There's no good reason for it not to work beyond "people who write NATs don't bother to implement that case". You'll need to run two DNS servers, one for your internal clients so that they can get the internal IP addresses for your hostnames and one for the rest of the world.

Alternately, you could look for NAT software that implements that case properly, but they're few and far between, if they exist at all, and if they do, I don't know which they are.

Or are the firewall and the webserver the same machine? If that's the case, it should work, but you may be hitting on the problem above. If so, you should be able to reconfigure your firewall to not NAT when going to the globally routed addresses that are on the NAT machine.


Edited by wfaulk (08/11/2005 21:00)
_________________________
Bitt Faulk

#269086 - 08/11/2005 20:58 Re: Help: Is my site accessible? [Re: mlord]
Mataglap
enthusiast

Registered: 11/06/2003
Posts: 384
Many, possibly it's even fair to say most, NAT implementations behave the way you describe: traffic from behind the NAT to a public IP address in the same subnet as the NAT address simply doesn't work.

It's almost always not a routing issue but rather a limitation of the firewall implementation that really should have been addressed a long time ago, but many implementations -- even "enterprise" class gear -- still don't work around it.

--Nathan

#269087 - 08/11/2005 21:05 Re: Help: Is my site accessible? [Re: mlord]
Mataglap
enthusiast

Registered: 11/06/2003
Posts: 384
Quote:
Okay, one more time: DNS is updated now, and my site *should* be responding to pings to both addresses: 207.236.110.166 (old), and 64.26.128.89 (new).


Code:
[nathan@heorot nathan]$ dig rtr.ca

; <<>> DiG 9.2.1 <<>> rtr.ca
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28501
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;rtr.ca. IN A

;; ANSWER SECTION:
rtr.ca. 23604 IN A 207.236.110.166

;; AUTHORITY SECTION:
rtr.ca. 23604 IN NS ns2.granitecanyon.com.
rtr.ca. 23604 IN NS ns1.rtr.ca.
rtr.ca. 23604 IN NS ns1.granitecanyon.com.

;; ADDITIONAL SECTION:
ns1.granitecanyon.com. 153208 IN A 205.166.226.38
ns2.granitecanyon.com. 153208 IN A 69.67.108.10

;; Query time: 27 msec
;; SERVER: 192.168.168.2#53(192.168.168.2)
;; WHEN: Tue Nov 8 15:00:37 2005
;; MSG SIZE rcvd: 143

[nathan@heorot nathan]$



So the new address is out there, but because of the TTL for the record anyone who did a lookup and got the old address is going to have to wait ~23604 seconds before that lookup expires from their local cache. (Or get their DNS server flushed, but most operators won't do that.)

So the folks who have been helpful before aren't going to be able to be of much help until that TTL expires.

--Nathan
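
Added example, not part of Nathan's post or of the thread: a shell helper that reads `dig` output like the one quoted above and reports whether a resolver's cached A record is still the old address, and how long it will stay cached. The function names and the `NEW_ADDR` variable are assumptions; `SAMPLE_DIG` is trimmed from the output in the post.

```sh
#!/bin/sh
# Added example, not from the thread. NEW_ADDR and the function names are
# assumptions; SAMPLE_DIG is trimmed from the dig output quoted in the post.
NEW_ADDR="64.26.128.89"

SAMPLE_DIG=';; QUESTION SECTION:
;rtr.ca. IN A

;; ANSWER SECTION:
rtr.ca. 23604 IN A 207.236.110.166

;; AUTHORITY SECTION:
rtr.ca. 23604 IN NS ns1.rtr.ca.
'

# Print "address ttl" for each A record in the ANSWER section of dig output on stdin.
answer_a_records() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" { print $5, $2 }
    '
}

# "current <addr>" if the resolver already returns the expected address,
# "stale <addr> <h>h<m>m<s>s" with the time left in its cache otherwise,
# "no-a-record" if the answer section is empty (timeout, NXDOMAIN, no A record).
cache_status() {
    answer_a_records | awk -v want="$1" '
        { seen = 1 }
        $1 == want { print "current " $1; next }
        {
            t = $2
            printf "stale %s %dh%02dm%02ds\n", $1, t / 3600, (t % 3600) / 60, t % 60
        }
        END { if (!seen) print "no-a-record" }
    '
}

printf '%s' "$SAMPLE_DIG" | cache_status "$NEW_ADDR"
```

Against a live resolver the same check would be `dig rtr.ca @<resolver> | cache_status "$NEW_ADDR"`, run once per resolver of interest.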

#269088 - 08/11/2005 21:23 Re: Help: Is my site accessible? [Re: wfaulk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Quote:
So, to be clear, you're trying to use your internal machines to connect to an external IP address that's actually a NATted address for an internal machine, right?


My gateway machine has 2 external addresses, and one internal address. The internal address connects to our internal LAN. Clients on the internal LAN would like to be able to access the external IP addresses of the gateway machine.

This actually worked, until I modified the routing tables to accept traffic from both external interfaces, but now it does not work. It had been working for years.

Once the nameservers finally update and everyone stops using the old external address, I can disconnect that link, restore the original very simple routing table, and my inside clients should again be able to access the external IP addresses of the gateway. But I'd like to have it working regardless, in case I decide to keep both external IP connections..

Cheers
