Solved

Cannot tracert external IP of my firewall.

Posted on 2007-11-18
8
2,134 Views
Last Modified: 2013-12-19
I just installed a secondhand Watchguard Firebox SOHO 6tc and have been working to set it up.  At this time, I am comfortable with setting allowances/restrictions on incoming and outgoing traffic with one exception.  I cannot communicate with my external IP address.  For example, if I set up an FTP server in my network and make the appropriate allowances, people outside of my network can use my FTP server.  I, on the other hand, cannot.  For some reason, I can't communicate with my external IP address while others can.  They are only restricted by my incoming permissions where I can't figure out how to allow myself access to anything.  If I tracert my external IP, it starts timing out as soon as it gets to the point where it would be going through my firewall.  (My firewall never shows up in the tracert if I try my external IP)  If I tracert another IP (such as google), my firewall shows up right before the trace hits my ISP.  Any ideas?  
Question by:Petra_fan1
8 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 20311748
> For some reason, I can't communicate with my external IP address while others can.

from external side or internal?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20313362
I am not sure about the tracert; it should work. Check with your ISP if they are blocking anything. For the FTP or any other server hosted behind the WG SOHO6tc, I think the problem you have is: others can communicate with FTP using the public IP, but you are not able to do so with the external or public IP; you would need to use the internal or private IP instead.
If you have a domain set up, then you should either configure a setting in the hosts file [%windir%/system32/drivers/etc/hosts] which would translate your domain to the internal IP address, or, if you have an internal DNS server, configure it as a caching server for the domain which would redirect all internal requests to the internal IP.

Please let me know if I am able to answer your question.

Thank you,
0
 

Author Comment

by:Petra_fan1
ID: 20590926
Alright, for clarification:
From inside of my network, if I type my external IP address (or the DNS name I registered to my public IP) into my browser, I get nothing.  The page times out.
From outside of my network, if I type my external IP address (or the DNS name I registered to my public IP) into my browser, I get my website.
In both cases, if I ping my DNS name, it resolves to my external IP address, so I know it's not an issue with DNS in my network.

Before using this Firebox, I had a router in the same position in the network, and everything worked fine.  With this said, I thought it might be something I'm blocking with my firewall configuration, but if it was, then I shouldn't be able to access other websites from inside of my network or my website from outside of my network, right?

Any thoughts?  Thanks for the help.
0

 
LVL 32

Accepted Solution

by: dpk_wal (earned 250 total points)
ID: 20592563
Let me explain what is happening:

With most networking devices, the ingress interface cannot be the same as the egress interface.

Now, when you use the external IP or DNS name, the packets go out of the SOHO and would come back on the same interface, which is not supported. A few vendors, like Cisco, implement something called hairpin for such connections; however, WG does not implement hairpin.

So, the solution is to have the internal machines not send the request out but rather query the internal server; so you can modify the hosts file on the individual machines, or, if you have an internal DNS caching server, you can have it redirect all requests for the DNS name to the internal IP.
With the external IP of the website it would not work behind WG at all.

Please let me know if you need more details.

Thank you.
0
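The accepted answer above, and dpk_wal's earlier hosts-file / caching-DNS suggestion, can be checked with a small model. The following Python script is an added example, not code from the thread or from WatchGuard: it models a two-interface NAT firewall with one inbound port forward, routes the three cases discussed (outside user to the public IP, inside user to the public IP, inside user after a split-horizon DNS answer), and shows why the middle case is dropped when the device has no hairpin (NAT loopback) support and what a hairpin-capable device would rewrite instead. All addresses, the zone name `ftp.example.test`, and the hypothetical `NatFirewall`, `deliver` and `split_dns` helpers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for the example (documentation ranges, not real hosts).
WAN_IP = "203.0.113.10"        # firewall's external/public IP
FW_LAN_IP = "192.168.1.1"      # firewall's internal IP
LAN_NET = "192.168.1.0/24"
FTP_SERVER = "192.168.1.20"    # internal server reached via a port forward
LAN_CLIENT = "192.168.1.50"    # a PC inside the network
OUTSIDE_HOST = "198.51.100.7"  # a host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    ingress: str   # interface the packet arrived on: "lan" or "wan"


class NatFirewall:
    """Hypothetical two-interface NAT firewall with static inbound port forwards."""

    def __init__(self, wan_ip, lan_ip, lan_net, port_forwards, hairpin=False):
        self.wan_ip = wan_ip
        self.lan_ip = lan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.port_forwards = port_forwards   # {dport: internal server IP}
        self.hairpin = hairpin               # does the device support NAT loopback?

    def route(self, pkt):
        """Return (egress_interface, translated_packet) or ("drop", reason)."""
        target = self.port_forwards.get(pkt.dport)

        # Inbound from the Internet to the public IP: DNAT to the server.
        if pkt.ingress == "wan" and pkt.dst == self.wan_ip:
            if target is None:
                return ("drop", "no inbound rule for port %d" % pkt.dport)
            return ("lan", replace(pkt, dst=target))

        if pkt.ingress == "lan":
            if pkt.dst == self.wan_ip:
                # A LAN host addressed the firewall's own external IP. The
                # translated packet would have to leave on the interface it
                # arrived on, which the device refuses unless it does hairpin.
                if target is None:
                    return ("drop", "no inbound rule for port %d" % pkt.dport)
                if not self.hairpin:
                    return ("drop", "egress would equal ingress (lan); hairpin unsupported")
                # Hairpin NAT: DNAT to the server and SNAT the source to the
                # firewall's LAN IP so the reply comes back through the firewall
                # and is un-translated, instead of going host-to-host.
                return ("lan", replace(pkt, src=self.lan_ip, dst=target))
            # Ordinary outbound traffic: SNAT to the public IP.
            return ("wan", replace(pkt, src=self.wan_ip))

        return ("drop", "unhandled")


def deliver(fw, pkt):
    """A LAN-to-LAN packet never reaches the firewall; anything else does."""
    if pkt.ingress == "lan" and ipaddress.ip_address(pkt.dst) in fw.lan_net:
        return ("direct", pkt)
    return fw.route(pkt)


def split_dns(name, client_ip, zone, lan_net):
    """Split-horizon answer: internal clients get the private address, everyone
    else the public one (what a hosts-file entry or an internal caching
    resolver achieves)."""
    internal, public = zone[name]
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_net):
        return internal
    return public


ZONE = {"ftp.example.test": (FTP_SERVER, WAN_IP)}   # constructed zone data


def scenarios():
    """Run the cases discussed in the thread and collect the outcomes."""
    out = {}
    for hairpin in (False, True):
        fw = NatFirewall(WAN_IP, FW_LAN_IP, LAN_NET, {21: FTP_SERVER}, hairpin=hairpin)
        tag = "hairpin" if hairpin else "nohairpin"
        # Outside user connects to the public IP: works either way.
        out[tag + "/outside"] = deliver(fw, Packet(OUTSIDE_HOST, WAN_IP, 21, "wan"))
        # Inside user connects to the public IP: dropped without hairpin.
        out[tag + "/inside_public_ip"] = deliver(fw, Packet(LAN_CLIENT, WAN_IP, 21, "lan"))
        # Inside user resolves the name via split DNS and goes direct.
        dst = split_dns("ftp.example.test", LAN_CLIENT, ZONE, LAN_NET)
        out[tag + "/inside_split_dns"] = deliver(fw, Packet(LAN_CLIENT, dst, 21, "lan"))
    return out


if __name__ == "__main__":
    for case, result in scenarios().items():
        print("%-26s -> %s" % (case, result))
```

The `inside_split_dns` case never touches the firewall at all, which is the whole point of the hosts-file or caching-resolver fix: the client is handed the private address and talks to the server on the local segment. It also matches the tracert symptom in the question, since a packet to the WAN IP from the LAN is dropped at the firewall rather than forwarded, so the trace stops there.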
 

Author Comment

by:Petra_fan1
ID: 20592580
That is the answer I was looking for.  Unfortunately, it's not the answer I wanted, but it makes perfect sense when put that way.  I have modified my internal DNS system accordingly but have been running into some difficulty due to port/name relations, where a firewall/router can specify ports and then the internal device recognizes names...  But I'm working towards a solution with a reverse transparent proxy that I am trying to implement.  If I am correct, that should give me a solution I'll be happier with.  Thank you for your time.
0
 

Author Closing Comment

by:Petra_fan1
ID: 31409845
Thank you very much.  You explained that very well.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20592599
You are welcome. The proxy might help, but I am not 100% sure, because if the proxy would also query on the public IP then the same thing would happen.

Thank you.
0
 

Author Comment

by:Petra_fan1
ID: 20592632
That's why my aim is to use that in conjunction with my internal DNS so all computers will be oblivious to the rerouting (which is why I am thinking of the transparent option).  It's kind of a hack idea, but I think it will work nicely when properly implemented.  It is a small enough network that it shouldn't be a problem (I hope.  LOL).
0