Access FreeNAS Jail From outside local network not working

SamMachine

Hi everyone, as a disclaimer, I am a newbie with FreeNAS and using Jails so don't hate too much.

My question is that I want to access my website which I have running inside a jail on my FreeNAS machine. It is running build 11.0-U2 and the jail has apache24 installed. I can access it fine using the local IP on my network, but when I type the public IP of the jail into my browser, it says, "This site can't be reached" 24.16.xxx.xxx took too long to respond.

Currently, I am forwarding port 80 on my router to get to my localhost but still no luck.

Sorry if it seems dumb and the answer is really simple, but I have been looking for how to fix it for a while and nothing has helped.
 
kdragon75

Also NAT reflection would be needed. At least I think that's what it's called.
 

SamMachine

So here is an update: for some reason, the public IP I was using was the wrong one. I used a command to print the public IP. It was supposed to print out its public IP. I assumed it was right but it was the wrong command.

What is the best command to get the public IP in FreeNAS?
 

Heracles

Hi Sam,

From a browser, you can go on a web site like myipaddress.com and it will show you the IP address you are using when surfing. You can also ask Google by doing a search about "what is my ip address".

Other options would be to use dynamic DNS. A dynamic DNS will monitor the external IP address and will update a DNS record for you. That way, you can refer to your connection using that DNS name instead of an IP address.

Hope this will give you some ideas,
 

SamMachine

> Hi Sam,
>
> From a browser, you can go on a web site like myipaddress.com and it will show you the IP address you are using when surfing. You can also ask Google by doing a search about "what is my IP address".
>
> Other options would be to use dynamic DNS. A dynamic DNS will monitor the external IP address and will update a DNS record for you. That way, you can refer to your connection using that DNS name instead of an IP address.
>
> Hope this will give you some ideas,

Sorry if I wasn't being clear on my question, I meant to ask how to find the public IP of my FreeNAS jail, not the system that I am using to log in to my FreeNAS GUI interface.
 

Heracles

Hi again,

Unless you have multiple Internet addresses on your router, everything behind that router will be behind the same IP address. So how is your network designed? An Internet router receives a single IP address and gives Internet access to everything behind it? Then everyone behind that router is to be reached over the very same IP address. No matter FreeNAS, a jail or anything else. Everything will be behind that single IP.

If your setup is different, then you will have to detail it a little more...
 

SamMachine

ok got it,

so when I used canyouseeme.org I got the following message.

Error: I could not see your service on 24.16.xxx.xxx on port (80)
Reason: Connection timed out
 

Heracles

Hi again,

A lot of ISPs are blocking incoming connections to port 80, including mine. It can be your case... Maybe your ISP is blocking connection requests towards port 80.

Actually, they can block all incoming requests because they consider that, as a client, you are not supposed to run a server. So what is your ISP's policy about hosting a server yourself?

If your ISP lets it go, did you configure port forwarding in your router for that? When you go out, the router takes note of the packet going out and when the reply comes back, the router knows who asked for it and can forward the reply to that host. But for incoming connections, the router has no way to know who is supposed to receive that packet. For that, you need to configure port forwarding, telling your router that any incoming connection to port X is to be forwarded to internal IP A.B.C.D.
 

SamMachine

> Hi again,
>
> A lot of ISPs are blocking incoming connections to port 80, including mine. It can be your case... Maybe your ISP is blocking connection requests towards port 80.
>
> Actually, they can block all incoming requests because they consider that, as a client, you are not supposed to run a server. So what is your ISP's policy about hosting a server yourself?
>
> If your ISP lets it go, did you configure port forwarding in your router for that? When you go out, the router takes note of the packet going out and when the reply comes back, the router knows who asked for it and can forward the reply to that host. But for incoming connections, the router has no way to know who is supposed to receive that packet. For that, you need to configure port forwarding, telling your router that any incoming connection to port X is to be forwarded to internal IP A.B.C.D.

Ok, I have got it to work, I think my ISP blocks ports 80 and 25 but if you open all ports (DMZ setting) the ports that are required will open up. Setting up the DMZ to enable for my jail fixed the problem. Thank You everyone. :)
 

Heracles

One minute here...

Are you aware of the consequences of what you just did?

That setting does not forward 1 port to your internal system. It forwards ALL ports and EVERYTHING to your internal system. Consider that by now, this system is 100% exposed to the Internet without any protection. I advise you against using that DMZ mode. To expose a single port to the Internet is already a risk. To expose all of them is way too risky for the benefit.

Please, read about how to configure your router and forward only the strict minimum to your internal host instead of using DMZ mode if you are not ready to acknowledge yourself as bare naked on the public place in front of everybody....
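
An added example (not part of the thread) that models the router behaviour described in the two posts above: replies to outbound connections, a single port-forwarding rule, and DMZ mode. The `Router` class, the jail address 192.168.1.50 and the scanner address are constructed for illustration, and the model assumes the router drops unsolicited traffic that matches no rule.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Router:
    """Toy model of a home NAT router (constructed for illustration)."""
    forwards: dict = field(default_factory=dict)   # public port -> (internal IP, port)
    dmz_host: Optional[str] = None                 # gets all otherwise unmatched inbound traffic
    conntrack: dict = field(default_factory=dict)  # state created by outbound connections

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        # Remember who opened the connection so the reply can be routed back.
        self.conntrack[(remote_ip, remote_port, lan_port)] = (lan_ip, lan_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the (internal IP, port) a packet is delivered to, or None if dropped."""
        key = (remote_ip, remote_port, public_port)
        if key in self.conntrack:              # reply to a connection started inside
            return self.conntrack[key]
        if public_port in self.forwards:       # explicit port-forwarding rule
            return self.forwards[public_port]
        if self.dmz_host is not None:          # DMZ: everything else goes to one host
            return (self.dmz_host, public_port)
        return None                            # unsolicited and no rule: dropped

def probe(router, listeners, public_port, scanner=("203.0.113.9", 40000)):
    """What an external port checker sees: 'open', 'closed' or 'filtered'."""
    target = router.inbound(scanner[0], scanner[1], public_port)
    if target is None:
        return "filtered"                      # never reached any internal host
    ip, port = target
    return "open" if port in listeners.get(ip, set()) else "closed"

def exposure(router, listeners, ports=(22, 25, 80)):
    """Probe result per public port for the given router configuration."""
    return {p: probe(router, listeners, p) for p in ports}

JAIL = "192.168.1.50"                          # constructed jail address
port_forward = Router(forwards={80: (JAIL, 80)})
dmz = Router(dmz_host=JAIL)

if __name__ == "__main__":
    listeners = {JAIL: {80}}                   # only apache24 is listening
    print("forward:", exposure(port_forward, listeners))
    print("dmz:    ", exposure(dmz, listeners))
    listeners[JAIL].add(22)                    # a second service starts in the jail
    print("forward:", exposure(port_forward, listeners))
    print("dmz:    ", exposure(dmz, listeners))
```

With only apache24 listening, port 80 is the only port reported as open in both configurations. In DMZ mode the other ports still reach the jail and answer as closed, so any service that later starts listening there is exposed immediately, while with the single forward it stays filtered at the router.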
 

SamMachine

> One minute here...
>
> Are you aware of the consequences of what you just did?
>
> That setting does not forward 1 port to your internal system. It forwards ALL ports and EVERYTHING to your internal system. Consider that by now, this system is 100% exposed to the Internet without any protection. I advise you against using that DMZ mode. To expose a single port to the Internet is already a risk. To expose all of them is way too risky for the benefit.
>
> Please, read about how to configure your router and forward only the strict minimum to your internal host instead of using DMZ mode if you are not ready to acknowledge yourself as bare naked on the public place in front of everybody....

I do know what DMZ does but how come when I use port checker to my IP it says that only port 80 is open and all other ports are closed? Is it because port 80 is the only one that is online? Also, what can hackers do if the local IP which has all ports open is in a jail?
 

kdragon75

Lol I'll just do a port scan now... I'll let you know when I hack your system.
 

kdragon75

> I do know what DMZ does but how come when I use port checker to my IP it says that only port 80 is open and all other ports are closed? Is it because port 80 is the only one that is online? Also, what can hackers do if the local IP which has all ports open is in a jail?

Does your jail use the same CPU, memory, and disks as the rest of your FreeNAS? Would it ruin your day if someone sent millions of people spam and got you banned from half the internet and your ISP cancelled your account?
 

SweetAndLow

> I do know what DMZ does but how come when I use port checker to my IP it says that only port 80 is open and all other ports are closed? Is it because port 80 is the only one that is online? Also, what can hackers do if the local IP which has all ports open is in a jail?

If you can't get a port forward to work you should definitely not be using a DMZ. This jail won't last a week. And probably your whole network.
 

SamMachine

OK lol, I know that was really stupid and I only kept it on for a couple of minutes. I port forwarded port 80 now and it works. I had to change another thing in my router's firewall to add an exception, so now all works well and HTTP is the only port that is open to my jail.
 

kera

Hello. I have a problem with port forwarding.
I have TrueNAS and a webserver in a jail.
I can connect from my public_ip:port to my 192.168.1.11 (FreeNAS page),
but I can't connect the same way to the jail webserver, public_ip:port to my 192.168.1.222 (webserver apache24 page).
The port is the same, I change only the IP from TrueNAS to the webserver.
LAN is working fine, but WAN is not.

Is there any firewall in TrueNAS or something that is blocking my webserver in the jail?

I have been googling for a solution for maybe 3 days.

Please help.
 

Samuel Tai

Probably something simpler. Did you define a default gateway in the jail?
 

SweetAndLow

Yes
IPv4 interface: vnet0, ip address: 192.168.1.222, netmask: 24, default gateway 192.168.1.1(my router ip),
Does the web server work locally on the LAN? If it does then your port forwarding is messed up. If not then get your web server working locally first.

Also never put your FreeNAS home page exposed to the internet, that's asking to get hacked.
 