Problem connecting to newly installed server

I think I’m going crazy! I think I’ll write a book about this when they lock me away!

Here’s the story:

  1. I have a working CentOS 7.3 server, with Apache, 2 x virtual named websites and Let’s Encrypt SSL certificates.

  2. I decided to upgrade. I chose Alma Linux.
    I installed a nice new Alma 8.6 server. Installed Apache, MySQL, FTP. Everything working fine. BUT…

  3. From INSIDE the server, everything works fine, but from OUTSIDE - NOTHING.

  4. Once the server was configured, I moved the two virtual webservers’ configs to /etc/httpd/conf.d and the servers themselves to /var/www/server1, /var/www/server2.

  5. I went into the DNS and changed the internal IP from .203 to .213 (old → new) with the new server name.

  6. We have an OPNsense firewall. I created the virtual IPs, the NAT port forwarding, the alias and the rules identical to the old CentOS server (but obviously with the new IP addresses).
    I can ping anything from the CentOS box.

  7. On the Alma box, I can PING the external IP address, but if I put it into the browser, http://xxx.xxx.xxx.xxx (the external address on the internet), NOTHING, it times out.
    I can’t even telnet to port 80 using the EXTERNAL IP address (or any other port).

Now for the final weirdo. If I switch on the old CentOS 7.3 server, then the Alma server starts working and I can access the external server. I am connected to the internet right now ON THE ALMA SERVER, so there is internet, just not to my external IP addresses.

I’ve gone over the firewall rules with a fine-tooth comb. It isn’t there. I’m stumped, and if I can’t find it soon, I’ll just have to stick with CentOS 7.3. It works fine.

Sounds like something is fishy with routing.

Who has the “external address”? The OPNsense? Who tries to access it? Alma, CentOS, John Doe?

I have a GUI on Alma. I bring up Firefox and type http://external IP address. TIME OUT

I type in FQDN - same

I type in Al NO PROBLEM

I go to my workstation, pull up Firefox - REPEAT the above, same story.

I type at either Alma or my PC, ping external IP address - works perfectly.

FYI I have a /29 subnet that I pay for from EDPNet. Those are the external IPs I refer to. I only use three: one for the mail server, one for the CentOS 7.3 box (which would be taken down IF I get Alma to work) and one for Alma. The other three aren’t being used at this time.

In other words, the router (OPNsense) has three external addresses.

When you (on Alma) try to access the “Apache”, packets leave with internal address of Alma and go to internal address for router. Router then forwards them to internal address of Alma and Apache receives them.

The Apache sends replies to the sender of the incoming packets. If the router does not SNAT, the “sender” is Alma’s internal address. Your browser did send to the “external address”, which never replies, but something “unrelated” on localhost does pretend to reply.

Alternatively, the Apache does not reply (config, firewall, etc). That is, have you verified that you can connect to the Apache at the internal address? If not, then we don’t know where the problem is. If internal connections work, and not just from same machine (Alma), but also from other machines in the internal network, then we know that issue is with router.

Additional point is, can a client in internal or external network access via the external address even if client in Alma can’t?

Let me first state again. As far as I know, both CentOS and Alma are configured EXACTLY the same on OPNsense as well as internally.
On CentOS, I can write to both forums and all users can connect. On the SFTP, I can access it with FileZilla and so can my users.

On Alma (and I have to restate I have a GUI on the box), I can load Firefox, type in server1.MyDomainFQDN and I can write to and work on the forum, but only ONE of them. Both named servers give the same result.

From a workstation or one of my customers, typing server1.MyDomainFQDN into a browser results in a timeout.

If I load Firefox on Alma and type in http://localhost or 127.0.0.1 or the INTERNAL IP address, I get one of the forums.

If, still in Firefox on Alma, I type http://EXTERNAL IP address, I get a timeout.

Now I switch on CentOS and log in, so both servers are running.
Back to Alma: http:// using the EXTERNAL IP address, I get the test page.
http://webserver1.MyDomainFQDN comes up with an unverified certificate but loads the test page over https; same with the other, server2.
From a PC, I try to connect to Alma with FileZilla using Alma’s EXTERNAL IP and it times out.
I try to connect to CentOS with the external IP and it works.

I figure I must have screwed up something, but I just can’t find it.

It isn’t my fault I can’t put the disguised links in; blame your forum software.

Let’s describe the obfuscated case:

  • Two subnets:
    • LAN, 10.0.0.0/24 (net 10.0.0.0, bcast 10.0.0.255)
    • WAN, A.B.C.200/29 (net A.B.C.200, bcast A.B.C.207) --Note: .203 and .213 are on different /29 subnets.
  • Host “Router”
    • Address 10.0.0.1 on LAN
    • Addresses A.B.C.202 and A.B.C.203 on WAN
  • Host “Alma”
    • Address 10.0.0.2 on LAN
  • Host “PC”
    • Address 10.0.0.3 on LAN
  • Host “Laptop”
    • Address on WAN
  • The Router does DNAT traffic from WAN to A.B.C.203:80 into 10.0.0.2:80
  • DNS resolves “web1” into A.B.C.203
  • DNS resolves “web2” into A.B.C.203

I don’t know HTTP, but I guess that HTTP-packet contains URL and that Apache can differentiate on that. Therefore, these four packets can get different response:

  • To 10.0.0.2 with URL “A.B.C.203”
  • To 10.0.0.2 with URL “10.0.0.2”
  • To 10.0.0.2 with URL “web1”
  • To 10.0.0.2 with URL “web2”

Both on PC and Alma you should be able to override the name resolution to make “web1” and “web2” resolve to 10.0.0.2.
Therefore, the browser on PC and the browser on Alma should each be able to send three of the packets above into the Apache that is on Alma.
What are the results of those six cases?

The Laptop does not know about 10.0.0.0/24, so it can send to “web1”, “web2”, and “A.B.C.203”. You can listen on Alma with tcpdump when Laptop attempts connection. Do you see packets then, i.e. does router forward? What “src” and “dst” do those packets have?

Have you verified that DNS resolves as it should?
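The two replies above (the SNAT point and the obfuscated LAN/WAN case) describe the same failure mode: a LAN client sending to the WAN address gets a reply from Alma’s internal address, which the client’s TCP stack does not accept. The simulation below, added here and not part of the thread, walks that path with the obfuscated addresses from the post (10.0.0.1 router, 10.0.0.2 Alma, 10.0.0.3 PC; 203.0.113.203 stands in for A.B.C.203 and 198.51.100.7 for the Laptop, both constructed).

```python
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."
ROUTER_LAN = "10.0.0.1"
ALMA = "10.0.0.2"
WAN_VIP = "203.0.113.203"   # stands in for A.B.C.203 (constructed)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def flip(self):
        """The 4-tuple a reply to this packet would carry."""
        return Pkt(self.dst, self.dport, self.src, self.sport)

class Router:
    """Port forward A.B.C.203:80 -> 10.0.0.2:80, optionally with NAT
    reflection, i.e. SNAT of hairpinned LAN traffic to the router's LAN IP."""
    def __init__(self, reflection):
        self.reflection = reflection
        self.state = {}   # translated reply tuple -> original reply tuple

    def forward(self, p):
        if p.dst == WAN_VIP and p.dport == 80:
            hairpin = p.src.startswith(LAN_PREFIX)
            src = ROUTER_LAN if (self.reflection and hairpin) else p.src
            out = Pkt(src, p.sport, ALMA, p.dport)
            self.state[out.flip()] = p.flip()   # remember how to undo it
            return out
        return p

    def reverse(self, p):
        return self.state.get(p, p)

def hairpin_connect(client, reflection):
    """True if a client connecting to the WAN VIP gets a SYN/ACK it accepts."""
    router = Router(reflection)
    syn = Pkt(client, 40000, WAN_VIP, 80)
    at_alma = router.forward(syn)        # VIP is off-LAN, so the SYN goes via router
    synack = at_alma.flip()              # Apache answers the sender it saw
    if synack.dst.startswith(LAN_PREFIX) and synack.dst != ROUTER_LAN:
        delivered = synack               # same subnet: delivered directly, router never sees it
    else:
        delivered = router.reverse(synack)
    # the client only accepts a SYN/ACK whose 4-tuple mirrors its own SYN
    return delivered == syn.flip()
```

Without reflection the PC (and Alma itself) see a reply from 10.0.0.2 instead of the VIP and drop it, which is the timeout described in the thread; an external client is unaffected because its reply has to pass back through the router either way.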

On CentOS 7 it works fine.
The only difference between the 2 servers is the OS and the name.
The webservers in httpd/conf.d are the same ones from CentOS 7. The files and the databases from the SMF forums are identical to the ones on CentOS 7.
The DNS entries for CentOS 7 must resolve correctly or it wouldn’t work, would it?
All I did to the DNS was enter a new server name and the server1, server2 (SMF forum) names. I changed from 192.168.x.203 to .213 (Alma).
On the Dynu DNS, I changed the IP addresses for server1, server2 to xxx.xxx.xxx.60; it was xxx.xxx.xxx.58.
I cloned the alias, the virtual IP, the NAT–>port forwarding and the rules from the CentOS 7 ones and changed names and IP addresses. That’s all.

Last night, I changed the DNS back to the old settings, so my two SMF forums are working again.

I restored the original Alma installation 192.168.x.213 and the only DNS entry now is for Alma.

Both forums are live. Now I have to figure out why Alma isn’t working, so I’m going to create a brand new forum and enter it into the DNS and see if it works. If not, I’ll get back to you.