Status Checks Incorrect

I have my mail server behind a firewall and have made sure to open all the correct ports. The status checks page says that no service is publicly accessible, the Name server glue records are not set and the MX records are not set.

The box is hosting it’s own dns and handles email fine. I ran host ns1.box.MYDOMAIN.us and host -t ns MYDOMAIN.us on the box which came back as not found: 2(SERVFAIL)

I ran the commands on another server and they successfully resolved.

Do you mean you’re not using the built in MIAB UFW firewall, but using your own (maybe hardware?)
Or maybe both? If you issue the following command: ufw status numbered
be sure that all those ports are also open in your other firewall, also would help if you can post the output of that command (okay to redact IP/hostnames if they are in there)

I run several servers but only have access to one public ip address so I have MIAB configured behind a pfsense firewall with the necessary ports forwarded. I haven’t disabled the MIAB UFW firewall.

Here is the output

Status: active

 To                         Action          From
 --                         ------          ----

[ 1] 22 ALLOW INAnywhere
[ 2] 53 ALLOW IN Anywhere
[ 3] 25/tcp ALLOW IN Anywhere
[ 4] 587 ALLOW IN Anywhere
[ 5] 993 ALLOW IN Anywhere
[ 6] 995 ALLOW IN Anywhere
[ 7] 80 ALLOW IN Anywhere
[ 8] 443 ALLOW IN Anywhere
[ 9] 4190/tcp ALLOW IN Anywhere
[10] 22 (v6) ALLOW IN Anywhere (v6)
[11] 53 (v6) ALLOW IN Anywhere (v6)
[12] 25/tcp (v6) ALLOW IN Anywhere (v6)
[13] 587 (v6) ALLOW IN Anywhere (v6)
[14] 993 (v6) ALLOW IN Anywhere (v6)
[15] 995 (v6) ALLOW IN Anywhere (v6)
[16] 80 (v6) ALLOW IN Anywhere (v6)
[17] 443 (v6) ALLOW IN Anywhere (v6)
[18] 4190/tcp (v6) ALLOW IN Anywhere (v6)

(sorry about the bad formatting. It didn’t copy and paste well)

I don’t have ipv6 yet so those aren’t allowed through the firewall. The only port I was missing in pfsense was port 587

I looked in nsd.conf saw that my private ip address was there instead of the public ip address. Could this cause any issues?

EDIT: The Pfsense router is set to pass any traffic through the forwarded ports. There aren’t any advanced features enabled besides what type of traffic can be passed through certain ports (tcp/udp)

My public IP is in this file: ip-address: x.x.x.x
/etc/nsd/nsd.conf

so maybe your’s having the private address is it — but the MIAB install should have set it up properly, unless it had some issues behind behind your pfsense firewall or something.

but, I think maybe you need to make sure all the ports in your list is fwd to the mail server and make sure the udp/tcp is proper as well.

Also, you can always put your MIAB server in the DMZ and see if it works there, then if it does, you’ll know it’s a pfsense fwd issue.

Sorry about the late reply. I searched through all the logs and nothing has been blocked pertaining to the port forwards. Could this be an issue with DNS forwarding or something through pfsense. I’m not very familiar with DNS.

Anyone have any ideas? Everything seems to function normally except it will not allow me to get a let’s encrypt certificate with these errors. I forwarded all ports tcp and udp through my firewall but nothing seemed to change.

When I run host ns1.box.domain.com it reports Host ns1.box.domain.com not found: 2(SERVFAIL)
Also, when I run host -t ns domain.com It also reports Host domain.com not found: 2(SERVFAIL)

EDIT: A clean reinstall does not fix this. Is it possible a configuration file has the private ip adress instead of the public one?

Bump. Does anyone have any ideas here?

It’s to do with being behind a NAT. I had the same trouble running MiaB within an LXC container.

I had to turn on something called “NAT hairpinning” on the virtual bridge I was using. Try searching for something like that for your pfSense firewall.

It’s a bit complicated, but basically the issue is that the traffic generated by the status checks reaches your NAT/firewall, and then doesn’t get routed back to your box like you’d think it would. This is because your firewall is only configured to forward external “incoming” packets to your box, but it sees this traffic as “internal” traffic that’s trying to get to your public IP. Since the firewall is your public IP, it thinks that the traffic has reached its destination, and it just dies there.

This only happens when the box tries to talk to itself over the public IP. That’s why all the external stuff is probably working just fine, and also why you can access the box over its internal IP without any issues.

What you need is a way for the firewall to know to treat traffic coming from your internal box IP that’s bound for your public IP the same as incoming traffic, and forward it back to your MiaB IP accordingly.

That’s what hairpinning does.

Hope that made sense.

Thanks! That worked perfectly. I hadn’t seen a nat hairpinning option before. This should probably be included on the setup page.

hi friends,

Can you do a screen capture of where you enabled his “hair pin”? thanks in advance…

I currently have run into similar issue…

It’s in System > Advanced > Firewall & NAT. Set “NAT Reflection mode for port forwards” to “Pure NAT”, and enable “Enable automatic outbound NAT for Reflection” (plus “Enable NAT Reflection for 1:1 NAT” if relevant). You can also set the reflection mode on the individual NAT rules pertaining to your MIAB host if you’d prefer not to enable this globally. (Say, if you use split DNS and don’t actually need reflection for anything other than MIAB’s verification page.)

Also be aware, if you’re using IP aliases in your NAT rules, they’ll have to be pointing at an actual IP address, not a hostname. pfSense won’t know which interface to add the additional NAT rules to otherwise https://redmine.pfsense.org/issues/8233.

1 Like