Server currently unavailable for NAT IP issue

Musab · June 26, 2018, 10:41am

Hey guys,

Continuing the discussion from Server currently unavailable for NAT IP:

I have the same issue as it showed above, when I tried to fix with the same recommendations, I find out that I’m using a Firewall not a load balancer
so how can I fix this issue, considering that I’m already configured the port forwarding and everything seems okay.

jan · June 26, 2018, 1:04pm

What is your current configuration?
What is your goal?
- access GL only from outside?
- access GL only from the inside?
- access GL from both locations?
What is your Network diagram for that environment?

Musab · June 27, 2018, 9:05am

rest_listen_uri = 0.0.0.0:9000/api , web_listen_uri = 0.0.0.0:9000 , rest_transport_uri = 0.0.0.0:12900/api
the goal is to access GL from both locations.
we’re using qemu/kvm environment, where the GL is installed on a VM behind a FW vm.

jan · June 27, 2018, 10:15am

as ask, a network diagram would help …

Musab · June 27, 2018, 10:25am

yes , as I said the vm that GL is installed on is NATted by the Firewall vm

jan · June 27, 2018, 12:34pm

you should read the comments to the three options.

rest_listen_uri
web_listen_uri
rest_transport_uri

github.com

Graylog2/graylog2-server/blob/2.4/misc/graylog.conf#L79-L81


# REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
# When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
rest_listen_uri = http://127.0.0.1:9000/api/

github.com

Graylog2/graylog2-server/blob/2.4/misc/graylog.conf#L83-L90


# REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
# the scheme, host name or URI.
# This must not contain a wildcard address (0.0.0.0).
#rest_transport_uri = http://192.168.1.1:9000/api/

github.com

Graylog2/graylog2-server/blob/2.4/misc/graylog.conf#L129-L132


# Web interface listen URI.
# Configuring a path for the URI here effectively prefixes all URIs in the web interface. This is a replacement
# for the application.context configuration parameter in pre-2.0 versions of the Graylog web interface.
#web_listen_uri = http://127.0.0.1:9000/

You have one Server - so rest_transport_uri is not needed. But what you need is web_endpoint_uri set to the URI of your Firewall.

github.com

Graylog2/graylog2-server/blob/2.4/misc/graylog.conf#L134-L136


# Web interface endpoint URI. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL header.
# Default: $rest_transport_uri
#web_endpoint_uri =

Musab · July 3, 2018, 9:17am

Hi,
as you see in the attached screen shot, it happens when I’m trying access it from Internet.

And, can you please explain how can I setup web_endpoint_uri? Can i just use Firewall public IP?

jochen · July 3, 2018, 9:25am

192.168.100.200 is not a publicly routed IP address (see RFC 1918).

web_endpoint_uri has to be set to the public URI of the Graylog REST API. If the “Firewall public IP" is the URI of the Graylog REST API reachable from the public Internet, then by all means use that in your configuration.

Musab · July 3, 2018, 9:45am

Hi jochen,

as I mentioned to jan, the graylog is installed on a vm which NATted by the same firewall.

for this point, Do I need to configure something in graylog to use firewall public IP as graylog REST API ?

jochen · July 3, 2018, 10:28am

This naturally depends on your specific network setup, but setting rest_listen_uri to http://0.0.0.0:9000/api should be fine.

Musab · July 3, 2018, 10:38am

well, I’m already done this but still

jochen · July 3, 2018, 10:55am

Please answer all questions asked by @jan in detail:

Musab · July 3, 2018, 11:05am

as I answered here

And I will follow the configuration with another comment

jochen · July 3, 2018, 11:28am

What exactly are “both locations”?
Where’s the network diagram?

Musab · July 3, 2018, 11:40am

for “both locations”, what I mean is as jan asked,

and for the network diagram, I have described before how the graylog is connected in the network ! as I said here

And here :

jochen · July 3, 2018, 11:44am

What exactly is “inside” and “outside”?

And is the “FW vm” directly connected to the Internet?
How’s routing configured?
Which networking layer is the “FW vm” working on? Layer 2, 3, or higher?

I’ll stop in this thread now, since the required details to understand your setup aren’t there.

Musab · July 3, 2018, 11:54am

the firewall has an interface outside and one is inside, the vm which the GL is installed on is in inside.

all the internal vms are NATted and routed to outside.

I’m using pfSense, so I think it’s on Layer 3

as you like.

system · July 17, 2018, 11:55am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Server currently unavailable for NAT IP Graylog Central (peer support)	5	1773	December 27, 2017
Cannot access web interface for Graylog Graylog Central (peer support)	21	14077	March 26, 2020
Problem Accessing Graylog webinterface via NAT Graylog Central (peer support)	6	542	October 4, 2019
Can't connect to web Graylog Central (peer support)	8	4689	July 5, 2018
Unable to Access Web Interface on Cloud Virtual Machines Graylog Central (peer support)	1	915	May 3, 2017

Server currently unavailable for NAT IP issue

Related Topics