Hello
I'm really sorry to ask such a stupid question, but I'm struggling with something on OPNsense. I have OPNsense running as a VM in Unraid. I have set up port forwards for 80 & 443 to NGINX Proxy Manager.
The weird thing is, if I refresh/restart the NGINX container the ports open and all works well... however, this only lasts a couple of minutes before they close again and I can't access my websites.
I don't understand why or how they are being closed.
Here is a picture of my port forward & rules: https://imgur.com/a/uTX5BIk
I am really sorry, I am not a network engineer, just a guy at home trying to do his best with what he has.
Any help would be great and thank you.
Not sure why you have so many rules for that; usually you would just open ports 80 and 443 with destination "This Firewall" at the appropriate place, and start nginx.
There's not usually a need for NAT.
I was told on Reddit that's what I needed to do. Being honest, it's a lot more complicated than I anticipated.
Have you made sure the HTTPS port you access the firewall with was changed from 443 to something else, like 4443 for example?
System: Settings: Administration: TCP port
Also, if NGINX runs behind the OPNsense as a container, you need the NAT rules.
I assumed nginx to be running on OPNsense.
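To make the two points in this reply concrete (the GUI moved off 443, and NAT rules because NGINX Proxy Manager sits behind the firewall on the Unraid host), here is the same setup written as hand-written pf rules. This is example configuration added for this thread; it is not what the OPNsense GUI generates verbatim and not something posted by anyone in the thread. Interface names, the LAN subnet, the NPM host address and the 4443 admin port are assumptions.

```pf
# Assumed values, not taken from the thread
ext_if    = "vtnet0"             # WAN interface of the OPNsense VM
int_if    = "vtnet1"             # LAN interface
lan_net   = "192.168.1.0/24"
npm       = "192.168.1.100"      # Unraid host running the NPM container
admin_tcp = "4443"               # GUI port after System: Settings: Administration

# --- translation rules (pf wants these before the filter rules) ---

# Port forward: anything arriving on the WAN address for 80/443 is
# redirected to NPM. "rdr pass" also lets the redirected traffic through,
# so no separate WAN filter rule is needed for it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $npm

# NAT reflection (hairpin): LAN clients that resolve the public name to
# the WAN address are redirected the same way, and source-NATed so the
# replies come back through the firewall instead of going direct.
rdr pass on $int_if inet proto tcp from $lan_net to ($ext_if) port { 80, 443 } -> $npm
nat on $int_if inet proto tcp from $lan_net to $npm port { 80, 443 } -> ($int_if)

# --- filter rules ---
block in log all
pass out quick keep state

# The GUI is reachable only from the LAN, and only on its new port, so
# nothing on the firewall itself is competing for 443 on the WAN side.
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port $admin_tcp
pass in quick on $int_if from $lan_net to any
```

The point of moving the GUI off 443 is visible in the last block: with the GUI on 4443 there is no listener on the firewall for the ports being forwarded, so the rdr rules are the only thing that can answer 80/443 on the WAN address.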
Quote from: bimbar on November 01, 2023, 10:51:13 AM
I assumed nginx to be running on OPNsense.
No, a Docker container in Unraid.
Quote from: Monviech on November 01, 2023, 10:50:13 AM
Have you made sure the HTTPS port you access the firewall with was changed from 443 to something else, like 4443 for example?
System: Settings: Administration: TCP port
Also, if NGINX runs behind the OPNsense as a container, you need the NAT rules.
I hadn't, no, but I have now :)
Quote from: Monviech on November 01, 2023, 10:50:13 AM
Have you made sure the HTTPS port you access the firewall with was changed from 443 to something else, like 4443 for example?
System: Settings: Administration: TCP port
Also, if NGINX runs behind the OPNsense as a container, you need the NAT rules.
You sir are amazing, 2 god damn days and that's what it was! FML
Great, also good job at implementing hairpinning :)
TBF that wasn't that bad, took about 3 mins. I went with option 2 that came from Reddit, but honestly I have an issue with Reddit and keyboard warriors; I ended up getting in an argument with someone in selfhosted yesterday because he wanted to flex.
I'm still getting around OPNsense and I was on the verge of going back to OpenWrt as I couldn't get this to work. Now this is working I can start getting it up and running, as it's pretty cool. I've got my Netdata integration set up.
It's a shame it doesn't have a Docker plugin.
On to WireGuard and OpenVPN now.
Well, there are jails on FreeBSD; a jail is like what a container is on Linux.
https://forum.opnsense.org/index.php?topic=26975.0
Any idea why this is now happening? https://imgur.com/a/T8VDbGr Seems laggy, but I have plenty of cores.
If you have performance problems maybe it's best to post an alternative thread in "Hardware" with your exact setup. I'm not sure I can help with that.
Quote from: Selfhoster on November 01, 2023, 11:15:16 AM
any idea why this is now happening https://imgur.com/a/T8VDbGr seems laggy but I have plenty of cores
If you're referring to the spinning "checking for updates", that is using the system's DNS settings as set by you, and we've seen a few cases of having IPv6 enabled when unnecessary and that, depending on the ISP, might cause you a slow response.
It's gone back and the ports are closing again now :(
Quote from: Selfhoster on November 01, 2023, 11:46:18 AM
It's gone back and the ports are closing again now :(
Disclosure: I don't do docker nor containers.
That out of the way, what tells you ports are closed, where are the listeners?
So it's staying open for around 10 mins, then closing all the ports again; very odd?
Quote from: cookiemonster on November 01, 2023, 11:52:16 AM
Quote from: Selfhoster on November 01, 2023, 11:46:18 AM
It's gone back and the ports are closing again now :(
Disclosure: I don't do docker nor containers.
That out of the way, what tells you ports are closed, where are the listeners?
I'm checking via Dynu, the company that hosts my domains; they are saying 80 & 443 are closed. Again, the "fix" is to restart NGINX. I'm not sure why it just decided to close them... is there a timeout rule I'm missing?
There are timeout rules; they're called "states". If a state times out, the connection is closed. That's probably what makes it "look" like ports are closed, even if they are not. You can change the behavior of OPNsense regarding states: Firewall: Settings: Advanced: Firewall Optimization or Schedule States. But be careful with those.
When you restart NGINX, the states are probably initiated again.
Check "Firewall: Diagnostics: States" and find the "Rule" that allows your port forward. Also look in "Firewall: Diagnostics: Sessions" to see if the TCP sessions' Age and Expires are working correctly.
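The question "what tells you ports are closed, where are the listeners?" and the reply above about states both come down to one distinction: a port checker that says "closed" cannot tell a dropped SYN (no rule or NAT passing it) from a reset (reachable, but nothing listening, e.g. the container restarting) from a proxy that accepts TCP and then fails at the HTTP layer. The following Python probe, added here as an example and not code from the thread or from OPNsense, separates those cases the way you would from a phone on LTE or a VPS. The host, port and Host header are command-line arguments; the tiny local HTTP listener is a constructed stand-in for the NPM container so the script can be exercised offline.

```python
"""Probe a published service from the outside and tell apart:
  - "filtered": the SYN is dropped (no pass/rdr rule, or nothing routing
                to the host); most web port checkers just call this "closed"
  - "refused":  an RST came back, so the path works but no listener is bound
                (the container is down or restarting)
  - "open":     TCP completes; an HTTP request then shows whether the proxy
                itself answers (a 408 means TCP is fine and the proxy gave up
                waiting for the request, which is not a firewall problem)
Example code added for this thread, not from the OPNsense project or NPM.
"""
import http.client
import http.server
import socket
import ssl
import sys
import threading


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:          # e.g. EHOSTUNREACH / ENETUNREACH
        return f"error:{exc.errno}"


def http_probe(host, port, path="/", host_header=None, tls=False, timeout=5.0):
    """Send one GET; return (status, reason), or None if no HTTP answer.
    Certificate verification is off on purpose: we test reachability of the
    proxy, not the identity of the site behind it."""
    if tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl._create_unverified_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # An explicit Host header is what makes NPM pick the right proxy host,
        # which matters when you probe by WAN IP rather than by name.
        headers = {"Host": host_header} if host_header else {}
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.reason
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(host, port, host_header=None, tls=False):
    """Combine both probes into one verdict."""
    tcp = tcp_probe(host, port)
    if tcp != "open":
        return {"tcp": tcp, "http": None,
                "verdict": "no TCP path: check the rdr/pass rule and the listener"}
    result = http_probe(host, port, host_header=host_header, tls=tls)
    if result is None:
        verdict = "TCP ok, no HTTP answer: wrong protocol or proxy not speaking HTTP here"
    elif result[0] == 408:
        verdict = "TCP ok, proxy timed out waiting for the request"
    else:
        verdict = "reachable"
    return {"tcp": tcp, "http": result, "verdict": verdict}


class _StandIn(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for the NPM container (offline runs only)."""
    def do_GET(self):
        body = b"stand-in proxy\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_stand_in():
    """Start the stand-in on 127.0.0.1:<ephemeral>; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """A local port with nothing bound on it: probing it must give 'refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # usage: python probe.py <host> <port> [host-header] [tls]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    hdr = sys.argv[3] if len(sys.argv) > 3 else None
    print(diagnose(host, port, host_header=hdr, tls=(port == 443 or "tls" in sys.argv)))
```

Run it from outside your network against the WAN address while the Dynu checker says "closed": "filtered" points at the firewall or NAT, "refused" at the container, and a 408 or a 400 with a TCP result of "open" means the packets are already reaching NPM and the remaining problem is on the proxy side. Run from the LAN against the WAN address it also exercises the reflection rule.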
Quote from: Monviech on November 01, 2023, 01:00:53 PM
There are timeout rules; they're called "states". If a state times out, the connection is closed. That's probably what makes it "look" like ports are closed, even if they are not. You can change the behavior of OPNsense regarding states: Firewall: Settings: Advanced: Firewall Optimization or Schedule States. But be careful with those.
When you restart NGINX, the states are probably initiated again.
Check "Firewall: Diagnostics: States" and find the "Rule" that allows your port forward. Also look in "Firewall: Diagnostics: Sessions" to see if the TCP sessions' Age and Expires are working correctly.
That's all I can find for my "rule": https://imgur.com/a/lCLEdV1 Oddly, I can't find anything for my specific rule called NGINX.
You can only find a state from an external IP if it tries to access your nginx server. What I see here are only internal IP to internal IP connections.
Can you try to open the default webpage of your nginx server from a remote source (maybe your mobile phone) and see if the session establishes then?
It won't connect; the page just tells me it can't complete the request.
But this comes up:
all tcp 192.168.1.193:39402 213.120.42.217:443 192.168.1.100:443 TIME_WAIT:TIME_WAIT Reflection NAT Rule Webserver 443
Maybe the NAT reflection is interfering somehow?
Maybe it would be best if you deactivate your current Outbound NAT and Port Forward rules, and start with a simple port forward without reflection. Then verify that your phone (which should be connected to LTE, not to your WiFi) can connect to your NGINX server. If that works, you can continue again with the reflection rules.
Doesn't make a difference.
I guess I'm unable to help then.
I turned off the floating rules and the NATs; still nothing. Again, the only thing that works is resetting the Docker container, but then it dies.
If it helps, I'm getting error 408 now.
Draw yourself a diagram of your setup; it'll help you and the forum to visualise it.
TBH I'm giving up; whilst it's a nice bit of kit, spending 4 days just trying to get port forwarding to work properly is a joke.
Whatever it is, it is 100% OPNsense, as I've just dialed up OpenWrt and it works without a hitch.
I did find this, but a lot of it didn't help me: https://www.reddit.com/r/OPNsenseFirewall/comments/mcwqce/port_forwarding_to_nginx_proxy_on_other_server/
I might give Swag a go and see if it's just NPM being awkward, but if that doesn't work I will have to close it and move on.
OK, I think I'm onto something. I have set all my subdomains up as canonical names on Dynu. It is the subdomains that are having issues getting through the wall. It's also saying timeout, so I'm not sure if there is a latency issue?
My physical domain is not having an issue
So after everything, I needed a separate WAN rule to open the ports, as the automatic one just wasn't cutting it!
I will also say I was using the "official" NPM; I moved to the unofficial one, which uses 1801 and 1443 instead of the normal ports.
I'm not sure if this or the Wi-Fi rule helped, but at this point I don't care, as it's finally working as intended.