OPNsense Forum

English Forums => General Discussion => Topic started by: malebron on April 18, 2024, 01:30:56 AM

Title: "Invalid Certificate" blocking Internet access
Post by: malebron on April 18, 2024, 01:30:56 AM
This is my first OPNsense install. I'm moving from a working Asus router and keeping everything on my home network the same (except the router) in order to get things working as a start point. So far ALMOST everything is working, except:

I have a NextCloud instance running in a container on an Unraid Server, which also hosts a SWAG reverse proxy. Nothing changed there. On OPNsense I have set up DDNS (ddclient using Cloudflare) and the port forwarding to match my previous configuration.

However, when I try to access NextCloud from the Internet I get an Invalid Certificate error. It says my site "has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can't add an exception to visit this site."

The certificate it sees is the one I added to replace the self-signed certificate (using ACMEClient) so I can access the OPNsense GUI internally without the error.

Did I do something wrong? OR

Do I need to add another outward-facing certificate? (If so can you point me to any how-to instructions?)

I didn't need this before, but perhaps OPNsense is just more secure.

Thanks for any help!
Title: Re: "Invalid Certificate" blocking Internet access
Post by: meyergru on April 18, 2024, 09:48:14 AM
If the OpnSense is presented for the port-forward (which is the reason for the error message), then I can only imagine these cases where this goes wrong:

1. You tried to use 443 as the port forward and still have OpnSense listen to the same port (and on all interfaces).

2. You do not use the correct port in your external URL, like forgetting to add it in "https://somewhere.dyndns.org:5555".

3. Nextcloud does not know about its "real" external URL and rewrites some resource URLs to absolute values lacking the port (e.g. 5555).

4. You have set up a transparent proxy and all traffic gets intercepted.
Title: Re: "Invalid Certificate" blocking Internet access
Post by: Saarbremer on April 18, 2024, 10:29:26 AM
Hi,

HSTS complains about the wrong certificate. Most likely option 1 is your problem:

Make sure the OPNSense Webgui is NOT listening on Port 443 on WAN. Give it a different port number. Otherwise, your port forward will fail. You can use ports on an IP address only once.
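A quick check for the collision described above, written as an added example (not the project's own tooling and not code from the thread): it parses a config.xml-style document and reports any TCP port forward whose destination port equals the web GUI listen port on an interface the GUI listens on. The element layout (system/webgui/port and interfaces, nat/rule with destination/port) and the sample configuration below are assumptions constructed for the example.

```python
"""Flag port forwards that are shadowed by the OPNsense web GUI listener."""
import xml.etree.ElementTree as ET

# Constructed sample: https GUI with no explicit port (defaults to 443, all
# interfaces) plus a WAN forward of 443 to an internal reverse proxy.
SAMPLE_CONFIG = """<opnsense>
  <system><webgui><protocol>https</protocol></webgui></system>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><any>1</any><port>443</port></destination>
      <target>192.168.1.10</target><local-port>443</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><any>1</any><port>80</port></destination>
      <target>192.168.1.10</target><local-port>80</local-port></rule>
  </nat>
</opnsense>"""

# Same config after moving the GUI to 8443, as the thread recommends.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "<protocol>https</protocol>", "<protocol>https</protocol><port>8443</port>")


def webgui_listener(root):
    """Return (port, interfaces) for the GUI; an empty set means all interfaces."""
    gui = root.find("system/webgui")
    proto = (gui.findtext("protocol") or "https").strip().lower()
    port_text = gui.findtext("port")
    port = int(port_text) if port_text else (443 if proto == "https" else 80)
    ifaces = gui.findtext("interfaces") or ""  # assumed comma-separated list
    return port, {i.strip() for i in ifaces.split(",") if i.strip()}


def conflicting_forwards(config_xml):
    """List 'iface:port -> target' for forwards that the GUI would answer first."""
    root = ET.fromstring(config_xml)
    gui_port, gui_ifaces = webgui_listener(root)
    hits = []
    for rule in root.iterfind("nat/rule"):
        iface = rule.findtext("interface", "")
        proto = rule.findtext("protocol", "tcp").lower()
        dport = rule.findtext("destination/port", "")
        if proto not in ("tcp", "tcp/udp"):
            continue  # the GUI only listens on TCP
        if not dport.isdigit() or int(dport) != gui_port:
            continue  # port ranges are not expanded here; single ports only
        if gui_ifaces and iface not in gui_ifaces:
            continue  # GUI restricted to other interfaces, no collision
        hits.append(f"{iface}:{dport} -> {rule.findtext('target')}")
    return hits
```

Running `conflicting_forwards(SAMPLE_CONFIG)` reports the shadowed 443 forward, while the same call on `FIXED_CONFIG` returns an empty list.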
Title: Re: "Invalid Certificate" blocking Internet access
Post by: malebron on April 18, 2024, 06:37:22 PM
Thank you. Yes, (1) makes sense and changing the port for OPNsense did stop the certificate error.

Based on this suggestion I did some research and sure enough, Asus uses port 8443 for its router GUI. Hence no issues before.
Title: Re: "Invalid Certificate" blocking Internet access
Post by: malebron on April 18, 2024, 08:01:28 PM
I should probably make this a different post but it follows on from the above:
I am posting this issue to a separate thread to avoid confusion with the subject line. The certificate issue is resolved.

Changing the Opnsense port allowed me access to my Nextcloud instance from the WAN, however when I try to access it from the LAN side I get "the server where this page is isn't responding". (blank page)

I assume it's something related to port forwarding or DNS, but I'm not sure where to look.


Thanks
Title: Re: "Invalid Certificate" blocking Internet access
Post by: meyergru on April 18, 2024, 10:50:47 PM
Look into the official documentation for "NAT reflection"
Title: Re: "Invalid Certificate" blocking Internet access
Post by: malebron on April 18, 2024, 11:45:17 PM
"Look into the official documentation for "NAT reflection""

The official docs are a bit steep for this newbie, but that was exactly the clue I needed to start researching and I found the tips I needed. THANK YOU @meyergru! You are indeed a hero.

In particular: FIREWALL > SETTINGS > ADVANCED > Network Address Translation
The key was enabling the following settings:

ENABLED - Reflection for port forwards
ENABLED - Reflection for 1:1
ENABLED - Automatic outbound NAT for Reflection

Hope that helps someone else.