OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: dudeman21 on June 03, 2018, 06:59:37 pm
-
Hello all,
I've been searching various forums for a while now and I can't find the answer to what I'm doing wrong.
What I want to do: access services that I run on my unraid server behind opnsense such as nextcloud using a public IP address over HTTPS, ex: nextcloud.example.com. The issue seems to be opnsense sending the requests to the WEB GUI instead of the NGINX server. I'm running the NGINX in an UNRaid docker on port 81 (HTTP) and 443(HTTPS) to avoid conflicts with the unraid web gui. I want to be able to type https://nextcloud.example.com and have it automatically redirect from 443 to port 444 on my local NGINX IP address.
On my DNS account at namecheap for example.com, I have:
Type | Host | Value |
A+DDNS | @ | WAN IP (108.x.x.x) |
CNAME | nextcloud | example.com. |
using nslookup, example.com and nextcloud.example.com correctly resolve to my WAN IP.
On OPNSense I have the following NAT->port forward settings:
(https://i.imgur.com/7VYhvlr.png)
when I type example.com from within the network, I get to the opnsense web gui and it gives an error "Potential DNS rebind attack". When I go to example.com from outside (on my phone's data), I get connection time out.
as a test, I changed to web gui to use port 445 as HTTPS, and if I go to example.com from within my network, it redirects to example.com:445, indicating the web gui is capturing the request. From outside, I just get connection timeout.
On my unraid Let'd Encrypt-NGINX docker, I get: "Timeout during connect (likely firewall problem)" on all the domains and subdomains it tries.
I'm pretty sure the issue is the firewall not sending the requests from WAN to the NGINX but I don't know what the issue is. opnsense is pretty much a fresh install, those two port forward rules are the only thing I've added and it automatically added the NAT firewall rules on WAN. The only rules on LAN are the default rules.
Thanks for the help!
-
Destination needs to be the WAN IP.... Here's one from mine using aliases, but the alias is the WAN IP.
(https://preview.ibb.co/kC6JdT/Capture.png)
-
I tried changing the rules, Let's Encrypt still can't access the NGINX server. Says likely firewall blocking.
I want port 80 coming in from the wan to forward to port 81 on 192.168.1.31.
Same for HTTPS, WAN:443->192.168.1.31:444
(https://i.imgur.com/luePPWI.png)
I must be missing something incredibly simple, I just can't figure it out. Thanks!
-
And I assume the associated firewall rules are there?
If they are, can you enable the logging, if not already on, and see what the logs say?
Just remembered, I use 1:1 NAT as I have multiple WAN IPs, I'll run up a test....
-
sorry for the long delay for my reply, I really appreciate your help. It turns out it was my ISP blocking everything on port 80 and 443. For anyone else reading this in the future: google to see if your ISP is blocking ports. If they are you have to use something else like 444....BUT I was using cloudflare DNS which by default doesn't allow HTTPS over a non standard port (https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-). You can easily fix this by using a port mentioned in that article like 8443 or shut off their proxying by clicking the yellow cloud in your DNS settings.
Note, I did have the incorrect NAT settings in OPNsense to begin with so thanks for helping me fix that. After that it was mostly a DNS issue, like it always is :)
Also for future readers, the live filter view on the firewall logs is much more useful if you use Boolean operators like | for OR. So if you want to see multiple IPs, do something like:
192.168.1.2|192.168.1.10|250.555.555.555, etc...
-
Glad you got it sorted, also glad I have a decent ISP!