Messages - diehardbattery

#1
I suppose that's true, it's been a while since I set that part up. But changing that group to default fixed it.
#2
Quote from: Patrick M. Hausen on March 25, 2025, 04:08:28 PM
It's LAN address, not LAN interface. Sorry, my bad.

I'm not entirely sure how, but I have that part working now. But I am facing another issue. I also want to use Unbound in conjunction with AGH. I configured AGH's private reverse resolver to use Unbound on port 53530, but I have no internet access. According to AGH, when I test the upstream, it reports as working correctly. I did not change anything in my Unbound setup, as it was working fine before. So I'm not sure what I am missing now with regard to not being able to have internet access.
#3
Quote from: Patrick M. Hausen on March 25, 2025, 07:42:42 AM
The first two rules redirect all packets to the WAN_Failover gateway (group?) so you cannot communicate with the firewall locally.

Place a rule for TCP, destination "LAN interface", destination port "3000/HBCI" above all others. Without the gateway setting, of course.

EDIT: or add an inverted destination to your rules and replace destination "any" with !"This Firewall".
The WAN_Failover is a group, as I have 2 gateways, one of which serves as a backup. However, I'm a bit confused about the destination. I have a "LAN net" and "LAN address" for destination, but not "LAN interface". I tried LAN net, but no luck. So I changed it to "This Firewall" and inverted it, as you suggested, above all other rules, and still no luck.

#4
This is what I have currently, as I removed the rule for AGH, not knowing for sure if the rule was relevant.
#5
I'm trying to get the AdGuardHome plugin working on my firewall. I have installed the plugin via shell:
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
I moved Unbound to port 5454. My current DNS setup goes straight to Cloudflare (not sure if that's correct?). The plugin installs, and I make sure that "Enable" and "Use as primary DNS" are checked in Services > AdGuardHome > General, but I notice that the service shows as not started. I have tried to start it both via the GUI and from the shell. Both appear to start without issue. However, I cannot access the AdGuard web UI via ip:3000. One thing I noticed is that on the initial start the YAML file is not created. Some searching seems to show how to create one manually, which I did:

bind_host: 0.0.0.0
bind_port: 3000
users:
  - name: admin
    password: *****************

I checked to see if anything else is using port 3000:

sockstat -4 | grep 3000
root     AdGuardHom 14702 115 tcp46  *:3000   

I've tried uninstalling/reinstalling the plugin several times and no luck. Another thing I tried was to create a LAN firewall rule for AGH for port 3000. One weird thing I notice is that when I specify the destination port (other, 3000), apply the rule and recheck it, the destination port says HBCI instead. I'm not sure if the rule is needed, but I tried it as part of my troubleshooting.

What am I missing?
#6
I figured it out. There was an issue in the proxy.conf file. Typically, if you follow the SWAG guide from Ibracorp, you should be able to do everything by host name as long as everything is in the same custom Docker network. Even though that's true in my case, I have to modify the proxy_pass line in the conf file and use my Unraid IP instead. It works fine then.
#7
I could do that. But, if nginx is refusing the connection, wouldn't that mean that the port forwarding is working on at least some level? If I am understanding correctly, it is reaching nginx.
#8
Running 22.7.2. I posted yesterday about an issue I was having with port forwarding. Admittedly it was probably a bit nonsensical. So I am going to focus on one thing at a time. I have been seeing that when you create a port forward under Firewall > NAT > Port Forward, there is an option to create an associated filter rule. This is true, correct?

What I am seeing seems confusing. The only options when I create a port forward regarding a filter rule are "pass" and "none". Currently it is set to "pass", but something does not seem right. I am trying to port forward 80 and 443 to my web server running nginx so I can reverse proxy. Nginx sees the connection come in but refuses it, which is making me think something is wrong between OPNsense and downstream to the web server.

If a filter rule is set to pass, is there an additional rule created?  If so where is the rule?  I can't seem to find anything in the other firewall options.  Screenshots for reference:

https://imgur.com/a/7bJ4kPA
#9
So after some more troubleshooting, I believe I have ruled everything out but the OPNsense downstream that you mentioned.  Now I just want to verify that I have the port forwards setup correctly... I have also verified that ports 80/443 are open from canyouseeme.org.

https://imgur.com/a/E2xEkse

#10
Please don't mistake what I am about to reply for hostility. I realize now that in my OP I might have come across as a blithering idiot who has no business messing with these things. I attempted to make that point with some humor but apparently failed miserably.

Quote from: cookiemonster on August 23, 2022, 05:32:34 PM
1 - read on the basics of networking. The OPN Documentation or any other firewall documentation is a good place to start. You want to know what is routing, switching, DNS resolution on/with firewalls, including resolving and routing public domains in your own infrastructure.

I already know the basics of networking.  I could be wrong but I don't think I would have come this far if I had not?

Quote from: cookiemonster on August 23, 2022, 05:32:34 PM
2. make a diagram that connects boxes that then you can identify ip addresses and ports for. Most firewall/network forums will more easily see where you might have a mistake. They tend to talk on that level. Currently nobody can see your setup's topology. Your posts will be likely to have more helpful responses when they a) have a "clear picture" what you have and could do, b) don't get put off by trying to tease bits of information out of you that they would rightly expect to be clearer from the start.

Granted I did not draw an actual diagram.  But, the sequence I posted in OP is not clear enough?  Can you explain this further please?

Quote from: cookiemonster on August 23, 2022, 05:32:34 PM
3. with that, you can then ask separate questions if required. ie. "I'm trying to route mydomain.cloudflare.com to my local server on the lan with ip 172.26.27.5 running Apache/nginx, my wan is on ipv4 dynamic, do I put my pass rule in the WAN or LAN interface?"

I thought that perhaps having everything in one thread would be more efficient.  Strike 2 for me...  Furthermore, how can one reasonably expect that someone who is still trying to learn to have every bit of information in a nice neat little package?

Quote from: cookiemonster on August 23, 2022, 05:32:34 PM
4. try to make your post more generic. What is swag? Don't assume OPN users are familiar with that or a piece of software/hardware you have in your mix.

I believe there have been other posts on SWAG here in the past. So once again, I must have mistakenly assumed that perhaps at least SOME users would know what this is. Surely I'm not the only person who has a similar enough scenario to be able to at least draw ideas from?

It's basically nginx with added features for Unraid such as mods for docker (linux containers), auto configuration of apps based on preconfigured proxy confs (they provide a bunch of samples) which can be used in an Unraid environment.

At the core it might not matter.  Port forwarding from 80/443 on my WAN (AT&T Fiber Gateway) is somehow not working properly to reach my internal Unraid server.  I have already outlined the different options I've tried in the OPNsense firewall Port Forwarding.

The reason I am asking for help is that, based on the nginx error log, nginx IS, in fact, able to see that SOMETHING is incoming.  But it does not know what, and is refusing the connection.  The part I am not sure about is if it is an OPNsense thing or a SWAG thing.

On a more personal note, not everyone learns the same way.  So I apologize for my vagueness and inability to concisely convey what is going on.  I want to learn otherwise I would not have posted at all...

Again, I'm not trying to be hostile, but perhaps venting a bit at my situation. I feel like I am in some parallel universe where I understand everything but when I communicate it's gibberish.
#11
I want to preface this by saying I realize there are multiple facets to my issue, but r/Unraid mods keep deleting this post for unknown reasons, so I thought I'd try here...

I'm usually pretty good at following guides to set up things I'd like to have/use. But, when something goes wrong, especially for networking, I'm apparently not yet good enough to troubleshoot it properly (but hey, I can plug and unplug an ethernet cable?), so here we are...  I am doing my best to document every step I have taken thus far, so apologies if it's incomplete.

Currently I am stuck with what appears to be a port forwarding situation on my OPNsense router with regard to SWAG. I get a 502 when trying to access the subdomain from either LAN or another WAN (Verizon Wireless from phone). I can hit the SWAG Welcome Page when trying to access the root domain from another WAN (also Verizon Wireless from phone) but not from LAN.  I am trying to figure out the correct sequence for OPNsense. 

What I've tried so far with OPNsense:

  • Sequence: WAN interface ANY > WAN ADDRESS > TCP 80/443 > 18001/18443 > (Unraid IP)/32 (1 entry each)
  • In other words, I have port forwarding rules for 80 and 443 from ANY, to WAN address, then forward as ports 18443 and 18001 respectively to the Unraid server with a /32 CIDR.
  • Enabling or disabling NAT Reflection (hairpin NAT?).
  • Filter rule association set to PASS.
  • For NAT Outbound, I have it set to hybrid due to having rules for my gaming consoles/UPnP.

What I've tried so far for Cloudflare:

  • Turning proxy on/off for the domain/subdomains.
  • Purging the site cache.
  • Changing SSL/TLS encryption modes (Full and Full Strict).

What I have done with SWAG:

  • Consulted the linuxserver.io SWAG page under troubleshooting 502 errors: port unchanged except for upstream_port and upstream_app to match the guacamole container (see conf below).
  • Recreated the relevant conf parameters in the ApacheGuacamole Docker template (added labels for swag=enable, swag_port and swag_url).


My guacamole.subdomain.conf:
## Version 2021/05/18
# make sure that your dns has a cname set for guacamole and that your guacamole container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name guaca.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app ApacheGuacamole;
        set $upstream_port 7575;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_buffering off;
    }
}


The nginx error log says this:

[error] 8002#8002: *6 connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xx.xx.xxx, server: guaca.*, request: "GET / HTTP/2.0", upstream: "http://172.18.0.2:7575/", host: "guaca.xxxxxx.io"

Where client is my WAN IP, guaca.* is my subdomain (with CNAME pointed to @), and the 172. address is the custom Docker network. If the problem lies within SWAG, I'm not sure what is not correct, as there are no errors in the logs. If it is within OPNsense, I'm also not sure about that, as it looks correct to me.

Any other combination of port forwards (i.e. reversing the ports, doing 443/80 for everything, etc.) gets a 522. I know something is not right, but I am not experienced enough to determine what. I wish I knew what to do next... hopefully someday I will lol...
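The nginx error line quoted in this post is the single most useful piece of evidence in the thread, because it pins down which hop failed. As an added example (this is not the poster's code, nor part of SWAG or OPNsense), here is a small Python triage script that parses nginx proxy-module error lines of that shape and states what each failure mode implies for the WAN-to-container chain. The sample lines are constructed: the first mirrors the quoted line with placeholder addresses and a placeholder hostname, the other two are invented to show a timeout and a name-resolution failure. The errno tables are Linux values (SWAG runs in a Linux container), with the FreeBSD equivalents alongside.

```python
"""Triage nginx upstream failures from error-log lines.

Added example for this forum thread; not the poster's code and not part of
SWAG or OPNsense. SAMPLE_LOG below is constructed: addresses, hostnames and
timestamps are placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape of nginx proxy-module error lines. The leading timestamp is optional
# so a line pasted into a forum post without it still parses.
LINE_RE = re.compile(
    r"^(?:\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )?"
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) "
    r"(?P<msg>.+?)(?: while (?P<phase>[^,]+))?, client: (?P<client>[^,]+), "
    r"server: (?P<server>[^,]+), request: \"(?P<request>[^\"]*)\""
    r"(?:, upstream: \"(?P<upstream>[^\"]*)\")?"
    r"(?:, host: \"(?P<host>[^\"]*)\")?"
)
# The "(111: Connection refused)" annotation nginx appends to the message.
ERRNO_RE = re.compile(r"\((?P<errno>\d+): (?P<strerror>[^)]+)\)")

# Linux errno values first, FreeBSD equivalents second.
REFUSED = {111, 61}       # ECONNREFUSED: host answered with RST, nothing listening
TIMED_OUT = {110, 60}     # ETIMEDOUT: no SYN/ACK at all, packets dropped
UNREACHABLE = {113, 65}   # EHOSTUNREACH: no route from the nginx container

VERDICTS = {
    "upstream_refused": "Request traversed the WAN port forward and reached nginx; "
        "nginx reached the upstream host but no process listens on that port. "
        "Check the container's real port and the name/IP in proxy_pass.",
    "upstream_timeout": "nginx got no SYN/ACK from the upstream: wrong IP or network, "
        "or a host firewall dropping packets. Still past the WAN port forward.",
    "upstream_unreachable": "No route from the nginx container to the upstream host; "
        "check which Docker network each container is attached to.",
    "upstream_unresolved": "Docker's embedded DNS could not resolve the upstream name; "
        "the containers are not on the same user-defined network, or the name is wrong.",
    "other": "Unclassified nginx error; read the message.",
}


@dataclass
class UpstreamError:
    level: str
    msg: str
    phase: Optional[str]
    client: str
    server: str
    request: str
    upstream: Optional[str]
    host: Optional[str]
    errno: Optional[int]
    strerror: Optional[str]


def parse_line(line: str) -> Optional[UpstreamError]:
    """Return the parsed error, or None if the line is not a proxy error line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = ERRNO_RE.search(m["msg"])
    return UpstreamError(
        level=m["level"], msg=m["msg"], phase=m["phase"], client=m["client"],
        server=m["server"], request=m["request"], upstream=m["upstream"],
        host=m["host"],
        errno=int(e["errno"]) if e else None,
        strerror=e["strerror"] if e else None,
    )


def classify(err: UpstreamError) -> str:
    """Map an error to a verdict key in VERDICTS, using errno first, text second."""
    text = (err.strerror or err.msg).lower()
    if err.errno in REFUSED or "connection refused" in text:
        return "upstream_refused"
    if err.errno in TIMED_OUT or "timed out" in text:
        return "upstream_timeout"
    if err.errno in UNREACHABLE or "no route to host" in text:
        return "upstream_unreachable"
    if "could not be resolved" in err.msg:
        return "upstream_unresolved"
    return "other"


def triage(lines) -> dict:
    """Count verdicts over a log excerpt; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        err = parse_line(line)
        if err is not None:
            counts[classify(err)] += 1
    return dict(counts)


# Constructed sample log: line 1 mirrors the line quoted in the post.
SAMPLE_LOG = [
    '[error] 8002#8002: *6 connect() failed (111: Connection refused) while connecting to upstream, '
    'client: 203.0.113.7, server: guaca.*, request: "GET / HTTP/2.0", '
    'upstream: "http://172.18.0.2:7575/", host: "guaca.example.io"',
    '2022/08/23 17:32:10 [error] 8002#8002: *7 upstream timed out (110: Connection timed out) '
    'while connecting to upstream, client: 203.0.113.7, server: guaca.*, request: "GET / HTTP/2.0", '
    'upstream: "http://192.168.1.50:7575/", host: "guaca.example.io"',
    '2022/08/23 17:33:41 [error] 8002#8002: *8 ApacheGuacamole could not be resolved (3: Host not found), '
    'client: 203.0.113.7, server: guaca.*, request: "GET / HTTP/2.0", host: "guaca.example.io"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        err = parse_line(line)
        if err is not None:
            verdict = classify(err)
            print(f"{verdict:22} upstream={err.upstream}\n    {VERDICTS[verdict]}")
```

Read against the post: errno 111 means the TCP handshake to 172.18.0.2:7575 was answered with a RST, so the request had already passed the WAN port forward, OPNsense's filter rule and nginx's TLS termination; the fault is between nginx and the container, which is consistent with the proxy_pass change the poster reports in post #6. A Cloudflare 522 with no nginx line at all is the opposite case: the origin never completed the TCP connection, and that is when the port forward itself is the suspect.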
#12
On the Pace, the device is detected automatically and gives you a list of devices to choose from (if more than one is connected to the gateway). I'll give the switch MAC a shot.

UPDATE:

Providing the switch MAC for the Pace to use, things seem fine at first. It reports back with my public IP. If I leave out the switch MAC on the WAN interface, it picks up an internal IP from the Pace but on a different subnet (Pace default is 172.16.0.x, the WAN interface gets a 172.16.1.x address). If I provide the switch MAC to WAN, I am back at square one with the interface bouncing up and down 8 times, ending with down. This is slightly different than if I were to set everything to the Pace MAC. In that case it bounces up and down forever. If I choose OPNsense in the Pace but leave the switch MAC on the WAN interface, nothing happens.

To make things even more strange, the option to use the switch for IP passthrough has mysteriously disappeared, leaving only the OPNsense to choose from (aside from my desktop PC, which I need to connect to that switch to make changes on the Pace).
#13
I have a partial workaround using a second switch between the Pace gateway and the HUNSN appliance.  This gets me up and going and can get a public IP from AT&T.  But, in my previous setup, I needed to clone the MAC address of the AT&T gateway in order to get out to the internet.

But with the HUNSN and OPNsense, when I put the MAC address into the WAN interface settings it just constantly goes up and down in an endless loop. Not sure what else I need to do at this point?
#14
Yes I was looking at that as well.  The 320 seems to only be issued for new customers/installations.  I think I might have a workaround by placing a second switch between the appliance and gateway.
#15
Hmmm. That's one thing that I didn't think to check. I was hyper-focused on the HUNSN device itself. Getting a different gateway would be a crapshoot at best. I could specifically ask for one and could get verbal confirmation, but ultimately it does not mean anything, as there is no actual way to control what would be shipped.