Messages - eagle6705

#1
So unbound is not doing any blocking.  Port 80 is going now after a reboot BUT it's getting a routing issue....(yes I did reboot prior, not sure why it's working. I'll follow up in a new post on how to move things over like certs, VPN, DHCP. Making rules would be simple as I only have one.)

Basically running tcpdump I see the following..it does look like a routing issue.  My external machine (it's an IP from a DC I have access to for testing) can access my home network but it looks like route 80 just won't route.

verbose output suppressed, use -v[v]... for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:38:14.198359 IP 143.48.108.26.29113 > 192.168.3.95.80: Flags [S], seq 2689577625, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:14.198434 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:14.462209 IP 143.48.108.26.29114 > 192.168.3.95.80: Flags [S], seq 4238710311, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:14.462284 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:15.204841 IP 143.48.108.26.29113 > 192.168.3.95.80: Flags [S], seq 2689577625, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:15.204902 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:15.477258 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:15.488090 IP 143.48.108.26.29114 > 192.168.3.95.80: Flags [S], seq 4238710311, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:15.488149 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:16.213146 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:17.211607 IP 143.48.108.26.29113 > 192.168.3.95.80: Flags [S], seq 2689577625, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:17.211667 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:17.474140 IP 143.48.108.26.29114 > 192.168.3.95.80: Flags [S], seq 4238710311, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:17.474199 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:19.221166 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:19.477187 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:21.225833 IP 143.48.108.26.29113 > 192.168.3.95.80: Flags [S], seq 2689577625, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:21.225892 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:21.485856 IP 143.48.108.26.29114 > 192.168.3.95.80: Flags [S], seq 4238710311, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:21.485913 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:25.365192 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:25.621240 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:29.229334 IP 143.48.108.26.29113 > 192.168.3.95.80: Flags [S], seq 2689577625, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:29.229413 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:29.493298 IP 143.48.108.26.29114 > 192.168.3.95.80: Flags [S], seq 4238710311, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:38:29.493379 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:37.397362 IP 192.168.3.95.80 > 143.48.108.26.29113: Flags [S.], seq 347498467, ack 2689577626, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:38:37.653298 IP 192.168.3.95.80 > 143.48.108.26.29114: Flags [S.], seq 1577311852, ack 4238710312, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

Pastebin info for the above...
https://pastebin.com/sA0jgzBu
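
Added example, not part of the original post: a small Python triage of tcpdump one-line output that groups packets per TCP flow and reports how far each handshake got, which separates "SYN never answered" from "SYN-ACK sent but handshake never completes" as in the capture above. The sample capture, its documentation IP addresses and the function name `classify_flows` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's default one-line format (not from the post).
SAMPLE = """\
16:38:14.198 IP 203.0.113.10.29113 > 192.168.3.95.80: Flags [S], seq 100, win 64240, length 0
16:38:14.199 IP 192.168.3.95.80 > 203.0.113.10.29113: Flags [S.], seq 900, ack 101, win 64240, length 0
16:38:15.204 IP 203.0.113.10.29113 > 192.168.3.95.80: Flags [S], seq 100, win 64240, length 0
16:38:15.205 IP 192.168.3.95.80 > 203.0.113.10.29113: Flags [S.], seq 900, ack 101, win 64240, length 0
16:38:16.001 IP 203.0.113.10.40000 > 192.168.3.95.443: Flags [S], seq 200, win 64240, length 0
16:38:16.002 IP 192.168.3.95.443 > 203.0.113.10.40000: Flags [S.], seq 700, ack 201, win 64240, length 0
16:38:16.050 IP 203.0.113.10.40000 > 192.168.3.95.443: Flags [.], ack 1, win 1026, length 0
16:38:17.000 IP 203.0.113.10.40001 > 192.168.3.95.6969: Flags [S], seq 300, win 64240, length 0
16:38:18.000 IP 203.0.113.10.40001 > 192.168.3.95.6969: Flags [S], seq 300, win 64240, length 0
"""

# timestamp, "IP", src.port > dst.port:, then the bracketed TCP flags
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def classify_flows(capture: str) -> dict:
    """Return {(client, server): verdict} for every flow whose SYN was captured."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "later": 0, "client": None})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines, non-TCP traffic
        src, sport, dst, dport, flags = m.groups()
        a, b = f"{src}:{sport}", f"{dst}:{dport}"
        flow = stats[tuple(sorted((a, b)))]  # same key for both directions
        if flags == "S":
            flow["syn"] += 1
            flow["client"] = a  # the SYN sender is the client
        elif flags == "S.":
            flow["synack"] += 1
        else:
            flow["later"] += 1  # ACK, data, FIN, RST: handshake moved on
    verdicts = {}
    for (a, b), f in stats.items():
        if f["client"] is None:
            continue  # capture started mid-connection
        server = b if f["client"] == a else a
        if f["later"]:
            verdict = "established"           # third packet of the handshake was seen
        elif f["synack"]:
            verdict = "stalled-after-synack"  # host replied, client's ACK never arrived
        else:
            verdict = "syn-unanswered"        # nothing listening, or dropped on the host
        verdicts[(f["client"], server)] = verdict
    return verdicts
```

A "stalled-after-synack" verdict means the inbound forward works and the server is answering, so the place to look is the return path (the server's default gateway and the firewall's state for the reply), not the inbound rule.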
#2
23.7 Legacy Series / Re: Port 80 Being Blocked
September 03, 2023, 07:03:52 AM
So new update. Using IP to a new server still fails BUT I did turn on packet tracing and see the packets and see an error [TCP Retransmission].  Opening up the packet I see "This Frame is a (suspected) retransmission"
I see in the log TCP Retransmission 80 -> 21796 or 21796
I suspected it might be my job's firewall so I tried at my parents' and brother's, who are using DD-WRT and a stock ASUS.  They also get this error.
https://imgur.com/a/9uPyZJB
#3
23.7 Legacy Series / Re: Port 80 Being Blocked
August 29, 2023, 10:39:15 AM
I tried and it still isn't working.  I tried firewall1 (hostname is opnsense) and firewall1.mydomain.com
Did you have to create the DNS records for the alternate name?  If so, was it internal and/or external?
#4
23.7 Legacy Series / Re: Port 80 Being Blocked
August 28, 2023, 09:51:22 AM
Quote from: axsdenied on August 26, 2023, 05:02:30 PM
I just put up traefik in front of my OPNsense.  Had the same issue.  I had to add the Alternate host name I was using under System: Settings: Administration.

Dumb question....what do I fill it in with?  The docs show an IP address so I put in the IP of my firewall.  But it mentions 2 IPs?  What did you put in to get this to work?
#5
23.7 Legacy Series / Re: Port 80 Being Blocked
August 26, 2023, 06:43:31 AM
Quote from: cookiemonster on August 23, 2023, 10:37:31 PM
please check your settings in System | Settings | Administration.
You probably need to disable the web GUI redirect rule and use a custom port for it. Check the help tips.


Disable web GUI redirect rule has a check mark next to it
GUI is listening on https on port 4433

Still cannot forward properly
#6
23.7 Legacy Series / Re: Port 80 Being Blocked
August 26, 2023, 06:41:56 AM
For shits and giggles...I put my original router back and reconfigured it to forward ports 80 and 443.  It works as expected so I can confirm it is OPNsense acting funny.
#7
23.7 Legacy Series / Port 80 Being Blocked
August 23, 2023, 08:48:08 AM
OPNsense seems to be blocking port 80, preventing me from using my nginx proxy manager.
Just so it's out of the way

  • Created Port Forward Rules for 443 and cloned for 80
  • Port 443 works but port 80 does not
  • ISP confirms it's open
  • Live view shows my connection going to my container over port 80
  • Turned off proxy and redirected to test server running apache (fresh install).  http works internally as expected
  • Externally I cannot get to it
  • Running nc -l 80 (after turning off apache) I can't see any connection
  • Created new rule for port 6969 can confirm I am connecting to server using nc -l 6969
  • Settings - Administration (Checked in Disable web GUI redirect rule)
  • Firewall - Settings - Advanced (Checked in Disable administration anti-lockout rule)

I am running OPNsense 23.7.1_3-amd64
At this point I have no other idea what to do.  My main goal is to forward 80 and 443 to my nginx proxy manager and get my auto renewal for SSL certs working.  I know the firewall is the culprit since putting back my dd-wrt modem fixes everything.  I'm at a loss as to what is happening.