Creating a rule to allow LetsEncrypt Acme challenge

[HankM]

I need to whitelist Let's Encrypt Certbot's Acme Challenge through.

With my limited knowledge, I created this firewall WAN rule:

Action - Pass
Interface - WAN
Direction - In
TCP Version - IPV4
Protocol - TCP
Source - any
Destination - Single Host - 72.xx.xxx.xxx The public IP of the mail server /32
Destination Port Range 80 to 443 (or do I need one rule for each?)
Gateway - ?? Default (or should it be) My internal or Wan-ppoe?

I left it at default.

I moved the rule to the top of my list of blocked IP addresses (Country Block), but it doesn't work.

The people at Let's Encrypt tell me that I've managed to block some of the AcmeChallenge servers, and I had hoped that this would fix it.

What have I done wrong?

[Saarbremer]

Hi,

you can debug this yourself. First make you rule a little bit more maintenance friendly:

Create two aliases: One for your server's IP address and one for the two ports 80 and 443. Then rewrite your rule with those aliases, enable logging, and perform a state reset of the firewall.

Then check in the firewall live log what is blocked during ACME challenge and response. You should see traffic coming in towards your server on 80 or 443 which is probably blocked. If it passes, you may have something else going on than firewall blocks.

Regarding the rule: Don't define a gateway unless you need policy based routing