Can I assign a specific WAN IP for Caddy to listen on?

Started by fbeye, December 11, 2024, 05:51:50 PM

Hello

So I have a block of 6 usable static IPs. My OPNsense FW has the default of x.x.x.182 as the main FW IP/gateway. This IP does not have a domain registered to it.
x.x.x.181 has a domain I purchased with it and also happens to host the inside devices Caddy is using... Right now I have it coming in on .182 and port forwarded to the correct LAN, and had to create a DuckDNS entry for that. I want to use my domain instead, but it is not the default WAN IP.

Is this an option?


I do not understand the question.

You cannot bind to a specific interface. You could change the default HTTP and HTTPS ports of Caddy and port forward 80/443 from one of your IPs to these ports, e.g. 127.0.0.1:8080, 127.0.0.1:8443.
Hardware:
DEC740

Hello

Yeah, I may just not be good at explaining. Through my ISP I have a block of 8 IPs, 6 usable. By default whatever is PPPoE is the x.x.x.182 IP, and then I can assign x.x.x.177 - x.x.x.181 to other applications, but the OPNsense default WAN is x.x.x.182.
I do not have a domain registered to .182, but I do on x.x.x.181 (which also NATs to the 192.168.2.0 network where all my docker containers and servers reside).
With Caddy set up, if I use domain.org (which is x.x.x.181) it does not route, as Caddy is of course looking at the default WAN IP x.x.x.182. Is there a way for Caddy to reverse proxy, let's say, qbittorrent.domain.org, which is x.x.x.181, instead of having to make a DuckDNS entry that I do not want simply to use the WAN IP x.x.x.182?

Just add x.x.x.181 as an alias IP to your WAN interface and Caddy will listen to that, too.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Assuming you meant under Interfaces: Settings: Virtual IPs, there is an entry:
x.x.x.181/32       WAN   IP Alias

Unless you meant Firewall: Aliases, then I do not see any reference to associating an IP with a WAN interface.

Exactly. Caddy will listen to that address. Of course you need a firewall rule on WAN, e.g.

Source: any
Destination: x.x.x.181
Destination ports: 80, 443 (create an alias for more than one port in a single rule)
Protocol: TCP
Action: allow

Done.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Alright, so I did what I feel you mentioned to do, assuming the x.x.x.181 was the WAN IP. It does not work; I just cannot imagine what I am clearly not seeing.

December 12, 2024, 10:09:17 PM #8 Last Edit: December 13, 2024, 07:58:54 AM by Patrick M. Hausen
Did you move your web UI to a different port than 443 and disable the HTTP --> HTTPS redirection?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, currently everything works WHEN I use calibreweb.domain.duckdns.org (which uses the .182 IP, which I do not want), so it WORKS, but just not with the .181 domain.org I own. I THINK I found the problem. If I recall, a certificate needs to be made from the IP in question? So if .182 is initializing the certificate for .181, it won't work? OR AM I WRONG?

Either way here is the error

 "error","ts":"2024-12-11T18:07:00Z","logger":"tls","msg":"job failed","error":"calibreweb.domain.net: obtaining certificate: [calibreweb.domain.net] Obtain: [calibreweb.domain.net] solving challenges: [calibreweb.domain.net] context canceled (order=https://acme.zerossl.com/v2/DV90/order/Up4Tbor5ngGsgamcVeSztQ) (ca=https://acme.zerossl.com/v2/DV90)"}

Sorry I said qbittorrent earlier, I meant calibreweb.

I guess I am gonna purchase a domain for my main WAN IP and see if it works; if it does, then it is definitely something not obtaining a cert for the correct WAN IP. I planned on buying a domain anyway, so it's not terribly out of the way. Now I just gotta get creative.

Bud, you need to understand something about the interbewz (no offence to you, it's not knowledge everybody learns in school):
unless you have some specific interface with a given IP address, your operating system (router, and by that extension Caddy) will not listen to it.

So let's work through your scenario:
You were given a range of 6 IP addresses.
By default, when your router connects, it needs an IP, but it will only use ONE IP address, because, you know, you might want to use the others somewhere else.
Your DNS traffic points towards the IP that your router does not have assigned to the interface, so it ignores it because it's possibly for a different machine.
If you had some routing that pushed this traffic to your LAN, you could have a separate server in a so-called DMZ zone, which would consume one of the additional IP addresses, and everything for the given IP would be forwarded to it (yes, I know there are other setups possible, but I'm using this for illustration).

This is why somebody is suggesting here that you give WAN another IP address (an alias). Then your router will also "catch" this traffic because... you know, it's for the router, right? The router has this IP, so it should receive it!

Now, if you set this up, great, but what people tend to miss is that by default ALL routers will just reject all the traffic from the evil internet. So you need to set up a firewall rule to allow traffic to ports 80 & 443. Now you also need to allow this traffic going to your "alias IP", not only to your WAN default IP address.

Then I guess I am just missing it. Currently I do have it as you said, NGINX on a LAN IP, and I just port forward and it works fine. I understand the dynamics are changing because now I am using Caddy on the interface itself.
I understand what you say about everything being rejected; it makes sense as the router's main purpose is to block.

What I am struggling to understand is:
I HAVE an IP Alias (under Virtual IPs) that is assigned to the WAN.
I have 80,443 access from "any source" to "This Firewall". I guess I am not getting how to differentiate or add or specify ALSO 443,80 for WAN IP x.x.x.181 to communicate with "This Firewall" to use Caddy. I made the rule that was mentioned, source any, destination (x.x.x.181) port 443,80, and it being a WAN IP, with an alias, Caddy would recognize it. It does not? I am also admitting it is due to something "I" am doing wrong.
From my perspective I am being told (advised) to do this and this and this and this, and I am, and it is not working. Again, I totally claim that it is my lack of understanding. I'm not trying to do "big boy" things when I am a nice amateur, but this all started simple and escalated to apparently "advanced" stuff, so I'm trying to understand and follow.
I am being told 1+1 is 2 and my fng calculator is spitting out 3.

Quote from: fbeye on December 14, 2024, 06:45:45 AM:
    I HAVE an IP Alias (under Virtual IPs) that is assigned to the WAN.

Please show a screen shot of the configuration of that alias.

Quote from: fbeye on December 14, 2024, 06:45:45 AM:
    I have 80,443 access from "any source" to "This Firewall".

Please change that to "WAN address", which (admittedly a bit unintuitively) refers to all addresses on the WAN interface including aliases.

Then please show a screen shot of that rule.

Quote from: fbeye on December 14, 2024, 06:45:45 AM:
    I guess I am not getting how to differentiate or add or specify ALSO 443,80 for WAN IP x.x.x.181 to communicate with "This Firewall" to use Caddy. I made the rule that was mentioned, source any, destination (x.x.x.181) port 443,80, and it being a WAN IP, with an alias, Caddy would recognize it.

It should. Please add the output of these commands (obfuscate the WAN addresses):

ifconfig
netstat -na | grep LISTEN

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello

root@OPNsense:~ # ifconfig
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=1800a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,NETMAP>
        ether 52:54:00:fa:26:61
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=800a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether 52:54:00:72:55:b4
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN (wan)
        options=0
        inet 207.108.121.182 --> 75.160.240.27 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@OPNsense:~ # netstat -na | grep LISTEN
tcp46      0      0 *.80                   *.*                    LISTEN     
tcp46      0      0 *.443                  *.*                    LISTEN     
tcp4       0      0 127.0.0.1.6060         *.*                    LISTEN     
tcp4       0      0 127.0.0.1.8080         *.*                    LISTEN     
tcp6       0      0 *.8081                 *.*                    LISTEN     
tcp4       0      0 *.8081                 *.*                    LISTEN     
tcp4       0      0 127.0.0.1.8125         *.*                    LISTEN     
tcp6       0      0 ::1.8125               *.*                    LISTEN     
tcp4       0      0 172.16.2.1.19999       *.*                    LISTEN     
tcp4       0      0 127.0.0.1.43580        *.*                    LISTEN     
tcp46      0      0 *.53                   *.*                    LISTEN     
tcp4       0      0 127.0.0.1.27017        *.*                    LISTEN     
tcp4       0      0 172.16.2.1.3000        *.*                    LISTEN     
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN     
tcp4       0      0 *.5353                 *.*                    LISTEN     
tcp4       0      0 *.5353                 *.*                    LISTEN     
tcp4       0      0 *.5353                 *.*                    LISTEN     
tcp4       0      0 *.5353                 *.*                    LISTEN     
tcp4       0      0 *.22                   *.*                    LISTEN     
tcp6       0      0 *.22                   *.*                    LISTEN     
root@OPNsense:~ #



And then I changed the rule to WAN address, not This Firewall.

And here is snapshot;
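The two things the thread keeps circling are visible in the posted output and in the Caddy error: the kernel only accepts traffic for addresses that actually appear on an interface, and the ACME HTTP-01 challenge (the "solving challenges ... context canceled" job in the log) can only succeed if the CA's connection to port 80 on the IP the hostname resolves to lands on a local listener. The checker below is an added example, not code from the thread or from OPNsense/Caddy; it parses the `ifconfig` and `netstat -na | grep LISTEN` output Patrick asked for and reports whether a given public IP and port are reachable from the outside as far as the host itself is concerned. The sample text is trimmed from the output posted above; the hostname-to-IP mapping is a constructed assumption standing in for the public DNS A record. It cannot see the pf rules, so a "covered" verdict still needs the WAN firewall rule from earlier in the thread.

```python
"""Does a connection to <public IP>:<port> reach a listener on this OPNsense box?

Added example: not the thread's own code and not part of OPNsense or Caddy.
Parses FreeBSD `ifconfig` and `netstat -na | grep LISTEN` output.
"""
import re

# Trimmed from the ifconfig output posted in the thread.
IFCONFIG_SAMPLE = """\
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN (wan)
        inet 207.108.121.182 --> 75.160.240.27 netmask 0xffffffff
"""

# Trimmed from the netstat output posted in the thread.
NETSTAT_SAMPLE = """\
tcp46      0      0 *.80                   *.*                    LISTEN
tcp46      0      0 *.443                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0 172.16.2.1.19999       *.*                    LISTEN
"""

# Constructed assumption: what the public A record for the Caddy hostname
# resolves to (the thread's .181 address with a real first octet filled in
# from the posted ifconfig). Replace with a real DNS lookup in practice.
DNS_A = {"calibreweb.domain.net": "207.108.121.181"}


def parse_ifconfig(text):
    """Return {interface: [IPv4 addresses]} from FreeBSD ifconfig output.

    Alias addresses show up as additional `inet` lines under the same
    interface, so an IP Alias on WAN would appear as a second entry
    under pppoe0.
    """
    addrs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            addrs[current] = []
            continue
        m = re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)", line)
        if m and current is not None:
            addrs[current].append(m.group(1))
    return addrs


def parse_listeners(text):
    """Return {port: set(local addresses)}; '*' means bound to all addresses."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue
        # Local address is "addr.port"; split on the last dot so that
        # IPv4 dotted quads and "::1" both survive.
        addr, port = parts[3].rsplit(".", 1)
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def can_serve(ip, port, ifconfig_text, netstat_text):
    """Return (ok, reason) for a connection from the internet to ip:port."""
    configured = {a for addrs in parse_ifconfig(ifconfig_text).values() for a in addrs}
    if ip not in configured:
        # The kernel drops or forwards packets for addresses it does not own;
        # no socket ever sees them, whatever the firewall rules say.
        return False, f"{ip} is not configured on any interface"
    bound = parse_listeners(netstat_text).get(port, set())
    if "*" in bound or ip in bound:
        return True, f"listener on port {port} covers {ip}"
    return False, f"port {port} is only bound to {sorted(bound)}"


def check_acme_http01(hostname, ifconfig_text, netstat_text, dns=DNS_A):
    """HTTP-01 needs the CA to reach port 80 on the address the name resolves to."""
    ip = dns[hostname]
    ok, why = can_serve(ip, 80, ifconfig_text, netstat_text)
    return ok, f"{hostname} -> {ip}: {why}"


if __name__ == "__main__":
    for ip in ("207.108.121.182", "207.108.121.181"):
        print(ip, can_serve(ip, 443, IFCONFIG_SAMPLE, NETSTAT_SAMPLE))
    print(check_acme_http01("calibreweb.domain.net", IFCONFIG_SAMPLE, NETSTAT_SAMPLE))
```

On the posted output this reports that .182 is covered by the wildcard listeners on 80 and 443 while .181 does not appear under pppoe0 at all, which is the first thing to compare against the Virtual IP entry before looking at firewall rules or certificates.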