Local IP get blocked by Caddy on domain with Access list

Started by verlenord, April 23, 2025, 11:20:01 AM

Hello

I need your help :-)
First, I'd like to point out that I'm a beginner and that I was able to set up my setup thanks to the various tutorials on the internet. Please forgive me for using terms that may be incorrect or imprecise when defining certain things. I'm a fast learner, but I still have a lot of gaps ...

I have installed and configured Caddy as described in the documentation, and it works perfectly well in general.

However, for some time now, I've been having problems with certain domains that I've configured to be accessible only by local IPs (Access list). At first, everything worked fine, then, after a while, ~1 month, I couldn't access them, as my IP address was no longer considered local. My laptop is configured with a fixed IP and when I change it, I can access the protected URL again. This problem also arises with VPN IP addresses.

I have CrowdSec, Suricata and Zenarmor installed and configured on the router. My first thought was that somehow my IP was banned somewhere, but I couldn't find any trace in the aliases. I've also deactivated all 3 without success.

When I go back to an old fixed IP after some time, it works again for a while, before being blocked again. I confess I don't know where to look.

Here's my access list setting:

192.168.10.0/24
10.10.10.0/24
192.168.0.0/24
192.168.30.0/24
192.168.20.0/24

Any help would be very much appreciated
Thanks

And your laptop's blocked IP address is exactly?

Any possibility your laptop is using IPv6 to access the service in question?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

My laptop IP is 192.168.20.45

Regarding IPv6, I have to admit that I'm really not comfortable with it. I haven't really looked into how it works.

I do have an IPv6 address, here's the info I get:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
   ether 52:50:98:ef:ab:ad
   inet 192.168.20.45 netmask 0xffffff00 broadcast 192.168.20.255
   inet6 fe80::8ce:8fce:921c:14b0%en0 prefixlen 64 secured scopeid 0xe
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active


The problem occurred again last night and I had to change my IP to regain access.

I'm interested in any tips you can think of 🙏

Quote from: verlenord on April 23, 2025, 11:58:33 AM

Regarding IPv6, I have to admit that I'm really not comfortable with it. I haven't really looked into how it works.

I do have an IPv6 address, here's the info I get:

So just disable IPv6 on the laptop for troubleshooting, to ensure it's not that.

The laptop has only a link-local address so IPv6 is most probably not the cause.

I'd bring the big gun and use tcpdump when the problem is present.

I'm ready for the big gun! However, I'm not sure what settings to use to get a relevant result.

For the moment, I've tested the blocked IP 192.168.20.45 on port 443.
I've also tested a local IP that works, 192.168.20.65 on port 443.

The only difference I can interpret in the results is that on the blocked IP the response comes from my public IP, whereas on the working IP it comes from the firewall (192.168.0.1).

I'm going to sound like a total beginner, but I don't know how best to share the tcpdump results with you and what potentially sensitive information needs to be masked...
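The two practical questions in this thread are whether the address Caddy actually sees falls inside the posted access list, and how to share a tcpdump capture without leaking the WAN address. The script below is an added example, not code from the thread, from Caddy or from OPNsense. It applies the same test Caddy's remote_ip matcher does (source address contained in one of the listed subnets) to the source column of tcpdump lines, and redacts every address that is outside those subnets before the capture is pasted. The tcpdump lines and the 203.0.113.7 "public" address are constructed for illustration; the access list is the one from the first post. It also shows the point raised about IPv6: an IPv6 source, even a link-local one, matches none of the IPv4 subnets, so it would be rejected by this list.

```python
"""Check tcpdump source addresses against a Caddy-style access list.

Added example, not code from the thread, Caddy or OPNsense.
The access list is the one from the first post; the capture lines
and the 203.0.113.7 public address below are constructed.
"""
import ipaddress
import re

# Access list exactly as posted in the thread.
ACCESS_LIST = [
    ipaddress.ip_network(n)
    for n in (
        "192.168.10.0/24",
        "10.10.10.0/24",
        "192.168.0.0/24",
        "192.168.30.0/24",
        "192.168.20.0/24",
    )
]

# tcpdump prints "IP src.port > dst.port:" (and "IP6 ..." for IPv6).
TCPDUMP_RE = re.compile(r"\bIP6? (\S+) > (\S+):")

# Constructed capture lines: a working LAN client, a client whose packets
# carry the public address, and an IPv6 link-local client.
SAMPLE = [
    "10:41:00.000001 IP 192.168.20.65.51000 > 192.168.0.1.443: Flags [S], seq 1, length 0",
    "10:41:00.000002 IP 203.0.113.7.51001 > 192.168.0.1.443: Flags [S], seq 2, length 0",
    "10:41:00.000003 IP6 fe80::8ce:8fce:921c:14b0.51002 > fe80::1.443: Flags [S], seq 3, length 0",
]


def is_allowed(addr: str) -> bool:
    """True if addr lies inside any access-list subnet.

    An IPv6 address never matches an IPv4 network, so fe80::... fails.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ACCESS_LIST)


def split_endpoint(endpoint: str):
    """'192.168.20.45.52134' -> ('192.168.20.45', 52134); works for IPv6 too."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def classify(lines):
    """For each line with an IP header: (src, dst, allowed_by_access_list).

    Feed it the packets arriving at the Caddy side; their source column is
    what the matcher tests, whatever the client believes its own address is.
    """
    result = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, _ = split_endpoint(m.group(1))
        dst, _ = split_endpoint(m.group(2))
        result.append((src, dst, is_allowed(src)))
    return result


def redact(line: str) -> str:
    """Replace any address outside the access list (e.g. the WAN IP) before sharing."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return line
    parts = []
    for endpoint in (m.group(1), m.group(2)):
        host, port = split_endpoint(endpoint)
        parts.append(endpoint if is_allowed(host) else f"REDACTED.{port}")
    return line[: m.start(1)] + parts[0] + " > " + parts[1] + line[m.end(2):]


if __name__ == "__main__":
    for src, dst, ok in classify(SAMPLE):
        verdict = "allowed" if ok else "REJECTED by access list"
        print(f"{src:>28} -> {dst:<16} {verdict}")
    print("--- shareable capture ---")
    for line in SAMPLE:
        print(redact(line))
```

To produce input for it on the firewall, capture the SYN packets reaching the port in question (for example `tcpdump -ni <lan_interface> 'tcp dst port 443 and tcp[tcpflags] & tcp-syn != 0'`, with the interface name being whatever the Caddy listener sits on) and pipe the saved text through `redact` before posting. The private subnets in the list are RFC 1918 and not sensitive; the lines that need masking are exactly the ones this script flags as not allowed.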