Port 80 not forwarding

Elmojo

@johnpoz Cool, thanks for sharing that!
I'm getting there.
Still fuzzy on how to cap the packets on the LAN, I can't seem to get it to work.
When I set up the capture, I choose LAN, then what IP? Still external IP or the internal IP that the ports are forwarded to?
Then port 80, then start....
I've tried with both internal and external IP. Neither one gives any packet output.
I know I'm doing something simple wrong.

johnpoz

@elmojo said in Port 80 not forwarding:

Still external IP or the internal IP that the ports are forwarded to?
Then port 80, then start....

Again why would you think it would be 80? And what external IP - not yours.. It would be the IP of can you see me.

To sniff for the traffic going to your lan device. 192.168.11.108 is where your port forwarding - use that IP in your sniff, and the port would be 1880. That is the port you setup in your port forward from you screenpic

Your sending traffic that hits your wan on port 80, to that 11.108 address on port 1880. Is that what you want, or do you want reverse 1880 on your wan and send 80 to 11.108?

Elmojo

@johnpoz said in Port 80 not forwarding:

And what external IP - not yours.. It would be the IP of can you see me.

Umm... okay I was with you until right then. For all these other port tests we've done, they've always been tested against my public IP. In fact, when I go to canyouseeme, it fills in my public IP and I can't even change it.

In any case, the brain cells finally clicked and I see it working!
I sniffed the LAN, and I can see incoming traffic on 1880, so I know the forward is working.
Oh man, thanks so much!
I still have a long way to go to get my reserve proxy working, but at least this first small hurdle is jumped. :)

Speaking of, which package do you suggest? I'm looking at Nginix Proxy Manager right now, but I'm open to suggestions.
All I want to do is to be able to host my simple landing web site myself, rather than pay for a monthly hosting fee for literally 1 page.
I'm sure you've been through all this and can save me some (additional) headaches. ;)

Again, thanks so much for your patience in beating this knowledge into my head.

johnpoz

@elmojo when you sniff on the LAN you will not be seeing your wan IP.. You would see the public IP of who is sending the traffic, and the IP you forwarded too.

Only on your wan would you see traffic to your wan IP, once you forwarded it the source would be the external, and dest (your lan IP you sent to) your wan would not be there to see.

So to filter traffic on your lan, and you want to use an IP, you can either use the source IP of the traffic - the can you see me IP, or your destination lan IP your sending it to.

edit: As to what reverse proxy? I just run haproxy on pfsense, I use it to send to a couple of sites behind pfsense based on the host info they send. Also allows for easy use of acme certs for ssl offloading.. The app I run doesn't really make it easy to do ssl on its own.

edit2: reminds me should prob redo that config, I am no longer running the one site, I switched from ombi to overseerr, and I was running both for a while as I tested overseerr - but it won, and now ombi is shutdown. I like the ssl offload feature, and I like how I can limit based on host header info sent.. So bots just searching 443, don't get anything - unless they send the valid fqdn.. I also run openvpn instance on 443 tcp, when I am might be at a place that blocks 1194 udp. And can do both with port share in openvpn and haproxy its pretty simple setup.

Elmojo

@johnpoz Ah, I see the confusion now.
I meant when I was setting up the packet capture. I was asking what host address I needed to input. Sorry I wasn't clear. Turns out the answer is none, unlike in previous steps, where we were specifying my external IP.
I'm sure that's all second nature to you, but it's baffling to me when it's not spelled out. lol

Any thoughts on the web self-hosting question?

johnpoz

@elmojo see my edit.. I use haproxy.

The services I run are all in just dockers on my nas, I use haproxy on pfsense to send traffic to the right place. This way can all use 443 externally.

Elmojo

@johnpoz That sounds a bit beyond me. I'll probably just stick with the noob-friendly stuff that has lots of youtube tutorials and handholding guides. lol

Thanks again for your help!
At least I know how to forward whatever ports I need open now.
Next on my list is some sort of remote access for one of my client's Netgate machines via either Wireguard or OpenVPN, but that's another kettle of fish entirely. ;)

johnpoz

@elmojo openvpn is simple and straight forward. I do believe at some point wireguard will give it a run for its money. Especially if they come up with the QR code to just scan ;)

There was a bit issue, of whats the term to use - quagmire prob works ;)

It was in, and then it was pulled, and some social media craziness, etc. Now there is a package again listed..

I'm a fan of openvpn. Its rock solid, used it for years and years.. It can do tcp for your tunnel, which I do not believe WG supports.. While tcp is not optimal for the vpn, it can come in quite handy when the UDP port is blocked - its a given that 443 is almost always open ;) And you can connect via proxy even.. So when your say at the office, and they run a proxy, and you want to vpn into your home network ;) Use to do that daily before covid and now just full time work from home.

Elmojo

@johnpoz That's good info, thanks.
I'll probably stick with OpenVPN, since it seems to be a bit more robust and mature.

Elmojo

Okay, this is giving me a headache. I thought we had it all sorted out. I was able to forward ports, and checking them against the canyouseeme site was reporting them as open.
However, as of today, they are suddenly closed again?!
I was attempting to forward a different set of ports, for another container.
Once I realized it wasn't working, I set everything back to the way it was, but even the original rules aren't working now. What gives?
Here are my NAT and WAN rules screens. See anything I broke that could be accounting for this behavior?

I can sniff the traffic on the WAN and see it hitting the wall, but canyouseeme reports an immediate "connection refused". Ports that aren't forwarded tend to time out after about 10 secs, so I know it's doing something, just not what I've asked it to do.
I'm too old for this... lol

johnpoz

@elmojo just out of curiosity why would you forward 1194 to the wan? Openvpn is listening on that - there is no need to forward it.

So when you sniff on the wan do you see a R go back?

Your forward for 80 is showing an active state that /1/1 there - so did your server refuse it?

https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

Elmojo

@johnpoz
The 1194 forward is part of the OpenVPN wizard setup. I don't believe I did it manually.
I don't see any explicit blocks in the main log, but when I sniff the WAN I see it hit from outside, and a response go back from my side. It doesn't say what sort of reply it is, only that it's on some random port. Looks like this... (this is 2 attempts)

23:42:49.722015 IP 52.202.215.126.36854 > 174.xx.xxx.184.80: tcp 0
23:42:49.722035 IP 174.xx.xxx.184.80 > 52.202.215.126.36854: tcp 0
23:42:51.138779 IP 52.202.215.126.36860 > 174.xx.xxx.184.80: tcp 0
23:42:51.138801 IP 174.xx.xxx.184.80 > 52.202.215.126.36860: tcp 0

johnpoz

@elmojo said in Port 80 not forwarding:

The 1194 forward is part of the OpenVPN wizard setup.

No it isn't.. You had to have done that manually. It makes zero sense.. The wizard will make your wan rule for you, but it would not do a port forward.

23:42:49.722035 IP 174.xx.xxx.184.80 > 52.202.215.126.36854: tcp 0

Your server you forwarded too sent a RST! Telling them to go away..

If you would up the verbosity of the sniff, you would see it was RST..

When you do that test do it on the lan side your sniff, and you will see your server sending it back.. Unless you had setup a specific reject rule pfsense wouldn't send a RST.

Did you put a specific rule in your floating tab?

Elmojo

@johnpoz
Beats me, I set it up a while back, and I'm not even using it right now. Ignore it for the current conversation. I can delete the rule if you think it may be having an impact?
There are no floating rules.
Nothing has changed from when you helped me the other day. I literally have had no time to work on it any more. I just sat down this evening to try to get SWAG set up, and it needed a different set of ports forwarded. I plugged in those forwards, noticed they weren't working, removed the entries, and here were are. Dunno man, it's baffling.
I'll have to tackle it more tomorrow, if you're available. It's nearly midnight and I'm beat. :)

Well son of a.... I think I just figured it out!
I distinctly recall you telling me before that I didn't need any service running on the server (LAN) side in order to check if the ports were open, so I hadn't bothered spinning up the container until I got that sorted out. However, I just went back, turned off SWAG, and fired up NginxProxyManager. This was really just to make sure I hadn't broken anything on the server side. I clicked the port test button, and wouldn't you know, they're testing as open now!
I guess not having anything running on the server to "accept" the request, for lack of a better term, it was rejecting the packets. Man, I wish I had tried this 2 hours ago. :/
At least I can get some sleep now. lol

johnpoz

@elmojo You don't need to have anything listening if your going to sniff to see if the traffic gets to psfense..

Bob.Dig

I can't open port 443 and I don't know why, but I have another router in front of pfSense, so it is hard to tell, which device is responsible for that... but pfSense is the exposed host of that first router.

johnpoz

@bob-dig said in Port 80 not forwarding:

but pfSense is the exposed host of that first router.

If pfsense does not see traffic get to it on 443 (when you sniff on pfsens), then "something" upstream didn't allow it, be it that router in front of pfsense (likely suspect) or your ISP. etc..

Bob.Dig

@johnpoz The Problem for me, the ISP is not known for doing that and also the router is not. I can see which port the router has opened to WAN and there is no 443. Do you have any tip for seeing it in pfSense?
What I did after noticing this problem was placing a reject tcp 443 floating WAN in on top and logging and doing a port test on a website, still port is stealth and no log entry...
Also sorry, I have not read this whole thread.

johnpoz

@bob-dig said in Port 80 not forwarding:

still port is stealth and no log entry..

Then it didn't get to pfsense.. Pfsense has zero control over what gets to it or not.. It can not do anything with traffic it never sees, be that ignore it, or forward it or reject it.

If you sniff on pfsense when you do a test from can you see me .org for example - and you don't see it, then it didn't get to pfsense. Something upstream prevented it, or your sending to the wrong IP..

You could be standing at the plate, all ready to hit that homerun. If the pitcher never throws you the ball.. Nothing you can do about it.

Bob.Dig

@johnpoz I don't know about American Football ;) but I was able to open the web-ui of that router to the public, so it is not an ISP thing. So I guess the router firmware is faulty, I will report to them. Still, this problem seems to "big" that nobody has found it so far... thx John.