Trouble actually hitting the correct applet from external connection
-
@johnpoz thanks for pointing out the FQDN being (doing this with a 2 year old being a 2 year old and a screaming 7 month old next to me :) )
and no worries about reading it all, ill post my firewall in just a minute (need to take screen shots).
And, how do i make sure im allowing 80 and 443 to hit my HAProxy?
as for ISP blocks, im on Commiecast, i dont think they block any ports but, i do not see any traffic on those ports (to be fair, i dont see much traffic on any ports... but, im REALLY REALLY new at this so, i may not be looking at the right place)
-
-
@menethoran lot of rules that don't make a lot of sense.
WAN net as a source isn't going to work, that isn't the internet - that is just your wan net.. Do you have lots of clients on your wan net? is 192.168.2.2 coming in from your wan? But then you also have it listed as destination?
Looks like a mess to be honest, bunch of useless rules..
So your allowing 443 to 192.168.2.2, where is the rule on your wan that lets the internet hit your frontend port of haproxy? Which would be 443 or 80 and 443, etc.
And your iot rules - how is wan net a source? I think you have a basic lack of understanding how rules are evaluated.
Rules are evaluated as traffic enters an interface from the network that interface is attached to.. How would an IP from whatever your wan net is be source of traffic from your iot network into the iot interface?
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
Wan net is NOT internet, its just the network your wan is attached too.. so like 1.2.3.0/24 or whatever your IP is on your wan and the mask...
-
@johnpoz a bunch of useless rules sounds accurate :)
Again, VERY new at this... im trying to get it to work, will worry about housekeeping if it becomes a problem or when i get the things i need working to work (a lot of the rules were/are attempts to get something to work... and then left there til i can figure out if they are needed or not.)Ill get there :)
so, source should be what? if its coming from the internet and i need it to go to the LAN (and no, nothing is really hosted on WAN. PfSense is new to me, so im trying to unlearn old habits from setting up much less technical routing situations)
-
@menethoran I also do know (now) that rules are evaluated top down (i actually thought, for a while, it was opposite of that).
And i have the understanding of coming from something like DD-WRT, functionally similar with a lot of the technical portions stripped out... and now im learning this. And i recognize that i have a LONG way to go)
gotta fail to learn... gotta learn to do it.
-
@menethoran What I would do - and happy to help is git rid of all those rules.. Start with a clean slate..
So you need rules to your plex (I have the same) and you need rules to allow access to your ombi.. Do you have any other services you need to allow from wan? If not those are the only 2 rules you should have. Plex rule would be auto added when you create your nat.
Use of HAproxy is different.. It normally would be listening on your wan interface, on the port you want it to proxy.. So 80 and 443.. So create rules that allow that.. Then those are the only 2 rules you would have on your wan.
All of those rules on iot don't make any sense either.. Just leave the any any rule at the end, and we can setup whatever rules you want.. Again happy to help. Just say what you want to do wand we can go over how you would do that. But all those rules on your iot to wan net make no sense at all.
-
@johnpoz ive got more services than ombi and plex. but im not too much worried about those right now, if i can stumble through those, i can probably figure out the rest on my own.
As for the firewall rules/NAT, i created the firewall rules before creating the NAT (took forever to figure out that i needed the NAT 1:1 to get plex working correctly outside of the network...
-
@menethoran said in Trouble actually hitting the correct applet from external connection:
i needed the NAT 1:1 to get plex working correctly outside of the network...
You do not need any such thing.. A simple normal port forward to 32400 is all that is needed.
When you create a port forward, by default it would auto create the firewall rule for you - unless you told it not too. You just need to make sure the placement of the rule is correct on the wan if you have any rules on the wan that would block it, etc.
-
@johnpoz i tried the simple port forward. I think its because i have plex as an applet (KVM) on TrueNAS Scale (Im used to TrueNAS core, but moved away from that when i moved with the PfSense over Unifi (VERY glad i did) but still need to learn a lot.)
And, i may not have needed the NAT rule, but whatever it did (i assume the firewall creation rule the way it made it) worked to gain access outside the network for Plex (before that, it would work for about 3 minutes then disable the outside connection (it was never long enough for me to actually test).
Anyway, i "commented out" (not sure the PfSense term for disabling a firewall rule) anything not needed (anything with a 0 next to traffic)
-
Still no joy (feel free to check on your end as you know the domain to go to (cloud.domain.com is also setup and doesnt work, just leads to the login page for TrueNAS )
-
@menethoran where is your frontend setup? for haproxy, and did you remove pfsense from listening on 80 and 443?
You have to setup the front end to match up to your backend that sends to port..
I hit your fqdn now on 80 I just hit truenas.
btw your rules should be wan address for destination.
If I hit your ombi fqdn on https: It tries to send me to 192.168.2.2:9001 So your ha proxy is clearly not setup correctly. But that looks more like a redirection vs proxy... Lets see your port forward setup..
-
@johnpoz i think thats because i have all https requests going to nextcloud (on 9001)...
-
@menethoran and again useless rules. How would the source port be 443? that would never be the case.
And how would the dest be 192.168.2.2 and natted to 192.168.2.2 to 3579, remove that rule as well.
Lets see your frontend of haproxy setup.
-
@johnpoz when you ask "did you remove pfsense from listening on port 80 and 443" do you mean, did i change the port used to access the pfsense gui? if so, yes. (is that problematic?)
-
@menethoran well if pfsense listening on 80, and your trying to use haproxy on 80, then yeah kind of a problem ;)
Make sure you remove the 80 redirect that pfsense gui uses.
-
@johnpoz so... ok, bigger problem (im assuming temporary).
I locked myself out of PfSense. I change my webgui port to 10080 without realizing that its "a dangerous port" (was just an easy quick port to set up that stopped it from using 80)...
what do i do?
-
@menethoran what do you mean dangous port?
You can just change it back to 80 on the console..
Why not just set pfsense to https only?
-
-
-
@johnpoz fixed... Effing Chrome.
well, now knowing THAT, im gonna keep it that way :)
