Netgate Discussion Forum
    Cannot access Liquidsoap / HLS / NGINX through PFSense Firewall from outside network (Times Out)

    NAT
    6 Posts 2 Posters 146 Views
      carrzkiss
      last edited by carrzkiss

      Hello, All.
      (Can listen locally from the domain with port 9443, just not outside the network.
      This Liquidsoap server has been running for over a year now, I've just never tried listening to it outside the network before now.)

      I've only been listening to the Liquidsoap Stations locally and was heading into town, so I wanted to listen to the station. However, as I left the house, the stream would not play through my phone, but it was playing before I left while connected to the network.

      I finally got around to testing it by setting my phone to Wi-Fi Hotspot.
      And connected my secondary laptop to the Hotspot.
      When I ran the page alone, I encountered the following error.
      (This is just the page mysite.com:9443, not the stream, as it simply will not play.)

      The site can't be reached.
      And since the site can't be reached, it is also not picking up the SSL cert either.

      Which tells me that it is not able to get through the Firewall.

      Here are screenshots of both NAT and Rules settings.
      NAT
      NAT.png
      Rules
      Rules.png

      Am I missing something?

      Thank you.
      Wayne

        johnpoz LAYER 8 Global Moderator @carrzkiss
        last edited by

        @carrzkiss well your other rules are not triggering. Only that rule to 8080 is being triggered, which is how the top rule shows 0/520B and the others are all 0/0.

        This means the first rule has passed 520B but currently has no states open (that first 0)

        This means nothing has gotten to the firewall on these ports. Do you have rules above that would block? Do you have rules in floating?

        As a simple test I would validate that pfSense can see traffic on those TCP ports. Start a packet capture on your WAN interface, where this traffic should hit, and then go to, say, canyouseeme.org and send some traffic to a TCP port, for example that 8007 port.

        So while I have nothing that would allow that port 8007 to anything, I can see from the packet capture that the traffic does indeed get to the pfSense WAN interface.

        port.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          carrzkiss @johnpoz
          last edited by

          @johnpoz
          The issue was port 9433.
          Once I changed it to 9443, it started working.

          Port 8080 is now showing: 0/3 KiB
          Port 9443 is now showing: 1/1755 KiB

          I don't have any idea when port 9443 was changed to 9433.
          I could have set it to that during internal testing to ensure no one could access it from outside the network.
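The two things that settled this thread are mechanical enough to script: johnpoz read the rule counters (a rule showing 0/0 has never passed a packet), and the root cause turned out to be a one-digit port typo (9433 instead of 9443). The following is an added example, not code from either poster or from pfSense; the rule list, the counter strings and the "what each service really listens on" table are constructed for illustration, and the field names are assumptions rather than pfSense's own.

```python
"""Sanity checks for pfSense-style port forwards (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class PortForward:
    description: str   # rule description as shown in the NAT list (assumed field)
    dest_port: int     # port the rule matches on the WAN side
    target_port: int   # port on the internal host the traffic is redirected to
    counter: str       # "states/bytes" cell of the matching firewall rule


# Constructed sample: the stream service listens on 9443 internally, but the
# forward was typed as 9433, mirroring the mistake found in the thread.
SAMPLE_RULES = [
    PortForward("Web", 8080, 8080, "0/520B"),
    PortForward("Liquidsoap HLS", 9433, 9443, "0/0"),
    PortForward("Other", 8007, 8007, "0/0"),
]

# What each internal service actually listens on (constructed).
LISTENING_PORTS = {"Web": 8080, "Liquidsoap HLS": 9443, "Other": 8007}

_COUNTER = re.compile(r"^(\d+)/(\d+(?:\.\d+)?)\s*([KMG]i?B|B)?$")
_SCALE = {"B": 1, "KB": 1000, "KiB": 1024, "MB": 10**6, "MiB": 1024**2,
          "GB": 10**9, "GiB": 1024**3}


def parse_counter(text):
    """Turn a 'states/bytes' cell such as '0/520B' or '1/1755 KiB'
    into (open_states, bytes_passed)."""
    m = _COUNTER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised counter: {text!r}")
    states = int(m.group(1))
    amount = float(m.group(2))
    unit = m.group(3) or "B"
    return states, int(amount * _SCALE[unit])


def never_matched(rules):
    """Rules holding no states and having passed no bytes: nothing has ever
    reached the firewall on that port (the 0/0 reading from the thread)."""
    return [r.description for r in rules if parse_counter(r.counter) == (0, 0)]


def looks_like_typo(a, b):
    """True when two ports of equal length differ by one digit or by an
    adjacent swap, e.g. 9433 vs 9443."""
    s, t = str(a), str(b)
    if s == t or len(s) != len(t):
        return False
    diffs = [i for i in range(len(s)) if s[i] != t[i]]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and s[diffs[0]] == t[diffs[1]] and s[diffs[1]] == t[diffs[0]])


def port_mismatches(rules, listening):
    """Compare each forward's WAN port and target port with the port the
    service really listens on. Returns (description, field, actual, expected, typo?)."""
    findings = []
    for r in rules:
        expected = listening.get(r.description)
        if expected is None:
            continue
        for field in ("dest_port", "target_port"):
            actual = getattr(r, field)
            if actual != expected:
                findings.append((r.description, field, actual, expected,
                                 looks_like_typo(actual, expected)))
    return findings


def report(rules, listening):
    """Human-readable summary built from the two checks above."""
    lines = []
    for desc in never_matched(rules):
        lines.append(f"[no traffic] {desc}: rule has never matched; check the "
                     "forward's port and capture on WAN to confirm packets arrive")
    for desc, field, actual, expected, typo in port_mismatches(rules, listening):
        hint = " (single-digit typo?)" if typo else ""
        lines.append(f"[mismatch] {desc}: {field}={actual} but the service "
                     f"listens on {expected}{hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES, LISTENING_PORTS)))
```

Run as a script it prints one "no traffic" line for each rule that has never matched and a "mismatch" line for the 9433/9443 forward. A rule that never matches is not proof the port is blocked upstream, which is why the packet capture on WAN that johnpoz suggested is still the decisive check; this script only narrows the candidates.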

            johnpoz LAYER 8 Global Moderator @carrzkiss
            last edited by

            @carrzkiss glad to hear you're sorted. Yeah, I run HAProxy on 9443 as well ;) It's a common port used for SSL traffic when you don't want or can't use normal 443.

            I have TCP 443 open as a VPN alternative port; when it's not VPN traffic, the port-share in OpenVPN sends it to my HAProxy via port 9443, which then sends it to my service behind pfSense.

              carrzkiss @johnpoz
              last edited by

              @johnpoz I have a Windows IIS Server Farm running on port 443, so I have to use 9443 for my Linux stuff.

                johnpoz LAYER 8 Global Moderator @carrzkiss
                last edited by

                @carrzkiss why is that? HAProxy can listen and send stuff based on the URI to different machines.

                something.domainX.tld goes to your IIS IP
                otherthing.domainX.tld goes to your linux box.
                etc..

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.