Can't get access from outside to webpage
-
Hi all,
I am stuck at a problem and require some feedback. Probably it is just a small thing, but I cannot figure it out.
Target:
I want to host a webpage, reachable from the outside.
What I did:
I set up a VM with wordpress, which is reachable via 192.168.0.189
I set up an acme lets encrypt certificate
I set up HAproxy as reverse proxy
I created firewall rules, so that the traffic can reach HAProxy.
I assume that there is a problem between the rules or the HAProxy.
network topology:
ISP router 192.168.1.1
pfsense WAN 192.168.1.120
pfsense LAN 192.168.0.120
VM with WordPress 192.168.0.189
Pictures:
force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-
Is further information required?
-
Where are you testing from? Have you tested from a device in the 192.168.1.0/24 subnet?
What result do you see when you try to connect?
Steve
-
Yes, connected a laptop to the ISP router (WAN port of pfSense), which is in the 192.168.1.x subnet.
Tried:
-
https://anschreikurse.duckdns.org
-
http://anschreikurse.duckdns.org
-
http://nc.anschreikurse.duckdns.org
-
https://nc.anschreikurse.duckdns.org
Also tried to ping those addresses, without success.
Is it correct to configure just the IP address of the webserver in HAProxy, or shall the webserver also have the www name?
Maybe one more remark: I also have OpenVPN on pfSense on port 443, but of course I deactivated the service and temporarily disabled the firewall rules.
-
-
@pooperman said in Can't get access from outside to webpage:
anschreikurse.duckdns.org
Those URLs are going to resolve to the external IP of the ISP router. Unless that has some sort of NAT reflection it will never hit HAProxy when you test from there.
Try testing from a different public IP so the ISP router forwards it to HAProxy.
Steve
-
ISP router just has a port forward on 80 and 443 to 192.168.1.120 (WAN of pfSense). Nothing else is configured there.
Anyhow, I also tried with the phone over the cell network (VPN deactivated ;-) ), same result. I still think that something in the pfSense settings is not correct.
Below the NAT table:
Looks good to me; nothing there should interrupt the traffic related to my issue.
-
Ok, it looks like the firewall rules on WAN allowing access to HAProxy are disabled. Is that still the case?
If so, enable them and enable logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log.
Steve
-
@stephenw10 said in Can't get access from outside to webpage:
Ok, it looks like the firewall rules on WAN allowing access to HAProxy are disabled. Is that still the case?
If so, enable them and enable logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log.
Steve
When I took the screenshot I had moved back to the initial state. During testing, rules were on and OpenVPN off.
Give me a few minutes, I will set it up and show the log files.
-
Rules are enabled.
That is the page from the LAN view.
That is the log.
I know there is a different view for logs, which can be copied, but I can't find it.
-
If you enable logging on those pass rules, then traffic that is matched and passed will be shown in the firewall log.
However you can see from the state counters there that nothing had been passed by them when that screenshot was taken.
It looks like no traffic is arriving on the WAN for ports 80 or 443. Check the ISP router is actually passing it.
Steve
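To show what "passed traffic from the phone IP in the firewall log" looks like in practice, here is an added example (not from this thread or from pfSense itself) that parses a few constructed pfSense filterlog lines and counts inbound hits on ports 80/443 per rule action. It assumes the documented filterlog IPv4 CSV field layout; the interface name em0, the client address 203.0.113.7 and the rule numbers are constructed sample values.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample pfSense filterlog entries (the CSV part after the
# syslog prefix), in the IPv4 TCP field layout documented for filterlog:
# rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,
# srcport,dstport,datalen,tcpflags
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.120,51234,443,0,S
1770010,,,1597620143,em0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.120,51235,443,0,S
1770011,,,1597620144,em0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.120,51236,80,0,S
5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,192.168.1.120,40001,22,0,S
"""

WEB_PORTS = {"80", "443"}


def parse_filterlog(text):
    """Yield the fields this check needs from IPv4 TCP/UDP filterlog entries."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 22 or row[8] != "4":  # only the IPv4 layout is handled here
            continue
        yield {
            "iface": row[4], "action": row[6], "dir": row[7],
            "proto": row[16], "src": row[18], "dst": row[19],
            "sport": row[20], "dport": row[21],
        }


def web_traffic_summary(text, wan_iface, client_ip):
    """Count inbound hits on ports 80/443 from client_ip on the WAN, per action.

    Returns a Counter such as {'pass': 2, 'block': 1}; an empty Counter means
    no packet from that client for those ports reached the WAN interface at all.
    """
    hits = Counter()
    for e in parse_filterlog(text):
        if (e["iface"] == wan_iface and e["dir"] == "in"
                and e["src"] == client_ip and e["dport"] in WEB_PORTS):
            hits[e["action"]] += 1
    return hits


if __name__ == "__main__":
    print(dict(web_traffic_summary(SAMPLE_LOG, "em0", "203.0.113.7")))
```

An empty result for the phone's IP means the packets never reached the WAN (so the ISP router forward is the place to look), while entries with action block point at the pfSense rules instead.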
-
@stephenw10
I am very sure it is not related to the ISP router, as port 443 for OpenVPN never had any issues. However, I put it into DMZ mode, so there is absolutely nothing that might block it.
Still no success.
-
@stephenw10
When I use anschreikurse.duckdns.org from the phone I get a warning that the certificate is untrusted. I checked the cert and it is the root CA from pfSense. If I click "yes, continue unsafe", it shows me the login page of pfSense.
So that shows me the ISP router is working fine and DNS resolution is also working.
-
I assume that screenshot was taken before you had tested that then as there are no connections shown.
Ok, you will need to change the port the pfSense GUI is listening on in Sys > Adv > Admin Access. You cannot have nginx and HAProxy both listening on 443.
HAProxy will have logged that. It would have failed to start the frontend on 443.
Steve
-
@stephenw10
Good point! I haven't seen any notification, but yes, it makes sense. So the pfSense login is now on a different port.
I came to the setting "NAT reflection mode for port forwards" under Admin Advanced.
It is set to disabled. Is that correct?
-
That's the default setting. You do not need NAT reflection here at all; HAProxy proxies the traffic, it does not forward it.
Steve
-
-
With the correct certificate?
-
I think so.
Cert is for anschreikurse.duckdns.org.
HAProxy frontend is also for anschreikurse.duckdns.org.
Backend is nc.anschreikurse.duckdns.org.
-
There is some issue with the SSL handshake: