Netgate Discussion Forum

Port forwarding to Docker server

  • D
    dridhas
    last edited by Oct 18, 2021, 7:37 PM

    Hello,

    Recently got pfSense running and the only thing I'm missing is to configure the access to my Docker server using my subdomains.
    If I enter my external IP address I get the pfSense web GUI.
    This is what I have for the port forwarding rule:
    45942312-1b10-431e-84b1-d1840f0b92e9-image.png

    And with this I get a certificate error, which I can tell is the selfcert from pfSense.

    Now, within Docker I have Nginx Proxy Manager that handles the access to the different containers via their own subdomain.
    With the ISP modem it was just Modem > port 443 to 4443 > container.

    The LAN firewall rule has no blocks.

    Would you be able to guide me on being able to reach the Nginx Proxy Manager using
    port forwarding?

    Thanks in advance!

    • V
      viragomann @dridhas
      last edited by Oct 18, 2021, 7:42 PM

      @dridhas said in Port forwarding to Docker server:

      If I enter my external IP address I get the pfSense web GUI

      Set the web configurator to listen on any other port in the advanced settings > admin page.

      • D
        dridhas @viragomann
        last edited by Oct 18, 2021, 7:54 PM

        @viragomann OK, the webConfigurator's port has been updated to something else.
        Now when I enter the external IP, nothing happens, which is good... 😊

        Next step is to be able to enter my subdomain to reach the container server 😃

        • J
          johnpoz LAYER 8 Global Moderator @dridhas
          last edited by Oct 18, 2021, 7:58 PM

          @dridhas said in Port forwarding to Docker server:

          Next step is to be able to enter my subdomain to reach the container server

          You really need to test this from outside your network... If you're trying to hit your WAN IP from something internal, you would need to do split DNS to resolve to the local IP or you would need to set up NAT reflection.

          https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • V
            viragomann @dridhas
            last edited by Oct 18, 2021, 7:59 PM

            @dridhas
            And the source in the port forwarding should be "any".

            • D
              dridhas @johnpoz
              last edited by Oct 18, 2021, 8:19 PM

              @johnpoz I'm testing this outside my home network (cellphone on LTE)

              • J
                johnpoz LAYER 8 Global Moderator @dridhas
                last edited by johnpoz Oct 18, 2021, 8:25 PM Oct 18, 2021, 8:22 PM

                @dridhas as @viragomann mentions - this is wrong

                broke.jpg

                While it doesn't actually have to be "any" it sure cannot be your WAN address. Would your phone coming from your LTE connection be using your WAN address ;) heheh as its IP..

                I have many of my port forwards locked down to certain source IP ranges, my son's IP for example for one. I use pfblocker alias to limit to say US IPs for other, etc. But yeah WAN address as source is never going to work ;)

                • D
                  dridhas @johnpoz
                  last edited by Oct 18, 2021, 8:55 PM

                  @johnpoz I updated the port forwarding rule to this:
                  5c33fe3d-aedc-431d-b526-7bf5cbadb957-image.png
                  and now I'm getting a 502 Bad Gateway,
                  which I would say is an improvement... 😃

                  • V
                    viragomann @dridhas
                    last edited by Oct 18, 2021, 9:14 PM

                    @dridhas
                    The destination has to be "WAN address". This is the IP you are accessing from outside. Only the source cannot be WAN address.

                    • D
                      dridhas @viragomann
                      last edited by Oct 18, 2021, 9:50 PM

                      @viragomann Got that updated and still can't access the server from outside... 😞

                      • V
                        viragomann @dridhas
                        last edited by Oct 18, 2021, 9:57 PM

                        @dridhas
                        And what do you get now?

                        Is there any state or traffic shown at the associated rule in Firewall > Rules > WAN?

                        • D
                          dridhas @viragomann
                          last edited by Oct 18, 2021, 10:01 PM

                          @viragomann This is what I've got:

                          c2f03070-3143-410d-819d-19d3bc6b6ee3-image.png

                          • V
                            viragomann @dridhas
                            last edited by Oct 18, 2021, 10:09 PM

                            @dridhas
                            So it shows some traffic already.

                            Are the gateway settings correct on the destination device?

                            To investigate, take a packet capture (in the Diagnostics menu) on the internal interface facing the destination device. Specify port 4443 for filtering. Start the capture and try an access from outside.

                            If your network settings are correct you should see request and response packets. Post what you get, please.

                            • D
                              dridhas @viragomann
                              last edited by Oct 18, 2021, 10:18 PM

                              @viragomann I don't see any packets being captured, it shows blank
                              48665b11-c12c-4ff5-97f9-6a04fe408b7e-image.png

                              • V
                                viragomann @dridhas
                                last edited by Oct 18, 2021, 10:22 PM

                                @dridhas
                                Dude, your NAT rule is wrong again!
                                The source port has to be "any", as well as the source IP!
                                The destination is "WAN address", destination port "443"!
                                At redirect target port you can enter your internal destination port, which might be 4443.

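The rule settings corrected in this thread can be checked offline against a configuration backup. The following is an added example, not code from the original posts or from pfSense; the XML element names and the sample rules are assumptions modelled on a pfSense `config.xml` NAT section and should be verified against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one rule with the mistakes discussed in the thread,
# one rule set up as advised (any source, WAN address:443 -> target:4443).
# Element names are an assumption about the config.xml layout.
SAMPLE = """<pfsense><nat>
  <rule><descr>broken</descr><interface>wan</interface><protocol>tcp</protocol>
    <source><network>wanip</network><port>443</port></source>
    <destination><network>lan</network><port>4443</port></destination>
    <target>192.168.1.50</target><local-port>4443</local-port></rule>
  <rule><descr>fixed</descr><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <target>192.168.1.50</target><local-port>4443</local-port></rule>
</nat></pfsense>"""


def lint_rule(rule):
    """Return the problems found in one <nat><rule> element."""
    problems = []
    src, dst = rule.find("source"), rule.find("destination")
    if src is not None and src.findtext("network") == "wanip":
        problems.append("source is WAN address; outside clients never have that IP")
    if src is not None and src.findtext("port"):
        problems.append("source port is fixed; clients pick their own source ports")
    if dst is None or dst.findtext("network") != "wanip":
        problems.append("destination is not WAN address")
    if not rule.findtext("local-port"):
        problems.append("no redirect target port set")
    return problems


def lint_config(xml_text):
    """Map each port forward's description to its list of problems."""
    root = ET.fromstring(xml_text)
    return {r.findtext("descr", "(no descr)"): lint_rule(r)
            for r in root.iterfind("./nat/rule")}


if __name__ == "__main__":
    for name, problems in lint_config(SAMPLE).items():
        print(name, "->", problems or "ok")
```

A forward whose destination is a virtual IP rather than the WAN address would also be flagged by the third check, so treat that finding as a prompt to review the rule.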
                                • J
                                  johnpoz LAYER 8 Global Moderator @dridhas
                                  last edited by johnpoz Oct 18, 2021, 10:57 PM Oct 18, 2021, 10:54 PM

                                  @dridhas Here is an example port forward where the external port is different from the port this is sent to on the server, with the associated firewall rule.

                                  Just where mine is locked down to a specific pfblocker alias - yours should be any.

                                  rules.jpg

                                  • D
                                    dridhas @johnpoz
                                    last edited by Oct 18, 2021, 10:57 PM

                                    @johnpoz @viragomann Sooooo... I got frustrated and decided to nuke pfSense and start fresh.
                                    Now, a few minutes later and following the advice provided above, I was able to do the port forwarding successfully. 😃

                                    I can now access my Docker server from outside my network. 🍾

                                    Now it's the turn for the internal access, but first, I need to reconfigure the wifi... 😃

                                    This is how the WAN rules look so far:
                                    50392387-a2d4-4d16-89ec-f9b8da451498-image.png

                                    And as you can see, there is more traffic now flowing through. 😃

                                    • J
                                      johnpoz LAYER 8 Global Moderator @dridhas
                                      last edited by Oct 18, 2021, 10:58 PM

                                      @dridhas said in Port forwarding to Docker server:

                                      Now it's the turn for the internal access

                                      huh? Why would you do that?

                                      • D
                                        dridhas @johnpoz
                                        last edited by Oct 18, 2021, 11:04 PM

                                        @johnpoz I started the pfSense project a couple of days ago when I upgraded the home network, I didn't have many configs to worry about.
                                        Now that I have this set up and running correctly, I can create a backup just in the event I need to nuke it once again... 😃

                                        • D
                                          dridhas @johnpoz
                                          last edited by Oct 19, 2021, 2:54 AM

                                          @johnpoz So, after a hiccup, somehow I forgot to assign a static DHCP address to the server and the access to the Docker server stopped working.
                                          Once the DHCP static IP was set, everything went back to normal.. 😃

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.