Trouble actually hitting the correct applet from external connection
-
Hey guys. Having a heck of a time figuring out how to hit the actual applet im targeting when trying to connect from my domain to an applet hosted on TrueNAS core. Im guessing it's a firewall issue as I can hit the TrueNAS login screen, but no the applet unless I specify the port.
Im using HAProxy to convert my incoming request and send it where its supposed to go.
So, for example, im running an ombi applet on TrueNAS at 192.168.2.2 on port 3579. HAProxy is set up to send traffic coming in from ombi.mywebsite.com (assuming its coming in on port 80 or 443). Problem is, when it hits my network, it is directing to the login page for TrueNAS (im assuming its keeping the 80 or 443 port and not directing it to port 3579... and i can not figure out why.)
Any help is appreciated, firewall rules can be viewed here:
https://pastebin.com/X6eU5HPS(I can also upload screenshots if its easier to view them that way, just let me know)
And thanks in advance for any/all help
-
@menethoran said in Trouble actually hitting the correct applet from external connection:
(im assuming its keeping the 80 or 443 port and not directing it to port 3579... and i can not figure out why.)
Because your not sending it there? I run overseerr vis ombi now, what does your backend look like? Are you not using address+port?
The ssl offload is setup on the frontend.
And yes screenshots are easier and faster to read.
-
@johnpoz nope, it looks fairly similar to yours (minus mine has ssl certs attached to it that its not using)
(getting a server error uploading pics)
-
This post is deleted! -
@menethoran I should also point out that, if i attach the trailing port to the web address (3579) it connects to where its supposed to just fine.
-
@menethoran what are you firewall rules? Are you allowing 80/443 to hit your haproxy frontend?
Sorry not going to go reading through all that text, just post a screenshot
BTW - you might want to edit your image you posted, its got your fqdn in there - so yeah I know it works if you put in the port ;) I just hit it..
You sure 80/443 are even allowed to you - possible ISP blocks? Do a simple test at can you see me .org while you sniff on your wan - do you see the traffic to those ports?
-
@johnpoz thanks for pointing out the FQDN being (doing this with a 2 year old being a 2 year old and a screaming 7 month old next to me :) )
and no worries about reading it all, ill post my firewall in just a minute (need to take screen shots).
And, how do i make sure im allowing 80 and 443 to hit my HAProxy?
as for ISP blocks, im on Commiecast, i dont think they block any ports but, i do not see any traffic on those ports (to be fair, i dont see much traffic on any ports... but, im REALLY REALLY new at this so, i may not be looking at the right place)
-
-
@menethoran lot of rules that don't make a lot of sense.
WAN net as a source isn't going to work, that isn't the internet - that is just your wan net.. Do you have lots of clients on your wan net? is 192.168.2.2 coming in from your wan? But then you also have it listed as destination?
Looks like a mess to be honest, bunch of useless rules..
So your allowing 443 to 192.168.2.2, where is the rule on your wan that lets the internet hit your frontend port of haproxy? Which would be 443 or 80 and 443, etc.
And your iot rules - how is wan net a source? I think you have a basic lack of understanding how rules are evaluated.
Rules are evaluated as traffic enters an interface from the network that interface is attached to.. How would an IP from whatever your wan net is be source of traffic from your iot network into the iot interface?
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
Wan net is NOT internet, its just the network your wan is attached too.. so like 1.2.3.0/24 or whatever your IP is on your wan and the mask...
-
@johnpoz a bunch of useless rules sounds accurate :)
Again, VERY new at this... im trying to get it to work, will worry about housekeeping if it becomes a problem or when i get the things i need working to work (a lot of the rules were/are attempts to get something to work... and then left there til i can figure out if they are needed or not.)Ill get there :)
so, source should be what? if its coming from the internet and i need it to go to the LAN (and no, nothing is really hosted on WAN. PfSense is new to me, so im trying to unlearn old habits from setting up much less technical routing situations)
-
@menethoran I also do know (now) that rules are evaluated top down (i actually thought, for a while, it was opposite of that).
And i have the understanding of coming from something like DD-WRT, functionally similar with a lot of the technical portions stripped out... and now im learning this. And i recognize that i have a LONG way to go)
gotta fail to learn... gotta learn to do it.
-
@menethoran What I would do - and happy to help is git rid of all those rules.. Start with a clean slate..
So you need rules to your plex (I have the same) and you need rules to allow access to your ombi.. Do you have any other services you need to allow from wan? If not those are the only 2 rules you should have. Plex rule would be auto added when you create your nat.
Use of HAproxy is different.. It normally would be listening on your wan interface, on the port you want it to proxy.. So 80 and 443.. So create rules that allow that.. Then those are the only 2 rules you would have on your wan.
All of those rules on iot don't make any sense either.. Just leave the any any rule at the end, and we can setup whatever rules you want.. Again happy to help. Just say what you want to do wand we can go over how you would do that. But all those rules on your iot to wan net make no sense at all.
-
@johnpoz ive got more services than ombi and plex. but im not too much worried about those right now, if i can stumble through those, i can probably figure out the rest on my own.
As for the firewall rules/NAT, i created the firewall rules before creating the NAT (took forever to figure out that i needed the NAT 1:1 to get plex working correctly outside of the network...
-
@menethoran said in Trouble actually hitting the correct applet from external connection:
i needed the NAT 1:1 to get plex working correctly outside of the network...
You do not need any such thing.. A simple normal port forward to 32400 is all that is needed.
When you create a port forward, by default it would auto create the firewall rule for you - unless you told it not too. You just need to make sure the placement of the rule is correct on the wan if you have any rules on the wan that would block it, etc.
-
@johnpoz i tried the simple port forward. I think its because i have plex as an applet (KVM) on TrueNAS Scale (Im used to TrueNAS core, but moved away from that when i moved with the PfSense over Unifi (VERY glad i did) but still need to learn a lot.)
And, i may not have needed the NAT rule, but whatever it did (i assume the firewall creation rule the way it made it) worked to gain access outside the network for Plex (before that, it would work for about 3 minutes then disable the outside connection (it was never long enough for me to actually test).
Anyway, i "commented out" (not sure the PfSense term for disabling a firewall rule) anything not needed (anything with a 0 next to traffic)
-
Still no joy (feel free to check on your end as you know the domain to go to (cloud.domain.com is also setup and doesnt work, just leads to the login page for TrueNAS )
-
@menethoran where is your frontend setup? for haproxy, and did you remove pfsense from listening on 80 and 443?
You have to setup the front end to match up to your backend that sends to port..
I hit your fqdn now on 80 I just hit truenas.
btw your rules should be wan address for destination.
If I hit your ombi fqdn on https: It tries to send me to 192.168.2.2:9001 So your ha proxy is clearly not setup correctly. But that looks more like a redirection vs proxy... Lets see your port forward setup..
-
@johnpoz i think thats because i have all https requests going to nextcloud (on 9001)...
-
@menethoran and again useless rules. How would the source port be 443? that would never be the case.
And how would the dest be 192.168.2.2 and natted to 192.168.2.2 to 3579, remove that rule as well.
Lets see your frontend of haproxy setup.
-
@johnpoz when you ask "did you remove pfsense from listening on port 80 and 443" do you mean, did i change the port used to access the pfsense gui? if so, yes. (is that problematic?)
