Browser Cannot Access HamClock

newUser2pfSense

Hello. If you're an amateur radio enthusiast, you may know about HamClock. I installed HamClock on my Linux Mint Debian Edition and it works without issue; it's pretty cool. I attempted to access HamClock from my Firefox browser using the correct URL of:
http://192.168.1.120:8081/live.html

Needless to say, I can't open HamClock from my browser. This is likely a firewall issue. I added the firewall rule in the attached screenshot. Anyone ever try to open HamClock from a browser? If you were able to, what did you do in pfSense to allow access? What firewall rule did you use? Thanks.

HamClock Firewall Rule.png
The HamClock_Port is set to 8081

johnpoz

@newUser2pfSense as you can see that rule has never been evaluated see the 0/0 there on the left. Is the device your trying to access it from also on this 192.168.1 network? if so then that traffic would never even go to pfsense.

If your on another local network connected to pfsense, then yes your rules need to allow it, but there can't be any rules above it that would block it or force traffic out say your gateway via a policy route.

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. Rules in floating would be evaluated before rules on an interface.

But again if the client with the browser is trying to access 192.168.1.120:8081 is on the same network pfsense would not be involved in anyway.

newUser2pfSense

@johnpoz Thanks for the reply. I didn't think pfSense would be involved seeing the 192.168.1.120 computer is the computer HamClock is installed on. I'm actually sitting at the .120 computer trying to access HamClock using a browser with the URL I provided. I just thought I would ask considering a HamClock point of contact basically stated that I couldn't access HamClock using a browser because I have a network problem.

johnpoz

@newUser2pfSense your on the .120 box itself? did you try just loopback 127.0.0.1:8081 - its possible the service is only listening on loopback.

If your actually on the .120 box and you can not talk to itself, its not a "network" problem - its a software/box problem.

Look to make sure the service is listening on that port and what IPs its listening on.. do a sockstat or netstat to see..

example - I run unifi controller that listens on 8443.. you can see its listening on all IPs of that box

root@UC:/home/user# netstat -anl | grep LISTEN
tcp        0      0 127.0.0.1:27117         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8880            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8843            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:6789            0.0.0.0:*               LISTEN

See the tcp 0.0.0.0:8443 there..

Gertjan

@newUser2pfSense said in Browser Cannot Access HamClock:

I couldn't access HamClock using a browser because I have a network problem.

You could even remove the network cable from the .120 device - and this will create a network problem ^^ and you would still be able to visit the Hamclock at port 8081.
You couldn't use 192.168.1.120, as the interface is down, but that's why 127.0.0.1 or localhost exists.

And yes :

traffic emitted from "192.168.1.120", your browser using 'some port like xxxxx), conenction to 192.168.1.120 port 8081 will never even leave the interface - going over the wire - and reach pfSense, so that's why you "0/0 B" = this rule never saw any traffic matching it.
After all, pfSEnse doesn't receive traffic on its LAN interface (192.168.1.0/24) which is send to the same 192.168.1.x/24, which is a device on the same network. These devices talk directly to each other, and don't need pfSense to 'route' as there is nothing to route.

The real issue is this :
You have a process running on your PC that "listens" on port 8081.
Check the settings of your hamclock : it listens on what interface ?
127.0.0.1 or local host ?
The hardware interface IP = 192.168.1.120 ?
Or both ?

Believe it or not, you have to crate a firewall rule, but not on pfSense, but your your 19.168.1.120 device. Maybe even for the 127.0.0.1.
If this device is a Windows PC, this is your chance to discover the firewall GUI of Microsoft

If the HamClock was written as it should, you should have seen, when running for the first time, a message box popping up that would have ask you if you allow the hamclock process to listen on "the interface". Saying No at that moment : you can't connect to it ...
if not, visit the firewall and add (or modify) a rule that allows, at least, incoming TCP traffic on 1270.0.0.1 to port 8081, and you'll be fine.

newUser2pfSense

@Gertjan I have HamClock installed on my Linux Mint Debian Edition distro. I tried http://127.0.0.1:8081/live.html with no luck as well. When I ran the netstat command, I do have a LISTEN on 127.0.0.1 as seen in the below screenshot -

I'm not using my Linux OS firewall at all. I'll look for a HamClock configuration file. If I can't find a configuration file, I'll set the Linux OS firewall to allow incoming TCP traffic on 127.0.0.1 to port 8081 and see if that works.

johnpoz

@newUser2pfSense that sure isn't hamclock, or if it is it isn't listening on port 8081, its listening on 631.. Which is printing port.. IPP

When you ran your netstat - do you see anything listening on 8081, if not then no your not going to be able to talk to something that is not listening

newUser2pfSense

So I added a Linux OS firewall rule:

When I use: http://127.0.0.1:8081/live.html , I still get:

When I run netstat as above, I still get the same result as above. Nothing listening on 8081.

newUser2pfSense

As a test, I created a pfSense LAN rule for Any Any just under the Anti-Lockout Rule and it didn't work as well:
any any.png

johnpoz

@newUser2pfSense said in Browser Cannot Access HamClock:

above, I still get the same result as above. Nothing listening on 8081.

Well yeah because its not running.. What firewall rule you have or not have has zero to do with a service actually running an listening on a port.. I would suggest you go to your hamclock support area because if your netstat output doesn't show something listening on the port your trying to connect to - then its not running.

newUser2pfSense

When I run the following command:
ps ax | grep hamclock

I get the following result:

Not sure what this result is referencing.

johnpoz

@newUser2pfSense its referencing your query..

user@UC:~$ ps ax | grep hamclock
   3101 pts/0    S+     0:00 grep --color=auto hamclock
user@UC:~$

I don't have hamclock installed and see the same output..

If something was running you would see say for example here is sshd running

user@UC:~$ ps ax | grep sshd
    488 ?        Ss     0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
    761 ?        Ss     0:00 sshd: user [priv]
    791 ?        S      0:00 sshd: user@pts/0
   3120 pts/0    S+     0:00 grep --color=auto sshd
user@UC:~$ netstat -anl | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0     52 192.168.2.13:22         192.168.9.100:25684     ESTABLISHED
user@UC:~$

If your netstat output doesn't show something listening on that port 8081 then your never going to be able to connect to what you think is suppose to be running on that port, because nothing is.

newUser2pfSense

All is good now with HamClock. I was able to find in the instructions how to launch it in a browser. Works like a charm. Thanks for all the help.