
tofubl

@tofubl@discuss.tchncs.de


tofubl OP , (edited) to Selfhosted in [SOLVED] Firewall noob vs. port forward

I wrote it in reply to another comment, but the traffic reaches the service on 10.0.0.22:8888. The problem seems to be with the return path, i.e. Hairpin NAT, but I don't know what it is.

edit: scratch that, it's not hairpinning.

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

I appreciate you taking a look. It does indeed have standard rules to drop private networks (192.168, 10.0 and so on), but I have them disabled.

The forward specifies range 8888-8888 and translates it to 8888.

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

Do you mean these options under Interfaces > WAN? I have them disabled after they did show up as a block in the log.


tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

Further digging: The request reaches the docker container, which returns 200 OK.

my-apache-app | 2024-02-09T12:53:22.925676854Z 192.168.0.123 - - [09/Feb/2024:12:53:22 +0000] "GET / HTTP/1.1" 200 161

What is going on here? Do I need some rules in the other direction, on top of "Automatic outbound NAT rule generation"?

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

And here's what this request looks like in the firewall log:

https://discuss.tchncs.de/pictrs/image/f4943f9c-408d-42bc-a374-0fa083feff61.png

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

Can you please elaborate? Who's restricting 192.168.0.x? It's not actually WAN, right? It's just a local network I connected the firewall to.

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

Like this?

~$ curl 192.168.0.136:8888
curl: (56) Recv failure: Connection reset by peer

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

Here's some more: From behind the firewall (i.e. from a 10.0.0.x IP) the port forward works (which would be a reflection, I suppose?).

From in front of the firewall, I get "connection reset", which I interpret as somewhat working but then breaking somewhere else. Does that make sense?


tofubl , to Technology in Apple Vision Pro Owners Are Struggling to Figure Out What They Just Bought

i times i is -1, though. Imagine that!

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward


The docker01 alias is a host alias with 10.0.0.22 and there's an apache test container running on port 8888.

I have created a pass any in rule on WAN (just until I figure out what's wrong)

In firewall > settings > advanced, I have set "reflection for port forwards" and "automatic outbound NAT for reflection", although I'm not sure if that is needed.

Is there any other info I can provide?

tofubl OP , to Selfhosted in [SOLVED] Firewall noob vs. port forward

I am trying to learn in a safe environment without breaking my existing network. It's not actually a WAN, except from the firewall's point of view.
