05-16-2018 09:55 AM
i've just installed an Edgerouter X (v1.10.3)
DSL modem connected to eth0 (PPPoE) - internet access is fine.
eth1-4 are just plain LAN ports
1 LAN on 192.168.1.x
i have a firewall rules set to open a small set of ports for WAN connection IN - these are working ok.
however when i try to connect to a local device from inside the LAN it fails... ie http://192.168.1.2:8787
i'm assuming i must have the firewall rules set wrong.
can anyone point me in the right direction? i'm new to EdgeOS.
05-16-2018 10:09 AM
Actually, if devices are in the same broadcast domain, these devices can talk amongst each other without that the firewall/router is involved.
If you connect devices to a simple switch, do they communicate fine ?
05-16-2018 10:11 AM
At face value, your issue shouldn't exist if you have a single LAN and are trying to access your device from inside the LAN via the LAN address. That is because the firewall and routing functions are not involved for L2 communications.
you should first check to make sure that 192.168.1.2 has an active service on port 8787 and that it is not blocked by a local (host-level) firewall -- your port forwarding rules only show 80 and 32400. This can be done on that host by trying to connect to localhost:8787.
Otherwise, we'll need to see your full (sanitized where necessary) configuration to help any further. Please copy and paste the output into a spoiler + code tag:
show configuration | cat
05-16-2018 10:19 AM
8787 is not open on the external firewall because nginx takes the traffic on port 80 and then passes it to port 8787 locally.
this is why i know 8787 is working because externally i can access the service.
also, if i jump on to 192.168.1.2 and load http://localhost:8787 it loads fine.
this confirms that the service is running and on that port.
nothing has changes with regards to server config. only change is edgerouter replacing existing router.
here is the config
05-16-2018 10:29 AM
Whas working with the previous router ? Is Not clear, if nginx redirect the tcp 80 to tcp 8787... Did you try by typing your public ip address/fqdn:80 from inside your lan ?
05-16-2018 10:33 AM
i have tried both the FQDN and the local IP address from inside my network - both fail
outside my network FQDN connects fine.
to clarify nginx (which runs on 192.168.1.2 on port 80), blah.com/servicename nginx direct to port 8787 internally via a reverse proxy.
however the nginx part is irrlevant here.
05-16-2018 10:45 AM
Can you try
sudo tcpdump -ni switch0 host 192.168.1.2 and port 80
Then, from another host connected to the switch0 (eg the host 192.168.1.10), type
05-16-2018 10:51 AM
Is only for check if hairpin nat is properly working, we should see packets sourced from 192.168.1.1 and destined to 192.168.1.2, on port 80 (and, usually, even the responses ...)
05-16-2018 10:56 AM - edited 05-16-2018 11:02 AM
ubnt@ubnt:~$ sudo tcpdump -ni switch0 host 192.168.1.2 and port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on switch0, link-type EN10MB (Ethernet), capture size 262144 bytes 18:55:35.749784 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [P.], seq 2387596487:2387597309, ack 11148410, win 253, length 822: HTTP: POST /transmission/rpc HTTP/1.1 18:55:35.752136 IP 192.168.1.2.80 > 192.168.1.1.54263: Flags [P.], seq 1:290, ack 822, win 256, length 289: HTTP: HTTP/1.1 200 OK 18:55:35.794706 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [.], ack 290, win 252, length 0 18:55:56.747513 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [P.], seq 822:1397, ack 290, win 252, length 575: HTTP: GET /22.214.171.124 HTTP/1.1 18:55:56.748223 IP 192.168.1.2.80 > 192.168.1.1.54263: Flags [P.], seq 290:1002, ack 1397, win 254, length 712: HTTP: HTTP/1.1 404 Not Found 18:55:56.790398 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [.], ack 1002, win 256, length 0 18:55:56.957079 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [P.], seq 1397:1941, ack 1002, win 256, length 544: HTTP: GET /favicon.ico HTTP/1.1 18:55:56.957497 IP 192.168.1.2.80 > 192.168.1.1.54263: Flags [P.], seq 1002:1714, ack 1941, win 252, length 712: HTTP: HTTP/1.1 404 Not Found 18:55:56.998682 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [.], ack 1714, win 253, length 0 18:56:05.752000 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [P.], seq 1941:2763, ack 1714, win 253, length 822: HTTP: POST /transmission/rpc HTTP/1.1 18:56:05.755329 IP 192.168.1.2.80 > 192.168.1.1.54263: Flags [P.], seq 1714:2003, ack 2763, win 256, length 289: HTTP: HTTP/1.1 200 OK 18:56:05.797704 IP 192.168.1.1.54263 > 192.168.1.2.80: Flags [.], ack 2003, win 252, length 0
that was just a small section, it was continuing for quite some time.
should add, that my unifi controller that runs on 192.168.1.2 also cannot be connected to by any local device other than the host.
so clearly something is very wrong with internal LAN connections.
05-16-2018 11:38 AM
Your config file looks fine. I suspect this is an issue with your nginx configuration.
@redfive had suggested connecting your devices to a simple switch (unmanaged, not a router). Try that -- if you still cannot connect, your problem is certainly not related to your Edgerouter.
05-16-2018 11:43 AM
basically it's been working for months, disconnected the old router, connected the new one, configured it then re-connected the server.
end result, not working.
i don't have a simple switch to test, but the only change in the config is the edgerouter replacing a fritzbox.
i'll try rebooting everything and see what happens.
05-16-2018 02:05 PM
ok an update
local devices are now accessible using their IP address and port.
however when i try to connect to my server using the FQDN it fails when on the LAN
when off my network
http://blah.com/service does work correctly.
so nginx is working when i'm not on my LAN.
previously on old router it worked on both LAN and WAN.
05-16-2018 02:15 PM
Odd enough, is possible that nginx does the redirect only for connections coming from remote networks (and not its own network) ?
05-16-2018 02:34 PM - edited 05-16-2018 02:39 PM
what about when you type:
Does that work as expected? (or better yet, please describe the result.)
05-18-2018 02:29 PM - edited 05-18-2018 02:30 PM
ok, some update, sorry for the delay.
internal LAN is now ok
eg 192.168.1.2:7878 works fine.
192.168.1.2/service works fine.
however, it appears that even though i've opened ports on the firewall for incoming external traffic they are not open.
i've checked the ports using one of those website that checks and they have all come back as closed.