bluetrain

joined 1 year ago

I finally decided to upgrade my OPNsense box after a couple of years of deferring and, in the heat of the moment, forgot to double-check that I had configuration backups. After the upgrade to OPNsense 24.1.8-amd64 (FreeBSD 13.2-RELEASE-p11), there were some issues with LAN clients accessing the WAN that I solved by resetting to default settings. (I have not modified much, so it's somewhat trivial to add back aliases and rules.)

Now, however, I am facing a problem where port-forwarded services do not work. I am running Nginx Proxy Manager to handle the various web services on my LAN, and the setup has served me well for years. I have made no changes to Nginx PM, to my port forwarding rules (see below), or to the individual services and their boxes. Put simply, everything was working 100% without issue until I foolishly upgraded.

[Screenshot: Firewall: NAT: Port Forward]

I suspect the issue is a double-NAT issue with my godawful BGW320-505 gateway. I have had this configured in IP passthrough mode without issue for years. But, after the OPNsense upgrade (and defaults), I did notice that my interfaces display what looks to be an upstream-gateway-assigned IP address. Previously, my upstream WAN gateway was the IP address of the BGW320-505 box.

[Screenshot: IP passthrough mode]

[Screenshot: System: Gateways: Configuration]

[Screenshot: Interfaces]

Despite all of the above, there seems to be some weird DNS issue/NAT issue. The strongest example I've uncovered of this is accessing my WAN IP directly from my LAN. While this should show me my HTTP-facing webserver, the request times out for a while, then eventually resolves to a 404 page, but (and this is the bizarre part) not before appending :440 (my web GUI port for OPNsense) to the WAN IP in the address bar. (Note that this does not occur when accessing my direct IP address from outside the network.) I'm hoping that is the key to solving this, but after more than 15 hours spent researching this and trying various solutions available on forums/reddit/etc., I have not found anything that works.

Please help!
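The ":440 appended to the WAN IP" symptom described in the post above is what you would see if a LAN client's request to the WAN address terminated on the firewall's own HTTP listener (OPNsense answers plain HTTP on its own address with a redirect to its HTTPS GUI port) instead of being passed through the port forward, which for LAN-originated traffic is the job of NAT reflection. That is a hypothesis, not something the thread confirms. The following script is an added diagnostic, not code from the post or from OPNsense: it sends one request to the WAN IP and one to the LAN address of the proxy host, both without following redirects, and classifies each answer so the two paths can be compared side by side. The WAN IP, LAN proxy address and service port are placeholders (documentation-range and private addresses); only the GUI port 440 comes from the post.

```shell
#!/bin/sh
# Hairpin-NAT probe: compare a plain-HTTP request to the WAN IP against the
# same request sent to the LAN address of the reverse proxy.
# Added example with assumed values; override via environment variables.

WAN_IP="${WAN_IP:-203.0.113.10}"          # assumed: public IP on the OPNsense WAN interface
LAN_WEB_IP="${LAN_WEB_IP:-192.168.1.50}"  # assumed: LAN address of the Nginx Proxy Manager host
SERVICE_PORT="${SERVICE_PORT:-80}"        # assumed: the forwarded HTTP port
GUI_PORT="${GUI_PORT:-440}"               # OPNsense web GUI port named in the post

# classify_response WAN_IP GUI_PORT HTTP_CODE REDIRECT_URL
# Interpret one curl result (redirects not followed) and print a verdict:
#   firewall-gui  the answer redirects to WAN_IP:GUI_PORT, i.e. the request
#                 reached OPNsense's own web server, not the forwarded service
#   timeout       curl got no HTTP answer at all (code 000)
#   not-found     an HTTP 404 came back from something, likely the proxy
#   service       a 2xx/3xx that does not point at the firewall GUI
classify_response() {
    wan="$1"; gui="$2"; code="$3"; redir="${4:-}"
    case "$redir" in
        *"://$wan:$gui/"*|*"://$wan:$gui")
            echo "firewall-gui" ;;
        *)
            if [ "$code" = "000" ]; then
                echo "timeout"
            elif [ "$code" = "404" ]; then
                echo "not-found"
            elif [ "$code" -ge 200 ] 2>/dev/null && [ "$code" -lt 400 ]; then
                echo "service"
            else
                echo "other:$code"
            fi ;;
    esac
}

# probe HOST PORT -> prints "<http_code> <redirect_url>" for one request,
# without following the redirect so the Location target stays visible.
probe() {
    curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}\n' "http://$1:$2/"
}

# compare_paths: run both probes and print the verdict for each path.
# Expected when reflection works: both lines say "service" (or "not-found"
# if the proxy has no default site). "firewall-gui" on the WAN line only
# means LAN traffic to the WAN IP is landing on OPNsense itself.
compare_paths() {
    wan_result=$(probe "$WAN_IP" "$SERVICE_PORT")
    lan_result=$(probe "$LAN_WEB_IP" "$SERVICE_PORT")
    # shellcheck disable=SC2086  # intentional split into "code url"
    echo "via WAN IP ($WAN_IP:$SERVICE_PORT): $(classify_response "$WAN_IP" "$GUI_PORT" $wan_result)"
    echo "via LAN IP ($LAN_WEB_IP:$SERVICE_PORT): $(classify_response "$WAN_IP" "$GUI_PORT" $lan_result)"
}

# Only touch the network when explicitly asked, so the file can be sourced
# or run for its functions without sending any requests.
if [ "${1:-}" = "--run" ]; then
    compare_paths
fi
```

Run it from a LAN client as `WAN_IP=<your WAN IP> LAN_WEB_IP=<proxy host> sh probe.sh --run`, then once more from outside the network (for example a phone on cellular, as the poster did). If the outside run says "service" while the LAN run says "firewall-gui", the port forward itself is fine and the missing piece is reflection for LAN sources; if both say "timeout", look at the forward rule or the upstream gateway instead.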

[–] [email protected] 1 points 4 months ago

Gave it a shot (1472) but no luck.

[–] [email protected] 1 points 4 months ago

Any suggestions on what to try?

[–] [email protected] 1 points 4 months ago

Good question.

LAN device(s) pointed at the WAN IP. LAN devices pointed at LAN IPs resolve fine and display webserver content. Cellphone (no WiFi) pointed at the WAN IP does not exhibit the appended OPNsense web UI port behavior.

[–] [email protected] 1 points 4 months ago

I'm not sure what you're suggesting, but I am confident that IP Passthrough was set to DHCP Fixed on the BGW320-505 with the MAC of the OPNsense NIC before and after the OPNsense upgrade, if that helps.

[–] [email protected] 1 points 4 months ago

So I've tried spinning up new TurnKey containers for nginx to eliminate this as a potential issue. Everything can be accessed internally, but new or old config alike, it's the same inaccessible-from-WAN issue.

[–] [email protected] 1 points 11 months ago (2 children)

TP-Link Deco M5 x2. I have not mapped signal strength across rooms (mostly because their locations are hard-stuck because of wiring limitations). Usually fewer than 20 clients (e.g., phones, tablets, a PC or two, IoT devices). Only 2 other networks sharing my channel (lowest available channel usage). 2.4 & 5 GHz. Walls are standard drywall with wood studs.

[–] [email protected] 1 points 11 months ago (4 children)

With 2 APs now, I'm usually seeing less than 80Mbps and range is poor (e.g., not even getting 5Mbps just two rooms away).

[–] [email protected] 1 points 11 months ago

Usually seeing less than 80Mbps and range is poor (e.g., not even getting 5Mbps just two rooms away).

[–] [email protected] 1 points 1 year ago (1 children)

So I've been patient (22 days have elapsed), but most of my communities still say this. I'm thinking it's more than just a delayed sync issue at this point... Any suggestions?
