Trouble forwarding port 443

Been trying to create an SSL cert via nginx-proxy-manager, and it fails to create the SSL cert when challenging my domain. Checking ports, I see I have forwarded port 80 properly, but for whatever reason any port checker still tells me 443 is closed.

/etc/config/firewall here:

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.5.241'
	option dest_port '443'
	option name 'HTTPS'
	option proto 'tcp'

Output of uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@defaults[0].mtu_fix='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='PiVPN'
firewall.@redirect[0].src_dport='1194'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].dest_port='1194'
firewall.@redirect[0].dest_ip='192.168.5.110'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.5.241'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].name='HTTP'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].dest_ip='192.168.5.241'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[2].name='HTTPS'
firewall.@redirect[2].proto='tcp'

Any suggestions?

Your config looks fine. Check if port 443 is open and responding on 192.168.5.241.

From the server itself (192.168.5.241), check if the server is listening on port 443. I'm assuming you're using some Linux distro; try:

ss -tulpn | grep 443

If the server is indeed listening, check if the firewall isn't blocking that port by checking if the port is open from a different device in the same LAN network. Again in Linux:

nc -zvw3 192.168.5.241 443

Thanks for the direction. Here's the output of ss -tulpn:

ss -tulpn | grep 443
tcp   LISTEN 0      4096                                   *:443              *:*                                                                                users:(("docker-proxy",pid=1921,fd=4))   

I'm assuming LISTEN 0 means it's not listening? Which would make sense if port checkers are telling me it's closed?

If you have run these tests on the machine with 192.168.5.241 itself, it means that the server is listening on port 443. So that works. The numbers in the third and fourth column just show the send and receive queue and are not relevant here.

Now check if that port is reachable from another machine in your LAN network (perhaps the firewall on your server is blocking that port).

Edit: By any chance you're running your OpenWRT router behind your ISP router? That only works if your ISP device acts as a modem only. If it has router functionality, you should do double port forwards or put your OpenWRT router in the DMZ on your ISP router. I guess not because port 80 is open, but just to be sure.
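To make the point about the ss columns concrete, here is a small added example (not from the thread) that parses `ss -tulpn` style lines and reports whether a TCP port is in LISTEN state, on which address, and which process owns it. The sample output is constructed; the only real-looking line is modelled on the one posted above. A docker-proxy owner is called out, because that means the port is published by Docker and the real destination is decided by the container port mapping, not by the host.

```python
import re

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0      4096               *:443              *:*     users:(("docker-proxy",pid=1921,fd=4))
tcp   LISTEN 0      128          127.0.0.1:3306         0.0.0.0:*     users:(("mariadbd",pid=880,fd=21))
"""

# Netid, State, Recv-Q, Send-Q, Local, Peer, then an optional users:((...)) column.
LINE_RE = re.compile(
    r'^(?P<netid>\S+)\s+(?P<state>\S+)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+'
    r'(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+).*)?$'
)


def parse_ss(text):
    """Return one dict per socket line; the header (Recv-Q is not a number) is skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")  # handles "*:443" and "[::]:443"
        sockets.append({
            "proto": m.group("netid"),
            "state": m.group("state"),   # LISTEN is what matters; Recv-Q/Send-Q are queue sizes
            "addr": addr,
            "port": int(port),
            "process": m.group("proc"),  # None when ss was run without -p or without privileges
        })
    return sockets


def listener_for(sockets, port, proto="tcp"):
    """The socket actually listening on proto/port, or None."""
    for s in sockets:
        if s["proto"] == proto and s["port"] == port and s["state"] == "LISTEN":
            return s
    return None


def explain(sockets, port):
    """Human-readable verdict for a TCP port, the way you'd read the ss line by hand."""
    s = listener_for(sockets, port)
    if s is None:
        return f"nothing is listening on tcp/{port} on this host"
    wildcard = s["addr"] in ("*", "0.0.0.0", "[::]")
    scope = "all interfaces" if wildcard else f"only {s['addr']}"
    owner = s["process"] or "unknown process"
    note = ""
    if owner == "docker-proxy":
        note = (" (docker-proxy: the port is published by Docker, so traffic ends up "
                "wherever the container port mapping sends it)")
    return f"tcp/{port} is LISTEN on {scope}, owned by {owner}{note}"


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS)
    for p in (443, 3306, 80):
        print(explain(socks, p))
```

Run it against real output with `ss -tulpn > ss.txt` and `parse_ss(open("ss.txt").read())`; a port that is LISTEN on 127.0.0.1 only will never answer a probe from another LAN host, which is a different failure from "nothing listening".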

I just have the one router running OpenWrt. I tried running that same command on my desktop and it produces no output.

The NC command on a Linux desktop, right? However, behavior might differ between distros. If NC is not working, there's always good old telnet (also works in Windows if that feature is enabled) and nmap. NC should yield this output:

$ nc -zvw4 192.168.222.10 443
nc: connect to 192.168.222.10 port 443 [tcp/https] succeeded!
$ nc -zvw4 192.168.222.10 4443
nc: connect to 192.168.222.10 port 4443 (tcp) timed out: Operation now in progress

No, sorry, I used the previous command. The output now is:

nc: connect to 192.168.5.241 port 443 (tcp) failed: Connection refused

What is the server (192.168.5.241) operating system? Because it looks like the firewall is blocking that port.


The server is running openmediavault (Debian).

Hmm, no experience with OMV here, but since it's Debian I just assume it's iptables powered. On your server (241) run:

sudo iptables -S

Thanks for the help. Here is the output:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-94c997f395fb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-94c997f395fb -j DOCKER
-A FORWARD -i br-94c997f395fb ! -o br-94c997f395fb -j ACCEPT
-A FORWARD -i br-94c997f395fb -o br-94c997f395fb -j ACCEPT
-A FORWARD -o br-7694e77e0afa -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7694e77e0afa -j DOCKER
-A FORWARD -i br-7694e77e0afa ! -o br-7694e77e0afa -j ACCEPT
-A FORWARD -i br-7694e77e0afa -o br-7694e77e0afa -j ACCEPT
-A FORWARD -o br-614cfaa2b425 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-614cfaa2b425 -j DOCKER
-A FORWARD -i br-614cfaa2b425 ! -o br-614cfaa2b425 -j ACCEPT
-A FORWARD -i br-614cfaa2b425 -o br-614cfaa2b425 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -o br-e3e5388bcfa8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e3e5388bcfa8 -j DOCKER
-A FORWARD -i br-e3e5388bcfa8 ! -o br-e3e5388bcfa8 -j ACCEPT
-A FORWARD -i br-e3e5388bcfa8 -o br-e3e5388bcfa8 -j ACCEPT
-A FORWARD -o br-b468dbcc584e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b468dbcc584e -j DOCKER
-A FORWARD -i br-b468dbcc584e ! -o br-b468dbcc584e -j ACCEPT
-A FORWARD -i br-b468dbcc584e -o br-b468dbcc584e -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-94c997f395fb -o br-94c997f395fb -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-614cfaa2b425 -o br-614cfaa2b425 -p tcp -m tcp --dport 51413 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-614cfaa2b425 -o br-614cfaa2b425 -p udp -m udp --dport 51413 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-614cfaa2b425 -o br-614cfaa2b425 -p tcp -m tcp --dport 9091 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-e3e5388bcfa8 -o br-e3e5388bcfa8 -p tcp -m tcp --dport 8096 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.22.0.3/32 ! -i br-7694e77e0afa -o br-7694e77e0afa -p tcp -m tcp --dport 440 -j ACCEPT
-A DOCKER -d 172.22.0.3/32 ! -i br-7694e77e0afa -o br-7694e77e0afa -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.22.0.3/32 ! -i br-7694e77e0afa -o br-7694e77e0afa -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.26.0.2/32 ! -i br-b468dbcc584e -o br-b468dbcc584e -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-94c997f395fb ! -o br-94c997f395fb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7694e77e0afa ! -o br-7694e77e0afa -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-614cfaa2b425 ! -o br-614cfaa2b425 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e3e5388bcfa8 ! -o br-e3e5388bcfa8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b468dbcc584e ! -o br-b468dbcc584e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-94c997f395fb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7694e77e0afa -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-614cfaa2b425 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e3e5388bcfa8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b468dbcc584e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

This part tells me you're running Docker and port 443 is not mapped in your container, while port 80 is. So the port forward in OpenWRT probably works, and your server is listening on 443, but it goes nowhere.

You're one or two commands away from fixing your problem. Your goal is to open port 443 on your server. How to do this totally depends on your configuration. nginx-proxy-manager also runs in a Docker container, right?

Unfortunately, it's 2 AM here, so it's really bedtime for me. If I get a response before I hop into bed I might respond with the command which is your solution.


Hey, get some sleep! I appreciate the help though. nginx-proxy-manager does also run in Docker, and as per the docker compose file I used, these are the ports used: 443:440 80:80 82:81

You wrote that file yourself? So the docker compose file has two components regarding ports, the expose section and the ports section. Expose only exposes ports to the container network but not the host itself. The relevant section is ports, which is exposed to the host. The syntax is host:container, so port 443 is mapped to port 440 of your container running nginx-proxy-manager.

I'm not familiar with nginx-proxy-manager, but this is an example compose file given by the nginx-proxy-manager website:

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
  db:
    image: 'jc21/mariadb-aria:10.4'
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - ./data/mysql:/var/lib/mysql

So the ports are just mapped one-to-one (443:443, 80:80, 81:81). You need to fix that, because your compose file indicates that 1) you've changed the listening port to 440 instead of the default 443 in the Docker container, and 2) you want to reach the admin interface on port 82 instead of the default 81 from the outside. Is this correct? If you didn't do this, change them to the default settings.

Edit: realized I said some gibberish things in my previous post, misinterpreting the iptables output; my bad, it's late, hehe. The point still remains the same.
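Added example (not from the thread or from the nginx-proxy-manager project) that shows the host:container rule from the post above as code: it parses compose short-syntax `ports:` entries, checks each container port against the set of ports the image actually listens on, and traces a router DNAT dest_port through the mapping to the container. The port lists and the listening set are constructed from what the thread quotes (the guide's 443:440 / 80:80 / 82:81 and the upstream 80 / 81 / 443); port ranges such as `8000-8010:8000` are not handled.

```python
# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
BROKEN_PORTS = ["443:440", "80:80", "82:81"]   # constructed: what the guide had
FIXED_PORTS = ["80:80", "81:81", "443:443"]    # constructed: the upstream defaults

# Ports the nginx-proxy-manager container listens on, per the upstream example
# quoted in the thread (80 http, 81 admin UI, 443 https). Assumed, not probed.
CONTAINER_LISTENS = {80, 81, 443}


def parse_port_mapping(spec):
    """Split one ports: entry into host_ip, host_port, container_port, proto."""
    spec = str(spec)               # YAML may hand back an int for a bare "443"
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):       # IPv6 host address: [::1]:8443:443
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 1:            # "443" publishes host 443 -> container 443
        host_port = container_port = parts[0]
    elif len(parts) == 2:          # "443:440" is HOST:CONTAINER, never the reverse
        host_port, container_port = parts
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unrecognised port mapping {spec!r}")
    return {"host_ip": host_ip, "host_port": int(host_port),
            "container_port": int(container_port), "proto": proto}


def audit_mappings(specs, container_listens):
    """Flag mappings whose container side is a dead end, or a non-default remap."""
    findings = []
    for spec in specs:
        m = parse_port_mapping(spec)
        if m["container_port"] not in container_listens:
            findings.append(
                f"{spec}: host {m['host_port']} -> container {m['container_port']}, "
                f"but nothing in the container listens on {m['container_port']} "
                f"(dead end; probes of host port {m['host_port']} are refused)")
        elif m["host_port"] != m["container_port"]:
            findings.append(
                f"{spec}: host {m['host_port']} -> container {m['container_port']} "
                f"(intentional remap?)")
    return findings


def trace_path(router_dest_port, specs, container_listens):
    """Follow the router's DNAT dest_port through Docker's publish to the container."""
    hops = [f"router DNAT -> host:{router_dest_port}"]
    for spec in specs:
        m = parse_port_mapping(spec)
        if m["host_port"] == router_dest_port and m["proto"] == "tcp":
            hops.append(f"docker publish {spec} -> container:{m['container_port']}")
            if m["container_port"] in container_listens:
                hops.append("service listening: OK")
            else:
                hops.append("no listener in container: connection refused")
            return hops
    hops.append("no docker mapping for this host port: nothing answers")
    return hops


if __name__ == "__main__":
    for label, ports in (("guide", BROKEN_PORTS), ("upstream", FIXED_PORTS)):
        print(label, audit_mappings(ports, CONTAINER_LISTENS) or "clean")
        print("  ", " / ".join(trace_path(443, ports, CONTAINER_LISTENS)))
```

The useful habit here is to check the container side of every mapping against what the image documents as its listening ports before touching the router: a DNAT rule on OpenWrt can be perfect and the host can show LISTEN on 443, yet the connection still lands on a port inside the container where nothing answers.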

I followed directions from here: https://dbtechreviews.com/2020/06/install-nginx-proxy-manager-on-a-raspberry-pi-4/

That's weird. Since it's using the original source files, I'm 100% sure it's an error written by the author of that article.

Change the ports in your compose file to:

      - '80:80'
      - '81:81'
      - '443:443'

And you're ready to go.

Edit: The following comment seems to acknowledge my observation.

Hey brother,
Fantastic walkthrough. I think there may be a typo in the config file (a final bracket missing at the bottom) and also the port numbers in the .yml file. I had to change them to 81:81 instead of 82:81 and 443:443 instead of 443:440 for the admin page to load up and I'm not sure what it is that specifically fixed it. Just a thought man. Keep up the amazing work!

So please note that guy saying there is a missing bracket in config.json - which is also a correct observation.


I knew about the missing bracket and was able to fix that earlier, but after changing the Docker ports, still no luck.

Repeat the iptables command, and confirm the container and the application are running on the server. Also repeat the NC command from another device in the same network.

Alternatively, delete the docker container and use a different guide hehe.

Actually, it now shows the port is open! Dude, you are amazing, thank you so much... that compose file has caused me many headaches today.
