Networks·41,411 discussions

Network routing problem

Tags: Networking, Networking

Hi,
I’m somewhat lost trying to get a Caddy web server working on my Raspberry Pi. I’ll start by describing my configuration. I have a Ubiquiti Dream Machine router, with four VLANs. The RPI is on VLAN 1 at 192.168.1.2 with the router at 192.168.1.1. The RPI has a virtual interface eth0-shim, which is a MACVlan bridge to VLAN 40 (192.168.1.3 & 192.168.40.2). VLAN 40 is a MACVlan docker network. All docker containers that use this network get their own MAC address, and look like any other device I connect to the network. This entire configuration is working fine. I can access all new containers that use the network from any of my other machines.

One of the containers is a Caddy reverse proxy web server. It uses Cloudflare certificates (not letsencrypt), and ssllabs is able to get them fine, giving the connection an ‘A’ rating. I’m not able to open port 80, just 443 for the server. I want all traffic on port 443 to go through Caddy.

If I go to yougetsignal.com and test port 443 with my WAN address, the port is open. If I use my Cloudflare CNAME served by Caddy, it says it is closed. I can’t seem to open it, and I’m not very good at debugging it.

Regarding debugging, tcpdump is available on the router, the RPI, and the docker containers. I haven’t been able to see any traffic at all come in from yougetsignal using the CNAME. I see the traffic when using the IP address.

The path to the Caddy server is: router -> RPI -> MACVlan Bridge -> Caddy container. I’m not able to decode the TLS traffic on the router, but I can on the RPI and Caddy container.

I seem to be confused whenever I with the firewall rules on the router. They never seem to work the way I’d expect. I can provide the firewall, static routes, and port forwarding for the router.

I’m looking for some high level guidance. Verbal description of how the routing, forwarding, and firewall should be configured on all relevant machines. I know this is a lot – I’d appreciate feedback on any piece of the puzzle. I’ve been struggling with this for quite a while – I’d really like to get past it.

Lot’s of information is available to anyone who wants it. I would have provided it as attachments, but that doesn’t seem to be an option. Any and all help would be great. Thanks.

Topic

Ugh….

In reply to Network routing problem

I spent a lot of time before posting anything. It’s a fairly complicated network configuration, and I knew it would be difficult to convey what I had done, and to provide the necessary details. Additionally, the problem area was large – I couldn’t seem to break it into smaller problems. Eventually I decided to spend the time to write it up. Embarrassingly, as soon as I asked for help, I found the problem.

To add to the fire, the issue was a dumb one. My ISP changed the WAN IP address. Once I switched to the correct address, everything worked fine.

Thanks to whoever had started looking at this issue. Glad it’s resolved, but wish it weren’t such a dumb resolution.

Next task is to automatically change addresses on my A record whenever my WAN address changes. Anyone know the right way to do that?

Routing problem

In reply to Network routing problem

To add to the fire, the issue was a dumb one. My ISP changed the WAN IP address. Once I switched to the correct address, everything worked fine.

[Author]

Replies