Network routing problem
I’m somewhat lost trying to get a Caddy web server working on my Raspberry Pi. I’ll start by describing my configuration. I have a Ubiquiti Dream Machine router, with four VLANs. The RPI is on VLAN 1 at 192.168.1.2 with the router at 192.168.1.1. The RPI has a virtual interface eth0-shim, which is a MACVlan bridge to VLAN 40 (192.168.1.3 & 192.168.40.2). VLAN 40 is a MACVlan docker network. All docker containers that use this network get their own MAC address, and look like any other device I connect to the network. This entire configuration is working fine. I can access all new containers that use the network from any of my other machines.
One of the containers is a Caddy reverse proxy web server. It uses Cloudflare certificates (not Let's Encrypt), and SSL Labs is able to get them fine, giving the connection an ‘A’ rating. I’m not able to open port 80, just 443 for the server. I want all traffic on port 443 to go through Caddy.
If I go to yougetsignal.com and test port 443 with my WAN address, the port is open. If I use my Cloudflare CNAME served by Caddy, it says it is closed. I can’t seem to open it, and I’m not very good at debugging it.
Regarding debugging, tcpdump is available on the router, the RPI, and the docker containers. I haven’t been able to see any traffic at all come in from yougetsignal using the CNAME. I see the traffic when using the IP address.
The path to the Caddy server is: router -> RPI -> MACVlan Bridge -> Caddy container. I’m not able to decode the TLS traffic on the router, but I can on the RPI and Caddy container.
I seem to be confused whenever I work with the firewall rules on the router. They never seem to work the way I’d expect. I can provide the firewall, static routes, and port forwarding for the router.
I’m looking for some high level guidance: a verbal description of how the routing, forwarding, and firewall should be configured on all relevant machines. I know this is a lot. I’d appreciate feedback on any piece of the puzzle. I’ve been struggling with this for quite a while, and I’d really like to get past it.
Lots of information is available to anyone who wants it. I would have provided it as attachments, but that doesn’t seem to be an option. Any and all help would be great. Thanks.
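A diagnostic script for the symptom described above (port 443 reachable by WAN IP, reported closed by hostname, and no matching traffic visible in tcpdump). This is an added example and not code from the original post or from Caddy; the hostname `app.example.com`, the WAN address `203.0.113.10` and the tcpdump lines are constructed placeholders. It does three things: it resolves the hostname and checks whether the addresses the scanner would actually test are the WAN IP at all; it parses `tcpdump -n` SYN output captured on the RPi (on eth0-shim, or inside the Caddy container) and counts which destination received SYNs on 443; and it makes a TLS connection to a chosen IP while presenting the hostname as SNI, so the proxy's routing can be tested independently of whatever DNS returns.

```python
"""Separate "which host did the scanner reach" from "did the SYN reach Caddy".

Added example; assumed values below are placeholders, not from the original post.
"""
import re
import socket
import ssl
from collections import Counter

HOSTNAME = "app.example.com"      # assumed: the Cloudflare CNAME served by Caddy
WAN_IP = "203.0.113.10"           # assumed: the router's WAN address (documentation range)
CADDY_IP = "192.168.40.2"         # MACVlan address range given in the post

# Constructed sample of `tcpdump -n` output, as produced by e.g.
#   tcpdump -n -i eth0-shim 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 198.51.100.7.51235 > 192.168.40.2.443: Flags [S], seq 2, win 64240, length 0
12:00:02.000001 IP 198.51.100.8.40000 > 192.168.1.2.22: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 198.51.100.9.40001 > 192.168.40.2.443: Flags [S], seq 4, win 64240, length 0
"""

# `tcpdump -n` prints "src.port > dst.port: Flags [S]" for a bare SYN.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def syn_destinations(tcpdump_text, port=443):
    """Count inbound SYNs per destination IP for `port`; other ports are ignored."""
    counts = Counter()
    for line in tcpdump_text.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == port:
            counts[m.group(3)] += 1
    return dict(counts)


def classify_resolution(hostname_ips, wan_ip):
    """Say what a hostname-based port check would actually be probing.

    'hits-wan'   - the name resolves only to the WAN IP, so both checks test the router
    'other-host' - the name resolves elsewhere; the scanner never touched the WAN IP
    'mixed'      - the WAN IP is one of several answers
    'no-answer'  - the name did not resolve
    """
    ips = set(hostname_ips)
    if not ips:
        return "no-answer"
    if ips == {wan_ip}:
        return "hits-wan"
    if wan_ip in ips:
        return "mixed"
    return "other-host"


def resolve(hostname):
    """Return the sorted set of IPv4/IPv6 addresses the name resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tls(server_name, ip, port=443, timeout=5.0):
    """Connect to `ip`:`port` but present `server_name` as SNI.

    Verification is disabled on purpose: the question here is whether the SYN
    completes and which endpoint answers the handshake, not whether the chain is
    trusted. Returns a dict with 'ok' and either the negotiated parameters or the error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    answers = resolve(HOSTNAME)
    print(f"{HOSTNAME} -> {answers}: {classify_resolution(answers, WAN_IP)}")
    print("SYNs to :443 per destination in sample capture:", syn_destinations(SAMPLE_TCPDUMP))
    # Same SNI, two different targets: the router's WAN side and Caddy directly on the LAN.
    for target in (WAN_IP, CADDY_IP):
        print(target, probe_tls(HOSTNAME, target))
```

Run it from a LAN host for the direct-to-Caddy probe and from outside the network for the WAN probe; if the resolution step reports `other-host`, the hostname check and the IP check are not testing the same machine, and the tcpdump counts will show on which interface the SYNs stop.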