Nextcloud Iocage and PfSense

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
I am setting up pfSense as a firewall. I cannot get it to see my Nextcloud jail, which has IP of 192.168.1.36 on vnet0.
I'd also like to know what rule to write so that the reverse proxy from AWS routes to Nextcloud through pfSense.
Any help would be appreciated.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I can't really help you with the AWS stuff. I've never done the Amazon thing

So describe your setup. You have reverse proxy located on AWS that is proxying to your nextcloud jail running on Freenas on LAN behind your Pfsense?

What is not seeing your Nextcloud Jail? Your pfSense installation?
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
KevDog, that's right - my pfSense install is not seeing the Nextcloud jail, which has IP of 192.168.1.36 on vnet0. The DHCP service sees the FreeNAS box and Plex (which is set up for DHCP), but not the Nextcloud box, which has its assigned IP.
The AWS reverse proxies to my LAN. On the previous router I had a port forward rule set up to direct it to the Nextcloud. Basically it just forwarded 80/443 inbound traffic to the Nextcloud.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
my pfSense install is not seeing the Nextcloud jail
In what way do you expect your router to "see" a device with a static IP address?
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
The previous router could 'see' the FreeNAS server and its two jails. The FreeNAS server had a static IP and so did Nextcloud in the jail.
I set up pfSense with DHCP and gave FreeNAS a static mapping. Plex is fine with DHCP, but I need to give Nextcloud a static mapping, and it's not showing up on this LAN. Does this make sense?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I need to give Nextcloud a static mapping, but it's not showing up on this LAN. Does this make sense?
Not much, really. The jail has a MAC address, so if you want to set it up with a static DHCP mapping, you can do that under Services -> DHCP Server, and click Add under the Static Mappings. Enter the MAC address, desired IP address, hostname etc. and you're fine. Alternatively, leave the jail set to a static IP, and set up that hostname/IP as a host override under either the DNS Resolver or DNS Forwarder service (whichever you're using). Either of those will let you resolve the hostname to that jail on your LAN. But I can't think of any way that my pfSense router "sees" devices on my network with static IP addresses--at least in a way that's exposed through the GUI.
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
Not much, really. The jail has a MAC address, so if you want to set it up with a static DHCP mapping, you can do that under Services -> DHCP Server, and click Add under the Static Mappings. Enter the MAC address, desired IP address, hostname etc. and you're fine. Alternatively, leave the jail set to a static IP, and set up that hostname/IP as a host override under either the DNS Resolver or DNS Forwarder service (whichever you're using). Either of those will let you resolve the hostname to that jail on your LAN. But I can't think of any way that my pfSense router "sees" devices on my network with static IP addresses--at least in a way that's exposed through the GUI.
OK, poor choice of words. I tried the static DHCP mapping, getting the MAC address from the jail, and that did not work - I'm wondering if it's because it's on a vnet.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
OK, first of all you need to give some more information -- it would really help out:
#1) From a pfSense shell, can you ping the jail?
#2) From the FreeNAS main installation, can you ping the jail?
#3) Vice versa - can you ping pfSense and FreeNAS from the jail?

Could you post ifconfig from the jail and from FreeNAS? I don't understand which machine is able to reach which machine right now -- that would help to narrow down whether it's a problem between FreeNAS and pfSense, FreeNAS and the jail, or the jail and pfSense.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,449
@nic_greene,
Are you setting up HAProxy to map your domain name to your Nextcloud jail IP?
Also, are you using danb35's script running Caddy?
If so, the problem might be with HAProxy's check being unable to interrogate Caddy.

Unless you set your jail to get its IP address via DHCP, pfSense is not going to know about it. It might, but on my end, static IPs do not advertise themselves to pfSense.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
@Apollo - Did I miss something -- where did HAProxy come into the description?
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,449
@KevDog, it didn't, but because I use HAProxy to service my jails, I thought this is something the OP hasn't mentioned or isn't aware of.
He is, however, asking about reverse proxying, which is what HAProxy is designed to do.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
@Apollo - I think he's using Nginx. However, if you'd like to give me a HAProxy tutorial I'd like it. I tried to use the HAProxy module built into pfSense -- it kept periodically having problems connecting to the backend. I've personally had more luck using Nginx and even Apache as the reverse proxy.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,449
@Apollo - I think he's using Nginx. However, if you'd like to give me a HAProxy tutorial I'd like it. I tried to use the HAProxy module built into pfSense -- it kept periodically having problems connecting to the backend. I've personally had more luck using Nginx and even Apache as the reverse proxy.
I'll see what I can do, but the major headache about HAProxy on pfSense is that if pfSense/HAProxy isn't able to check the status of the backend, it will just not forward the data to the backend. I think it is a safety measure to prevent down servers from being redirected internally, such as being redirected to FreeNAS.
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
OK, first of all you need to give some more information -- it would really help out
Nextcloud Mac from Freenas.png

Pfsense DHCP Leases.png

#1) From a pfSense shell can you ping the jail?
Ping PfSense to Nextcloud.png

#2) From the FreeNAS main installation can you ping the jail
Ping Freenas to Nextcloud.png

#3) Vice versa - can you ping pfSense and FreeNAS from the jail
Ping Nextcloud to PfSense.png


Ping Nextcloud to Freenas.png

Could you post ifconfig from the jail and from FreeNAS?

From Jail:
ifconfig Nextcloud.png


From Freenas
Ifconfig Freenas Root.png

ifconfig Freenas Root 2.png

ifconfig Freenas Root 3.png
@Apollo I have a reverse proxy from AWS for the Nextcloud jail; it has been up and operational for months through Route 53.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Ok from what you've posted things look good.

What exactly is the problem? If pfSense can ping the jail, then it appears to be routable.
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
@KevDog Yes, I know, it's weird. But does it matter that it does not appear online here?

Pfsense DHCP Leases.png

However, if it doesn't matter as above, then how do I set up rules to route to Nextcloud from my reverse proxy? The documentation for pfSense is a little confusing - basically I need to port forward to Nextcloud, so I need to figure out the WAN IP (for AWS) and then set a rule for the traffic to reach Nextcloud. How would I do that? Or please suggest a good basic primer.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I don't think it matters; however, if that table really bugs you -- you could do the following:

#1 - Within your pfSense DHCP server (Services->DHCP Server) --> scroll to the bottom of the page on the selected LAN under DHCP Static Mappings for this Interface. Add a reserved IP address for the Nextcloud jail based on the MAC address. The MAC address of the jail can be found within the FreeNAS interface under Jails->(Select Jail)->Network Properties; look for vnet0_mac -- it's the second value in the column -- or you could find the MAC address from within the jail itself with the ifconfig command and look at the ether field.
#2 - You could then optionally keep your DHCP static settings the same for the FreeNAS jail, or set it to DHCP Autoconfigure IPv4 if you want pfSense to explicitly assign it an IP address from its reserved pool.


I'm not sure exactly about the AWS part; however, you then need to set a NAT rule and a firewall rule within pfSense. NAT's going to do the port forwarding (for the specific Nextcloud ports -- would this be 80/443, maybe others, not sure), and then you're going to have to add a firewall rule under WAN - allow either from * or from the specific AWS address to the destination Nextcloud server IP address, and list the ports.
 

nic_greene

Dabbler
Joined
Sep 5, 2015
Messages
41
I'm not sure exactly about the AWS part; however, you then need to set a NAT rule and a firewall rule within pfSense. NAT's going to do the port forwarding (for the specific Nextcloud ports -- would this be 80/443, maybe others, not sure), and then you're going to have to add a firewall rule under WAN - allow either from * or from the specific AWS address to the destination Nextcloud server IP address, and list the ports.

Thanks @KevDog

Like this?
Screen Shot 2020-02-14 at 11.46.57 AM.png

Screen Shot 2020-02-14 at 11.47.10 AM.png
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
Like this?
No. You have ports 80 through 443 forwarded to your jail. That's bad. Set up an individual port forward for 80 and 443 separately.
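Putting Jailer's correction and KevDog's recipe (a static mapping keyed on the jail's MAC from the ifconfig `ether` field, then a NAT port forward plus a WAN firewall rule) into a checkable form, as an added example that is not code from this thread or from pfSense: the script below reads the jail's MAC out of constructed FreeBSD `ifconfig` output and lints two constructed config fragments whose element layout only approximates pfSense's config.xml (that layout, the MAC addresses and the 203.0.113.10 proxy address are assumptions, not values from the thread). It flags a static mapping whose MAC does not match the jail, a NAT rule that forwards a port range rather than one port per rule, and a WAN pass rule that accepts any source when only the proxy should reach the jail.

```python
import re
import xml.etree.ElementTree as ET

JAIL_IP = "192.168.1.36"  # the jail address from the thread

# Constructed sample: what `ifconfig` prints inside the jail for its vnet0
# interface. The MAC is a made-up locally administered address.
JAIL_IFCONFIG = """\
vnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:01:02:03
        hwaddr 02:ff:60:01:02:03
        inet 192.168.1.36 netmask 0xffffff00 broadcast 192.168.1.255
        groups: epair
        status: active
"""


def jail_mac(ifconfig_text):
    """Return the lower-cased MAC from the 'ether' line of ifconfig output."""
    m = re.search(r"^\s*ether\s+([0-9a-fA-F:]{17})", ifconfig_text, re.M)
    if not m:
        raise ValueError("no ether field in ifconfig output")
    return m.group(1).lower()


def build_config(mac, port_specs, wan_source):
    """Build a constructed config fragment. The element names imitate
    pfSense's config.xml (dhcpd staticmap, nat rule, filter rule) but are
    an approximation assumed for this example, not a real export."""
    nat = "".join(
        f"<rule><interface>wan</interface><protocol>tcp</protocol>"
        f"<source><any/></source>"
        f"<destination><network>wanip</network><port>{p}</port></destination>"
        f"<target>{JAIL_IP}</target><local-port>{p.split('-')[0]}</local-port>"
        f"</rule>"
        for p in port_specs)
    flt = "".join(
        f"<rule><interface>wan</interface><protocol>tcp</protocol>"
        f"<source>{wan_source}</source>"
        f"<destination><address>{JAIL_IP}</address><port>{p}</port></destination>"
        f"</rule>"
        for p in port_specs)
    return (f"<pfsense><dhcpd><lan><staticmap><mac>{mac}</mac>"
            f"<ipaddr>{JAIL_IP}</ipaddr><hostname>nextcloud</hostname>"
            f"</staticmap></lan></dhcpd><nat>{nat}</nat>"
            f"<filter>{flt}</filter></pfsense>")


# The shape Jailer rejected: one rule covering 80 through 443, open to any
# source, plus a static mapping whose MAC was mistyped (constructed).
BAD_CONFIG = build_config("02:ff:60:aa:bb:cc", ["80-443"], "<any/>")
# The corrected shape: one rule per port, WAN source limited to the proxy.
# 203.0.113.10 is a documentation address standing in for the AWS proxy.
GOOD_CONFIG = build_config("02:ff:60:01:02:03", ["80", "443"],
                           "<address>203.0.113.10</address>")


def lint(config_xml, jail_ip, mac):
    """Return a list of findings (empty when the fragment looks right)."""
    root = ET.fromstring(config_xml)
    findings = []

    # Static DHCP mapping: pfSense keys it on the MAC, so a mismatch means the
    # jail's request never matches and the lease table keeps showing nothing.
    maps = [m for m in root.iterfind("./dhcpd/lan/staticmap")
            if m.findtext("ipaddr") == jail_ip]
    if not maps:
        findings.append(f"no static mapping for {jail_ip}")
    elif (maps[0].findtext("mac") or "").lower() != mac:
        findings.append(f"static mapping MAC {maps[0].findtext('mac')} "
                        f"does not match jail MAC {mac}")

    # NAT port forwards: a range exposes every port in between, whether or
    # not the jail listens there, so require one rule per service port.
    for rule in root.iterfind("./nat/rule"):
        if rule.findtext("target") != jail_ip:
            continue
        port = rule.findtext("destination/port") or ""
        if "-" in port or ":" in port:
            findings.append(f"NAT rule forwards range {port} to {jail_ip}; "
                            f"use one rule per port")

    # WAN pass rule: the reverse proxy is the only legitimate client, so an
    # "any" source is wider than the design needs.
    for rule in root.iterfind("./filter/rule"):
        if (rule.findtext("interface") != "wan"
                or rule.findtext("destination/address") != jail_ip):
            continue
        if rule.find("source/any") is not None:
            findings.append("WAN pass rule to jail allows any source; "
                            "restrict it to the proxy address")
    return findings


if __name__ == "__main__":
    mac = jail_mac(JAIL_IFCONFIG)
    for name, cfg in (("range forward", BAD_CONFIG),
                      ("per-port forward", GOOD_CONFIG)):
        print(name, lint(cfg, JAIL_IP, mac) or ["ok"])
```

Run against a real export you would first confirm the element paths against your own config.xml, since the fragment above only mimics its layout; the three checks themselves (MAC match, single ports, restricted WAN source) are the points the thread settles on.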
 