Hi,
I had to change my router and am trying to run my reverse proxy again. The old one needed just a port forward and it was working. With MikroTik it's not that easy and I need your help with that.
I managed to create a dst-nat rule that sends incoming traffic for ports 80 and 443; I can see the packets coming in and I am able to reach Traefik via my domain, but there my journey ends, with Traefik giving me error 404 page not found, which means it's not possible to reach the destination service.
As the only thing that changed is my router, I assume it's something there. I tried to create custom DNS records using AdGuard and I am able to reach services in my local network but not from the internet.
So you have working dst-nat rules and the problem is that this Traefik can't reach something. What, where, how? Is it some internal domain name? What DNS servers does it use? Etc.
You may have to exclude the Traefik proxy IP itself from the rule. Otherwise you can end up with a loop with Traefik getting redirected to itself by the firewall rules.
I have a few Docker containers running on the same device as Traefik and some external devices that run on others (NAS, Home Assistant etc.). They are all reachable from within the local network by IP and port. Traefik itself should expose port 8080 where its dashboard should be, but it is also not possible to load (404 error) and the container gives the following errors:
2024-07-12T13:08:50Z ERR error="accept tcp [::]:443: use of closed network connection" entryPointName=https
2024-07-12T13:08:50Z ERR error="accept tcp [::]:80: use of closed network connection" entryPointName=http
2024-07-12T13:08:50Z ERR Error while starting server error="accept tcp [::]:443: use of closed network connection" entryPointName=https
2024-07-12T13:08:50Z ERR error="close tcp [::]:80: use of closed network connection" entryPointName=http
2024-07-12T15:39:12Z ERR Error while Peeking first byte error="read tcp 172.18.0.14:8080->10.10.42.253:40170: i/o timeout"
Here are the rules I use (adapted for your proxy IP), which ignore the Traefik container's IP in the dst-nat rules (otherwise the proxy will go back through the proxy because of NAT):
Well… it "works". I added those rules and I am able to connect to all of my services from the internet. The strange part is that from the moment I enable those rules my router unleashes havoc and drops/reconnects the internet… Why, I wonder. But thanks for one step forward(?)
EDIT: it's not the internet, just some local DNS problems probably, because Google search works and I am able to connect via the internet from outside of my home network.
EDIT 2: It seems to be working now; I added WAN in the interface list and now it works, probably it got looped somewhere? Thanks a lot.
Yeah, any proxy in a container gets confusing in the firewall since you generally want all inbound traffic going to the proxy, and outbound traffic out of the proxy going someplace OTHER than looping back to itself. Whether that's done with NAT rules or filters or just not using the same dst ports inbound and outbound, it just needs to be treated differently somehow, otherwise you'll end up in a loop.
With an additional factor depending on whether the proxy is going outbound to the internet, as that likely needs a src-nat too if not already handled by some generic WAN NAT rule. And/or the container VETH being a member of the LAN interface list, if proxying to an internal host.
Basically you need a few firewall things to make it all work. The exact ones do get specific to what you're proxying.
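A worked RouterOS configuration of what this thread converges on (dst-nat for 80/443 restricted to the WAN interface list, the proxy's own address excluded so Traefik is never redirected to itself, hairpin NAT for LAN clients, and a forward-chain accept for the forwarded connections). This is an added example, not the rules any poster shared; the LAN subnet 10.10.42.0/24, the Traefik host address 10.10.42.20, the bridge and ether1 interface names are all assumed.

```routeros
# Added example, not the rules posted in this thread. Assumed addressing:
#   LAN subnet    10.10.42.0/24 on interface "bridge"
#   Traefik host  10.10.42.20 (Docker host; the container sits behind it)
#   ether1        the uplink to the internet
/interface list
add name=WAN comment="uplink(s) to the internet"
add name=LAN comment="internal interfaces"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall nat
# 1) Ordinary outbound NAT for everything leaving via WAN.
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="default WAN NAT"

# 2) Internet -> proxy. Matching only on WAN is what keeps traffic that
#    Traefik itself sends out (e.g. to a backend by its public name)
#    from being caught by this rule.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.10.42.20 comment="internet -> traefik"

# 3) Hairpin: LAN clients that resolve the public name also reach the
#    proxy. dst-address-type=local matches the router's own addresses
#    (works with a dynamic WAN address); excluding the LAN subnet keeps
#    the router's LAN-side services alone. src-address=!10.10.42.20 is
#    the exclusion from the thread: without it the proxy's own request
#    to the public address would be redirected straight back to itself.
add chain=dstnat in-interface-list=LAN dst-address-type=local \
    dst-address=!10.10.42.0/24 protocol=tcp dst-port=80,443 \
    src-address=!10.10.42.20 action=dst-nat to-addresses=10.10.42.20 \
    comment="lan -> traefik (hairpin)"

# 4) Hairpin return path: rewrite the source so the proxy replies via the
#    router instead of directly to the LAN client (avoids an asymmetric
#    path that the client's TCP stack would reject).
add chain=srcnat src-address=10.10.42.0/24 dst-address=10.10.42.20 \
    protocol=tcp dst-port=80,443 action=masquerade \
    comment="hairpin srcnat"

/ip firewall filter
# Accept the dst-natted connections in the forward chain; this must sit
# above any drop rule for new connections arriving from WAN.
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept comment="allow port-forwards"
```

If Traefik's backends are on the same LAN and are reached by their private addresses, rule 3's exclusion is never exercised; it only matters when the proxy is configured to contact a backend through the public hostname.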