Solnse
just joined
Topic Author
Posts: 10
Joined: Sun Mar 26, 2023 11:19 pm

rb5009 trying to use traefik as reverse proxy, nothing gets through.

Sun Mar 26, 2023 11:38 pm

I'm somewhat new here and I just got a couple of rb5009s that I'd like to set up so that I can route to various services. I've got a Raspberry Pi with Docker running traefik, pihole, unbound, and unifi controller for my access points. I followed a very simple guide to get traefik up and running and am supposed to have access to the dashboard. However, when I try to go to it, I get a 522 error (server connected but failed to complete) via Cloudflare, where I have the domain DNS management.

I suspect that my initial rb5009 firewall rules or NAT is ignoring the requests since it's set up to ignore anything not coming from the LAN. I'm not really sure how to make the exception for 80 and 443 and have it sent to the Raspberry Pi where traefik can pick it up. I've read through a lot of forum posts, the MikroTik docs on firewall and NAT, and a ton of Google results, but it left me overwhelmed and confused. I'm an application developer, not much of a network or infrastructure guy. Any advice is greatly appreciated.

ip/firewall/filter:
[admin@MikroTik] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

and ip/firewall/nat, which are mostly disabled right now but intended to force all the traffic through the pihole once I have it up and running again:
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1 X  chain=dstnat action=dst-nat to-addresses=192.168.88.107 protocol=udp src-address=!192.168.88.107 
      dst-address=!192.168.88.107 dst-port=53 log=no log-prefix="" 

 2 X  chain=dstnat action=dst-nat to-addresses=192.168.88.107 protocol=tcp src-address=!192.168.88.107 
      dst-address=!192.168.88.107 dst-port=53 log=no log-prefix="" 

 3 X  chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.107 
      dst-port=53 log=no log-prefix="" 

 4 X  chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.107 
      dst-port=53 log=no log-prefix=""
      
 
Solnse
just joined
Topic Author
Posts: 10
Joined: Sun Mar 26, 2023 11:19 pm

Re: rb5009 trying to use traefik as reverse proxy, nothing gets through.

Mon Mar 27, 2023 12:41 am

I've tried adding this rule in the beginning but still no go.
 1    chain=forward action=accept connection-nat-state=srcnat protocol=tcp src-address=174.160.xxx.xxx
      dst-address=192.168.88.107 in-interface-list=WAN src-port=80 dst-port=80 log=no log-prefix="
      
Last edited by Solnse on Mon Mar 27, 2023 12:42 am, edited 1 time in total.
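
An added example, not part of the original posts and not MikroTik's own configuration: one way to forward TCP 80 and 443 from the WAN to the traefik host at 192.168.88.107 on top of the default rules printed above. The address-list name `cf-proxy`, its 192.0.2.0/24 entry and the rule comments are constructed placeholders; the list should hold the proxy ranges Cloudflare publishes.

```routeros
# Added example. Assumes the defconf interface lists (WAN, LAN) and the
# traefik host 192.168.88.107 shown in the posts above.

# Why a forward-chain accept alone does not help: filter rules never rewrite
# the destination. Without a dstnat rule, a request to the router's public
# address is destined for the router itself, so it is evaluated in chain=input
# and dropped by defconf rule 5 (in-interface-list=!LAN).

# 1. Sources allowed to reach the proxy. Constructed placeholder entry
#    (documentation range); replace with Cloudflare's published ranges so the
#    origin only answers requests that arrive through the proxy.
/ip firewall address-list
add list=cf-proxy address=192.0.2.0/24 comment="placeholder, replace"

# 2. Destination NAT: inbound WAN connections on 80/443 from the allowed
#    sources are rewritten to the Raspberry Pi. Match on dst-port only; the
#    client's source port is ephemeral, never 80.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=80,443 src-address-list=cf-proxy \
    to-addresses=192.168.88.107 comment="web to traefik"

# 3. No extra filter rule is required. defconf rule 11 drops only WAN
#    connections with connection-nat-state=!dstnat, so connections rewritten
#    in step 2 pass it, and the forward chain has no later drop rule.

# 4. Check that the rule is matching: the packet counter should increase
#    when a request is made through the public hostname.
/ip firewall nat print stats where comment="web to traefik"
```

If the counter stays at zero, the requests are not reaching the router's WAN interface at all (for example, an upstream modem doing its own NAT), and the router rules are not the cause.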
