httpd behind linux modem/router

[PingPing]

I can't connect to my OpenBSD6.7 web server from the internet.

I've been using a Debian-based Nginx web server for some time now (a FriendlyElec ZeroPi). It sits behind my ISP's modem/router (Huawei HG533) and, using the modem/router's provided GUI, I've configured it to forward TCP traffic for ports 80 and 443 through to the Nginx server. Everything has been working fine.

I recently decided I'd like to replace Debian with OpenBSD so I installed the latter (v6.7) on a soekris net6501 I have. The latter works, LAN-side, without any problems. I can see the site from any of my LAN-side machines.

However, I can't get things to work WAN-side. I've re-congured the HG533 to forward the same TCP 80/443 traffic through to the IP address of my net6501 but I still can't see the web site from the internet. I can see it LAN-side but not WAN-side. All I did was change the IP address for the HG533's port forwarding. If I change the IP back to that of my Debian/Nginx machine, I can see its web site from the WAN. For some reason, when I change the IP to that of my OpenBSD/Httpd machine, I can't see its web site from the WAN.

I don't know what I'm doing wrong.

My OpenBSD/Httpd machine has a static IP.
I've configured my HG533 to forward tcp 80/443 to this static IP (again, the same config for my Debian/Nginx machine works without a problem).
My /etc/pf.conf is basic:

Code:

block all
pass proto { tcp udp } to port { ssh www }

I've even tried disabling pf (# pfctl -d) but that hasn't worked.
My /etc/httpd.conf is also very basic:

Code:

ext_ip="192.168.1.10"
server "default" {
  listen on $ext_ip port 80
}

I've spent the whole weekend just gone, trying to figure out what I'm doing wrong but I haven't been able to work it out, so I was hoping someone here could point out the error of my ways...

Cheers

[bsdun]

listen on $ext_ip port 80
should be
listen on $ext_if port 80

[PingPing]

Thanks but that makes no difference. I could be wrong, but I don't believe there are any restrictions on MACRO names.

[bsdun]

Try to specify a document root directory. Example:

Code:

ext_ip="192.168.1.10"
server "default" {
  listen on $ext_ip port 80
  root "/www"
}

Also check if httpd daemon is running.

[jggimi]

Welcome back!

If I understand what you've posted, you've swapped out a Debian server for an OpenBSD server. At the same time, you've also swapped webservers, from nginx to httpd(8). And, both the old and new servers were (are) behind your Huawei gateway device, and the only thing you've changed on the gateway was the address of the server on the local network.

Since you've seen the same results with and without PF active on the OpenBSD server, it appears to me you've already ruled out PF as a root cause of the problem.

I'd want to be sure that packets are being properly forwarded by the Huawei gateway, and returning. To confirm this, I'd use tcpdump(8) on the OpenBSD server to monitor traffic. Something like # tcpdump -neti <interface> port 80 will clarify whether there are any HTTP packets being received by the OS. If no packets are being forwarded, you know the source of the problem is outside the OS.

[PingPing]

Thanks jggimi. It's been a while - 5 years, in fact.

Yes. you've got my set-up correct. And I did try tcpdump but, I haven't had time to figure out what the results mean (I still have my day job to do ). Here's the output...

Code:

soekris$ tcpdump -r tcp.dump | grep www 
08:35:59.252982 82.132.229.232.38698 > 192.168.1.10.www: SWE 3454133929:3454133929(0) win 8190 <mss 1356,nop,wscale 8,nop,nop,sackOK>
08:36:00.253468 82.132.229.232.38698 > 192.168.1.10.www: SWE 3454133929:3454133929(0) win 8190 <mss 1356,nop,wscale 8,nop,nop,sackOK>
08:36:02.263557 82.132.229.232.38698 > 192.168.1.10.www: S 3454133929:3454133929(0) win 8190 <mss 1356,nop,wscale 8,nop,nop,sackOK>

I've figured out that 82.132.229.232 is/was the ip of my mobile phone (ie. WAN-side) as it's the same when I forwarded my HG533 to my Debian/Nginx server and took a tcpdump on there. I also see more 'www' lines on Debian/Nginx - probably because the site works.

My tcp-fu is non-existent so I'm clueless as to how to interpret these results. Any ideas?

[jggimi]

I don't know what filters -- if any -- were used to create the file tcp.dump. Assuming none (e.g.: # tcpdump -w tcp.dump) I can see that your gateway is forwarding packets, but there is no response.

You have stated that the httpd(8) server is responding to local requests but not remote. An error in provisioning TCP/IP (/etc/hostname.<if>) would most likely cause local problems as well as remote, but I would still double-check your static IP addressing -- you may have missed a typo. Look for a mistake in netmask or CIDR, not just the IP address.

Lastly, since you haven't shared your $ ifconfig output with us, be sure you don't have two NICs on the same subnet. Unless there is a special-case pseudo-NIC designed for it -- such as carp(4) or trunk(4) -- two NICs cannot be attached to the same subnet.

[PingPing]

Code:

double-check your static IP addressing

'Bang on the money, yet again, jggimi.
If I switch back to dhcp, it works!

Maybe there is something wrong with my static IP set up, but I've read through the man pages for hostname.if(5) and ifconfig(8) and my config looks okay to me:

Code:

$ cat /etc/hostname.em0
#dhcp

inet 192.168.1.10 255.255.255.0 192.168.1.255 description "This one is connected to the HG533."

Do you have any further ideas? Is there something else that dhcp does that's not in my static ip config?

FYI, here's my ifconfig:

Code:

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 14 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xe
	inet 127.0.0.1 netmask 0xff000000
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
	lladdr 00:00:24:d1:21:78
	description: This one is connected to the HG533.
	index 1 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d1:21:79
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d1:21:7a
	index 3 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d1:21:7b
	index 4 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em4: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:e0:30
	index 5 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em5: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:e0:31
	index 6 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em6: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:e0:32
	index 7 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em7: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:e0:33
	index 8 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em8: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:df:50
	index 9 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em9: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:df:51
	index 10 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em10: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:df:52
	index 11 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em11: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:d0:df:53
	index 12 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
enc0: flags=0<>
	index 13 priority 0 llprio 3
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
	index 15 priority 0 llprio 3
	groups: pflog

[jggimi]

I'll bet you're missing a default route. Static IP addressing needs a mygate(5) file.

[PingPing]

Quote:

Originally Posted by jggimi

I'll bet you're missing a default route. Static IP addressing needs a mygate(5) file.

Bingo!

That was it. I didn't have one. I've added one and now everything is working.
Check it out: hammondmason.com

Thanks for your help, jggimi.