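#!/usr/bin/env bash
# Check Omada firewall rules for Blockscout access.
#
# Prints the firewall rules that must exist on the Omada controller for the
# Blockscout web UI to be reachable through the Cloudflare tunnel, together
# with a manual checklist. Querying the controller API is NOT implemented:
# OMADA_CONTROLLER_URL / OMADA_API_KEY are read only to decide which checklist
# to print, and the API key is never transmitted or echoed by this script.
#
# Blockscout:        192.168.11.140:80 (default, see BLOCKSCOUT_IP/PORT)
# Cloudflare tunnel: VMID 102 (cloudflared)
#
# Environment (all optional):
#   ENV_FILE              .env file to source (default: ../.env next to script)
#   OMADA_CONTROLLER_URL  controller URL, e.g. https://192.168.11.8:8043
#   OMADA_API_KEY         controller API key (only tested for presence)
#   BLOCKSCOUT_IP         Blockscout host           (default 192.168.11.140)
#   BLOCKSCOUT_PORT       Blockscout HTTP port      (default 80)
#   BLOCKSCOUT_ALT_PORT   second internal port      (default 4000)
#   LAN_CIDR              internal network          (default 192.168.11.0/24)
#   NO_COLOR              when set, suppress ANSI colour codes
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
ENV_FILE="${ENV_FILE:-$SCRIPT_DIR/../.env}"

# Target addresses. Overridable from the environment so the same script can be
# pointed at another deployment; defaults are the original hard-coded values.
BLOCKSCOUT_IP="${BLOCKSCOUT_IP:-192.168.11.140}"
BLOCKSCOUT_PORT="${BLOCKSCOUT_PORT:-80}"
BLOCKSCOUT_ALT_PORT="${BLOCKSCOUT_ALT_PORT:-4000}"
LAN_CIDR="${LAN_CIDR:-192.168.11.0/24}"
# shellcheck disable=SC2034  # informational only; no check below uses it
CLOUDFLARED_IP="${CLOUDFLARED_IP:-192.168.11.12}"  # VMID 102 - approximate, adjust as needed
readonly BLOCKSCOUT_IP BLOCKSCOUT_PORT BLOCKSCOUT_ALT_PORT LAN_CIDR CLOUDFLARED_IP

# Colours are emitted only when stdout is a terminal and NO_COLOR is unset, so
# output redirected to a file or a log collector does not contain escapes.
if [[ -t 1 && -z "${NO_COLOR:-}" ]]; then
  RED=$'\033[0;31m'
  GREEN=$'\033[0;32m'
  YELLOW=$'\033[1;33m'
  BLUE=$'\033[0;34m'
  CYAN=$'\033[0;36m'
  NC=$'\033[0m'
else
  RED='' GREEN='' YELLOW='' BLUE='' CYAN='' NC=''
fi
readonly RED GREEN YELLOW BLUE CYAN NC

#######################################
# Logging helpers. printf '%s' is used instead of 'echo -e' so that backslash
# sequences inside interpolated values (e.g. a URL read from .env) are printed
# literally rather than interpreted. All arguments are joined into one message.
# Outputs: stdout (log_error: stderr)
#######################################
log_info()    { printf '%s[INFO]%s %s\n' "$BLUE" "$NC" "$*"; }
log_success() { printf '%s[✓]%s %s\n' "$GREEN" "$NC" "$*"; }
log_warn()    { printf '%s[WARN]%s %s\n' "$YELLOW" "$NC" "$*"; }
log_error()   { printf '%s[ERROR]%s %s\n' "$RED" "$NC" "$*" >&2; }
log_section() { printf '%s════════════════════════════════════════%s\n' "$CYAN" "$NC"; }

#######################################
# Print the banner and the targets being checked.
# Globals:  BLOCKSCOUT_IP, BLOCKSCOUT_PORT (read)
# Outputs:  stdout
#######################################
print_header() {
  log_section
  log_info "Omada Firewall Rules Check for Blockscout"
  log_section
  echo ""
  log_info "Blockscout IP: $BLOCKSCOUT_IP"
  log_info "Blockscout Port: $BLOCKSCOUT_PORT"
  log_info "Tunnel Container: VMID 102 (cloudflared)"
  echo ""
}

#######################################
# Source the .env file if it exists.
# 'source' executes the file as shell code, so it must only be writable by the
# operator. The file is expected to hold OMADA_API_KEY; warn when it is
# readable by group or others, which would expose that key.
# Globals:  ENV_FILE (read); whatever the file assigns (written)
# Returns:  0 (a missing file is not an error)
#######################################
load_env_file() {
  [[ -f "$ENV_FILE" ]] || return 0

  # POSIX find: -prune keeps find on the file itself, -perm -mode tests bits.
  if [[ -n "$(find "$ENV_FILE" -prune \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]]; then
    log_warn "$ENV_FILE is readable by group/others; it may contain OMADA_API_KEY (consider chmod 600)"
  fi

  # shellcheck source=/dev/null
  source "$ENV_FILE"
}

#######################################
# Checklist printed when OMADA_CONTROLLER_URL / OMADA_API_KEY are absent.
# Arguments: $1 - controller URL (may be empty)
# Globals:   BLOCKSCOUT_IP, BLOCKSCOUT_PORT, BLOCKSCOUT_ALT_PORT, LAN_CIDR (read)
# Outputs:   stdout
#######################################
print_missing_credentials() {
  # Fall back to a visible marker so the step never reads "Login to ... :" with
  # nothing after the colon when the URL is unset.
  local url="${1:-<OMADA_CONTROLLER_URL not set>}"

  log_warn "Omada credentials not found in .env"
  log_info "Expected variables:"
  log_info "  OMADA_CONTROLLER_URL=https://192.168.11.8:8043"
  log_info "  OMADA_API_KEY=your-api-key"
  echo ""
  log_info "Manual Check Required:"
  log_info "  1. Login to Omada Controller: $url"
  log_info "  2. Navigate to: Settings → Firewall → Firewall Rules"
  log_info "  3. Check for rules blocking:"
  log_info "     - Source: Any → Destination: $BLOCKSCOUT_IP"
  log_info "     - Port: $BLOCKSCOUT_PORT (HTTP)"
  log_info "     - Direction: WAN → LAN or Forward"
  echo ""
  log_section
  log_info "Expected Firewall Rules for Blockscout"
  log_section
  echo ""
  log_info "Required Rules (should be ALLOW):"
  echo ""
  echo "  1. Cloudflare Tunnel → Blockscout"
  echo "     Source: Cloudflare IP ranges OR Internal ($LAN_CIDR)"
  echo "     Destination: $BLOCKSCOUT_IP"
  echo "     Port: $BLOCKSCOUT_PORT"
  echo "     Protocol: TCP"
  echo "     Action: Allow"
  echo ""
  echo "  2. Internal Access (if needed)"
  echo "     Source: $LAN_CIDR"
  echo "     Destination: $BLOCKSCOUT_IP"
  echo "     Port: $BLOCKSCOUT_PORT, $BLOCKSCOUT_ALT_PORT"
  echo "     Protocol: TCP"
  echo "     Action: Allow"
  echo ""
  log_warn "Potential Issues:"
  echo ""
  echo "  ⚠️  Default WAN → LAN: Deny policy may block tunnel traffic"
  echo "  ⚠️  Port $BLOCKSCOUT_PORT blocking rules"
  echo "  ⚠️  Destination IP restrictions"
  echo "  ⚠️  Inter-VLAN routing restrictions"
  echo ""
}

#######################################
# Manual checklist printed when credentials are present (API query is not
# implemented, so the operator still has to look in the controller UI).
# Arguments: $1 - controller URL
# Globals:   BLOCKSCOUT_IP, BLOCKSCOUT_PORT (read)
# Outputs:   stdout
#######################################
print_manual_checklist() {
  local url=$1

  log_section
  log_info "Manual Firewall Rules Check"
  log_section
  log_info "Steps to check in Omada Controller:"
  echo ""
  echo "1. Login to Omada Controller: $url"
  echo "2. Navigate to: Settings → Firewall → Firewall Rules"
  echo "3. Review all rules, especially:"
  echo ""
  echo "   a. Rules with destination = $BLOCKSCOUT_IP"
  echo "   b. Rules with port = $BLOCKSCOUT_PORT (HTTP)"
  echo "   c. Rules with direction = 'WAN → LAN' or 'Forward'"
  echo "   d. Default deny policies"
  echo ""
  log_warn "Key Things to Check:"
  echo ""
  echo "  ✓ Is there a rule allowing Cloudflare tunnel traffic?"
  echo "  ✓ Is port $BLOCKSCOUT_PORT blocked by any deny rules?"
  echo "  ✓ Is there a default deny policy blocking WAN → LAN?"
  echo "  ✓ Are inter-VLAN rules blocking internal communication?"
  echo ""
}

#######################################
# Print the recommended rule set. The heredoc is unquoted so the target
# variables are expanded, keeping it consistent with the checks above.
# Globals:  BLOCKSCOUT_IP, BLOCKSCOUT_PORT, BLOCKSCOUT_ALT_PORT, LAN_CIDR (read)
# Outputs:  stdout
#######################################
print_recommended_rules() {
  log_section
  log_info "Recommended Firewall Rules"
  log_section
  cat <<EOF
Rule 1: Allow Cloudflare Tunnel to Blockscout
----------------------------------------------
Name:             Allow Cloudflare Tunnel to Blockscout
Enable:           ✓
Action:           Allow
Direction:        Forward
Protocol:         TCP
Source IP:        Any (or Cloudflare IP ranges if specified)
Destination IP:   $BLOCKSCOUT_IP
Destination Port: $BLOCKSCOUT_PORT
Priority:         High (above deny rules)

Rule 2: Allow Internal Access to Blockscout
--------------------------------------------
Name:             Allow Internal to Blockscout
Enable:           ✓
Action:           Allow
Direction:        Forward
Protocol:         TCP
Source IP:        $LAN_CIDR
Destination IP:   $BLOCKSCOUT_IP
Destination Port: $BLOCKSCOUT_PORT, $BLOCKSCOUT_ALT_PORT
Priority:         High

Rule 3: Verify Default Policy
------------------------------
Default WAN → LAN: Should be Deny (for security)
BUT: Tunnel traffic should be allowed via specific rule above
EOF
  echo ""
  log_info "If rules are correctly configured and traffic is still blocked:"
  echo "  1. Check rule priority (allow rules must be above deny rules)"
  echo "  2. Check for conflicting rules"
  echo "  3. Verify VLAN routing is enabled"
  echo "  4. Check router logs for blocked connection attempts"
  echo ""
}

#######################################
# Entry point.
# Returns: 0 in both branches (informational script)
#######################################
main() {
  local omada_url omada_api_key

  print_header
  load_env_file

  omada_url="${OMADA_CONTROLLER_URL:-}"
  # Presence-only test; the key is never used or printed beyond this point.
  omada_api_key="${OMADA_API_KEY:-}"

  if [[ -z "$omada_url" || -z "$omada_api_key" ]]; then
    print_missing_credentials "$omada_url"
    exit 0
  fi

  log_info "Omada credentials found, attempting to query firewall rules..."
  log_warn "API-based firewall rule query not fully implemented"
  log_info "Please check firewall rules manually in Omada Controller"
  echo ""
  print_manual_checklist "$omada_url"
  print_recommended_rules
}

main "$@"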