proxmox/docs/archive/completion/BLOCKSCOUT_FIREWALL_FIX_COMPLETE.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


Blockscout Firewall Fix - Complete Summary

Date: $(date)
Status: 🔧 Manual Action Required - Firewall Rule Configuration


Completed Tasks

1. Infrastructure Setup

  • Blockscout container (VMID 5000) deployed on pve2
  • Nginx reverse proxy installed and configured
  • SSL certificates generated
  • Docker Compose services running
  • PostgreSQL database configured

2. Cloudflare Configuration

  • DNS Record: explorer.d-bis.org → CNAME to Cloudflare Tunnel
  • Tunnel Route: explorer.d-bis.org → http://192.168.11.140:80
  • Cloudflare Tunnel (VMID 102) running

3. Diagnostic & Analysis

  • Identified root cause: Firewall blocking traffic
  • Diagnosed "No route to host" error
  • Created diagnostic scripts
  • Created Omada Controller access scripts

Remaining Issue

Firewall Rule Configuration

Problem: The Omada firewall is blocking traffic from the cloudflared container (192.168.11.7) to Blockscout (192.168.11.140:80)

Error: curl: (7) Failed to connect to 192.168.11.140 port 80: No route to host

Status: HTTP 502 Bad Gateway when accessing https://explorer.d-bis.org


🔧 Required Action

Configure Omada Firewall Rule

Step 1: Access Omada Cloud Controller

Option A: Via Cloud Controller (Recommended)

URL: https://omada.tplinkcloud.com
Login: Use TP-Link ID credentials (or admin credentials from .env)

Option B: Via Local Controller

URL: https://192.168.11.8:8043
Login: Use admin credentials from .env (OMADA_ADMIN_USERNAME / OMADA_ADMIN_PASSWORD)

Quick access helper:

bash scripts/access-omada-cloud-controller.sh

Step 2: Navigate to Firewall Rules

  1. Click Settings (gear icon)
  2. Click Firewall in left sidebar
  3. Click Firewall Rules tab

Step 3: Create Allow Rule

Create a new firewall rule with these settings:

Name: Allow Internal to Blockscout HTTP
Enable: ✓ Yes
Action: Allow
Direction: Forward
Protocol: TCP
Source IP: 192.168.11.0/24 (or leave blank for "Any")
Source Port: (leave blank for "Any")
Destination IP: 192.168.11.140
Destination Port: 80
Priority: High (must be above any deny rules)

Important:

  • Ensure the rule has HIGH priority (above deny rules)
  • Drag the rule to the top of the list if needed
  • Rules are processed in priority order (high → low)

Step 4: Save and Apply

  • Click Save or Apply
  • Wait for configuration to apply (may take a few seconds)

🧪 Verification

After configuring the firewall rule, run:

# Comprehensive check
bash scripts/complete-blockscout-firewall-fix.sh

# Or manual test
ssh root@192.168.11.10 "ssh pve2 'pct exec 102 -- curl http://192.168.11.140:80/health'"

# Test external access
curl https://explorer.d-bis.org/health

Expected Results:

  • Internal test: HTTP 200 (not "No route to host")
  • External test: HTTP 200 (not 502 Bad Gateway)
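The probes above can be classified automatically, so that a connect failure, a silent drop and a 502 from the tunnel are reported as different conditions. This is an added example, not one of the repository's scripts; the function names `classify_probe` and `probe` are hypothetical, and it assumes `curl` is available where it runs.

```shell
#!/usr/bin/env bash
# Added example: classify the /health probes from the Verification step.
# classify_probe and probe are hypothetical helpers, not the repo's scripts.

# Map a curl exit code and HTTP status to the failure modes described on this page.
classify_probe() {
    local curl_exit="$1" http_code="$2"
    case "$curl_exit" in
        0)  ;;                                  # transport OK, inspect HTTP status below
        6)  echo "dns-failure"; return ;;       # hostname did not resolve
        7)  echo "connect-failed"; return ;;    # e.g. "No route to host" or refused
        28) echo "timeout"; return ;;           # packets dropped without a reject
        *)  echo "curl-error-$curl_exit"; return ;;
    esac
    case "$http_code" in
        200) echo "ok" ;;
        502) echo "bad-gateway" ;;              # tunnel answers, origin unreachable
        *)   echo "unexpected-http-$http_code" ;;
    esac
}

# Run one probe and print "<classification> <url>".
probe() {
    local url="$1" code rc=0
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url") || rc=$?
    echo "$(classify_probe "$rc" "$code") $url"
}

# Probe only when URLs are given as arguments; exit non-zero if any is not "ok".
if [ "$#" -gt 0 ]; then
    failed=0
    for url in "$@"; do
        result=$(probe "$url")
        echo "$result"
        case "$result" in
            ok\ *) ;;
            *) failed=1 ;;
        esac
    done
    exit "$failed"
fi
```

For the internal check, run it from inside the cloudflared container (VMID 102) against http://192.168.11.140:80/health; for the external check, run it from any host against https://explorer.d-bis.org/health.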

📊 Current Network Topology

| Component | IP Address | Network | Status |
|---|---|---|---|
| Blockscout Container (VMID 5000) | 192.168.11.140 | 192.168.11.0/24 | Running |
| cloudflared Container (VMID 102) | 192.168.11.7 | 192.168.11.0/24 | Running |
| ER605 Router (Omada) | 192.168.11.1 | 192.168.11.0/24 | Running |

Note: Both containers are on the same subnet. Traffic should be allowed by default, but an explicit deny rule or restrictive default policy is blocking it.


📝 Scripts Created

Diagnostic Scripts

  • scripts/complete-blockscout-firewall-fix.sh - Comprehensive connectivity check
  • scripts/query-omada-firewall-blockscout-direct.js - Attempts API query (limited)

Access Helper Scripts

  • scripts/access-omada-cloud-controller.sh - Helper for cloud controller access

📚 Documentation

  • docs/OMADA_CLOUD_ACCESS_SUMMARY.md - Quick access guide
  • docs/OMADA_CLOUD_CONTROLLER_FIREWALL_GUIDE.md - Detailed firewall configuration guide
  • docs/OMADA_FIREWALL_BLOCKSCOUT_REVIEW_COMPLETE.md - Complete analysis
  • docs/BLOCKSCOUT_FIREWALL_FIX_COMPLETE.md - This document

🎯 Summary

Completed: Infrastructure setup, Cloudflare configuration, diagnostics
Pending: Manual firewall rule configuration via Omada Controller web interface
Next Step: Access Omada Controller and create the allow rule as specified above
Expected Outcome: Blockscout accessible at https://explorer.d-bis.org after firewall rule is configured


Last Updated: $(date)
Status: Ready for manual firewall configuration