proxmox/docs/archive/completion/BLOCKSCOUT_FIREWALL_FIX_COMPLETE.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

# Blockscout Firewall Fix - Complete Summary
**Date**: $(date)

**Status**: 🔧 Manual Action Required - Firewall Rule Configuration

---
## ✅ Completed Tasks
### 1. Infrastructure Setup
- ✅ Blockscout container (VMID 5000) deployed on pve2
- ✅ Nginx reverse proxy installed and configured
- ✅ SSL certificates generated
- ✅ Docker Compose services running
- ✅ PostgreSQL database configured
### 2. Cloudflare Configuration
- ✅ DNS Record: `explorer.d-bis.org` → CNAME to Cloudflare Tunnel
- ✅ Tunnel Route: `explorer.d-bis.org` → `http://192.168.11.140:80`
- ✅ Cloudflare Tunnel (VMID 102) running
### 3. Diagnostic & Analysis
- ✅ Identified root cause: Firewall blocking traffic
- ✅ Diagnosed "No route to host" error
- ✅ Created diagnostic scripts
- ✅ Created Omada Controller access scripts
---
## ❌ Remaining Issue
### Firewall Rule Configuration
**Problem**: Omada firewall is blocking traffic from cloudflared container (192.168.11.7) to Blockscout (192.168.11.140:80)

**Error**: `curl: (7) Failed to connect to 192.168.11.140 port 80: No route to host`

**Status**: HTTP 502 Bad Gateway when accessing `https://explorer.d-bis.org`

---
## 🔧 Required Action
### Configure Omada Firewall Rule
**Step 1: Access Omada Cloud Controller**
Option A: Via Cloud Controller (Recommended)
```
URL: https://omada.tplinkcloud.com
Login: Use TP-Link ID credentials (or admin credentials from .env)
```
Option B: Via Local Controller
```
URL: https://192.168.11.8:8043
Login: Use admin credentials from .env (OMADA_ADMIN_USERNAME / OMADA_ADMIN_PASSWORD)
```
Quick access helper:
```bash
bash scripts/access-omada-cloud-controller.sh
```
**Step 2: Navigate to Firewall Rules**
1. Click **Settings** (gear icon)
2. Click **Firewall** in left sidebar
3. Click **Firewall Rules** tab
**Step 3: Create Allow Rule**
Create a new firewall rule with these settings:
```
Name: Allow Internal to Blockscout HTTP
Enable: ✓ Yes
Action: Allow
Direction: Forward
Protocol: TCP
Source IP: 192.168.11.0/24 (or leave blank for "Any")
Source Port: (leave blank for "Any")
Destination IP: 192.168.11.140
Destination Port: 80
Priority: High (must be above any deny rules)
```
**Important**:
- ✅ Ensure the rule has **HIGH priority** (above deny rules)
- ✅ Drag the rule to the top of the list if needed
- ✅ Rules are processed in priority order (high → low)
**Step 4: Save and Apply**
- Click **Save** or **Apply**
- Wait for configuration to apply (may take a few seconds)
---
## 🧪 Verification
After configuring the firewall rule, run:
```bash
# Comprehensive check
bash scripts/complete-blockscout-firewall-fix.sh
# Or manual test
ssh root@192.168.11.10 "ssh pve2 'pct exec 102 -- curl http://192.168.11.140:80/health'"
# Test external access
curl https://explorer.d-bis.org/health
```
**Expected Results:**
- Internal test: HTTP 200 (not "No route to host")
- External test: HTTP 200 (not 502 Bad Gateway)
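
The expected results above can be told apart mechanically from curl's exit code, its stderr text and the HTTP status. The following is an added example, not one of the repository's scripts; `classify_probe` and `probe` are hypothetical helper names, and the verdict labels are chosen here for illustration.

```shell
#!/usr/bin/env bash
# Added example (not a repo script): classify a /health probe result.

# classify_probe <curl_exit_code> <http_status> <curl_stderr>
# Prints one verdict word for the probe.
classify_probe() {
  case "$1" in
    0)
      case "$2" in
        200) echo "OK" ;;
        502) echo "BAD_GATEWAY" ;;  # edge answered, origin not reachable
        *)   echo "HTTP_$2" ;;
      esac ;;
    7)  # curl could not connect; stderr says why (wording varies by curl version)
      case "$3" in
        *"No route to host"*)   echo "NO_ROUTE" ;;   # the error this page reports
        *"Connection refused"*) echo "REFUSED" ;;    # host reached, port closed
        *)                      echo "CONNECT_FAILED" ;;
      esac ;;
    28) echo "TIMEOUT" ;;           # no answer within --max-time
    *)  echo "CURL_ERROR_$1" ;;
  esac
}

# probe <url>: run curl once and print "<verdict> <url>"
probe() {
  local url="$1" errfile code rc
  errfile="$(mktemp)"
  code="$(curl -sS -o /dev/null --max-time 5 -w '%{http_code}' "$url" 2>"$errfile")"
  rc=$?
  echo "$(classify_probe "$rc" "$code" "$(cat "$errfile")") $url"
  rm -f "$errfile"
}

# Probes run only for URLs passed as arguments, e.g.
#   bash probe.sh http://192.168.11.140:80/health https://explorer.d-bis.org/health
for url in "$@"; do probe "$url"; done
```

Run the internal URL from inside the cloudflared container and the external URL from any outside host; `NO_ROUTE` or `BAD_GATEWAY` means the rule is not yet effective.
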
---
## 📊 Current Network Topology
| Component | IP Address | Network | Status |
|-----------|------------|---------|--------|
| Blockscout Container (VMID 5000) | 192.168.11.140 | 192.168.11.0/24 | ✅ Running |
| cloudflared Container (VMID 102) | 192.168.11.7 | 192.168.11.0/24 | ✅ Running |
| ER605 Router (Omada) | 192.168.11.1 | 192.168.11.0/24 | ✅ Running |
**Note**: Both containers are on the same subnet. Traffic should be allowed by default, but an explicit deny rule or restrictive default policy is blocking it.

---
## 📝 Scripts Created
### Diagnostic Scripts
- `scripts/complete-blockscout-firewall-fix.sh` - Comprehensive connectivity check
- `scripts/query-omada-firewall-blockscout-direct.js` - Attempts API query (limited)
### Access Helper Scripts
- `scripts/access-omada-cloud-controller.sh` - Helper for cloud controller access
---
## 📚 Documentation
- `docs/OMADA_CLOUD_ACCESS_SUMMARY.md` - Quick access guide
- `docs/OMADA_CLOUD_CONTROLLER_FIREWALL_GUIDE.md` - Detailed firewall configuration guide
- `docs/OMADA_FIREWALL_BLOCKSCOUT_REVIEW_COMPLETE.md` - Complete analysis
- `docs/BLOCKSCOUT_FIREWALL_FIX_COMPLETE.md` - This document
---
## 🎯 Summary
**Completed**: Infrastructure setup, Cloudflare configuration, diagnostics

**Pending**: Manual firewall rule configuration via Omada Controller web interface

**Next Step**: Access Omada Controller and create the allow rule as specified above

**Expected Outcome**: Blockscout accessible at https://explorer.d-bis.org after firewall rule is configured

---
**Last Updated**: $(date)
**Status**: Ready for manual firewall configuration