proxmox/docs/archive/completion/OMADA_FIREWALL_BLOCKSCOUT_REVIEW_COMPLETE.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

Omada Firewall Review - Blockscout Access Analysis

Date: $(date)
Issue: HTTP 502 from Blockscout via Cloudflare Tunnel
Diagnosis: "No route to host" error indicates firewall blocking


🔍 Diagnostic Results

Connection Test

From cloudflared container (VMID 102, IP: 192.168.11.7) to Blockscout:

curl http://192.168.11.140:80/health
# Result: curl: (7) Failed to connect to 192.168.11.140 port 80
# Error: "No route to host"

Analysis:

  • DNS configured correctly (explorer.d-bis.org → CNAME)
  • Tunnel route configured correctly (explorer.d-bis.org → http://192.168.11.140:80)
  • Network connectivity: BLOCKED ("No route to host" error)
  • Root cause: Omada firewall rules blocking traffic

📊 Network Topology

| Component | IP Address | Network | Status |
|---|---|---|---|
| Blockscout Container (VMID 5000) | 192.168.11.140 | 192.168.11.0/24 | Running |
| cloudflared Container (VMID 102) | 192.168.11.7 | 192.168.11.0/24 | Running |
| ER605 Router (Omada) | 192.168.11.1 | 192.168.11.0/24 | Running |

Note: Both containers are on the same subnet, so traffic should be allowed by default unless firewall rules explicitly block it.
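The check below is an added example, not part of the original review. It maps the curl failure quoted above to the layer that most plausibly produced it: "No route to host" is EHOSTUNREACH, which the kernel raises when ARP for 192.168.11.140 never resolves or when an ICMP host-unreachable/admin-prohibited message comes back; a rule that silently drops packets would instead show up as a timeout, and "Connection refused" means the host answered but nothing listens on port 80. The sample curl output is constructed to match the quoted error; the live branch assumes it is run on the Proxmox host where `pct` is available.

```shell
#!/bin/sh
# Added example (not part of the original review document): map a curl failure
# against 192.168.11.140:80 to the network layer that most likely produced it.
# The classification is pure text handling, so it runs offline on sample output.

# classify_curl EXIT_CODE STDERR_LINE
# Prints one of: ok, l2-or-icmp-unreachable, silent-drop, port-closed, unknown
classify_curl() {
    code=$1
    msg=$2
    case "$code" in
        0)  echo ok ;;
        7)
            case "$msg" in
                *"No route to host"*)
                    # EHOSTUNREACH: ARP for the target never resolved, or an
                    # ICMP host-unreachable / admin-prohibited came back.
                    echo l2-or-icmp-unreachable ;;
                *"Connection refused"*)
                    # ECONNREFUSED: the host answered (RST or port-unreachable),
                    # so the path is open and nothing is listening on :80.
                    echo port-closed ;;
                *) echo unknown ;;
            esac ;;
        28)
            # curl timeout: SYN sent, nothing came back. Typical of a DROP rule.
            echo silent-drop ;;
        *)  echo unknown ;;
    esac
}

# next_check CLASS: the check worth running before editing router rules.
next_check() {
    case "$1" in
        ok) echo "none: service reachable" ;;
        l2-or-icmp-unreachable)
            echo "pct exec 102 -- ip neigh show 192.168.11.140: FAILED/INCOMPLETE means target down, wrong VLAN/IP or an L2 ACL; REACHABLE means a host-side REJECT (check pve-firewall status)" ;;
        silent-drop) echo "review Omada forward/ACL rules for a DROP matching 192.168.11.140:80" ;;
        port-closed) echo "pct exec 5000 -- ss -ltn (is Blockscout listening on :80?)" ;;
        *) echo "rerun curl with -v to capture the full error" ;;
    esac
}

# Constructed sample: the exact failure quoted in the review above.
SAMPLE_CODE=7
SAMPLE_MSG='curl: (7) Failed to connect to 192.168.11.140 port 80: No route to host'

# Live probe (only meaningful on the Proxmox host): ./diag.sh run
if [ "${1:-}" = run ]; then
    out=$(pct exec 102 -- curl -sS --max-time 5 -o /dev/null http://192.168.11.140:80/health 2>&1)
    rc=$?
    cls=$(classify_curl "$rc" "$out")
    echo "curl exit $rc -> $cls; next: $(next_check "$cls")"
else
    cls=$(classify_curl "$SAMPLE_CODE" "$SAMPLE_MSG")
    echo "sample -> $cls; next: $(next_check "$cls")"
fi
```

Running it without arguments classifies the constructed sample; `run` performs the real probe from the cloudflared container. The point of the ARP follow-up is that both containers sit on 192.168.11.0/24, so a failed neighbour entry implicates something at layer 2 or the Proxmox host, while a resolved entry combined with EHOSTUNREACH points at a rejecting host firewall rather than a silently dropping router rule.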


🔧 Manual Firewall Check Required

The Omada Controller API doesn't expose firewall rules via standard endpoints, so a manual check is required:

Step 1: Login to Omada Controller

URL: https://192.168.11.8:8043

Credentials: Check the .env file for:

  • OMADA_ADMIN_USERNAME (or OMADA_API_KEY)
  • OMADA_ADMIN_PASSWORD (or OMADA_API_SECRET)

Step 2: Navigate to Firewall Rules

  1. Click Settings (gear icon) in top-right
  2. Click Firewall in left sidebar
  3. Click Firewall Rules tab

Step 3: Check for Blocking Rules

Search for rules matching these criteria:

A. Destination IP Rules

  • Any rule with Destination IP = 192.168.11.140
  • Any rule with Destination IP = 192.168.11.0/24 and Action = Deny

B. Port 80 Rules

  • Any rule with Destination Port = 80 and Action = Deny
  • Any rule with Destination Port = all and Action = Deny

C. Default Deny Policies

  • Check bottom of rule list for default deny rules
  • Check for catch-all deny rules

Step 4: Review Rule Priority

Important: Rules are processed in priority order (high → low).

  • Allow rules must be ABOVE deny rules
  • If deny rules have higher priority than allow rules, traffic will be blocked

Required Firewall Rule

If no allow rule exists for Blockscout, create one:

Rule Configuration

Name: Allow Internal to Blockscout HTTP
Enable: ✓ Yes
Action: Allow
Direction: Forward
Protocol: TCP
Source IP: 192.168.11.0/24 (or leave blank for "Any")
Source Port: (leave blank for "Any")
Destination IP: 192.168.11.140
Destination Port: 80
Priority: High (must be above any deny rules)

Steps to Create Rule

  1. Click Add or Create Rule button
  2. Fill in the configuration above
  3. Set Priority: Drag rule to top of list, or set priority value higher than deny rules
  4. Click Save or Apply
  5. Wait for configuration to apply to router

📋 Troubleshooting Checklist

  • Login to Omada Controller (https://192.168.11.8:8043)
  • Navigate to Settings → Firewall → Firewall Rules
  • Check for deny rules blocking 192.168.11.140:80
  • Check rule priority order (allow rules above deny rules)
  • Create allow rule if missing
  • Set allow rule priority HIGH (above deny rules)
  • Save/apply configuration
  • Test connectivity: curl http://192.168.11.140:80/health from cloudflared container

🔍 Expected Behavior

Before Fix

# From cloudflared container (VMID 102)
pct exec 102 -- curl http://192.168.11.140:80/health
# Result: curl: (7) Failed to connect... No route to host

After Fix

# From cloudflared container (VMID 102)
pct exec 102 -- curl http://192.168.11.140:80/health
# Expected: HTTP 200 with JSON response
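As an added example (not from the original document), the script below turns the before/after check into a repeatable verification that also records the ARP state of 192.168.11.140 as seen from the cloudflared container, so a post-change failure can be attributed to layer 2 versus something above it. It assumes it runs on the Proxmox host where `pct` is available; the `ip neigh` lines shown in the comments are constructed samples of that command's output, and the parsing helpers are pure so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original document): before/after verification of
# the cloudflared -> Blockscout path, run on the Proxmox host where `pct` exists.

SRC_CT=102                 # cloudflared container (VMID 102, 192.168.11.7)
DST_IP=192.168.11.140      # Blockscout container (VMID 5000)
DST_PORT=80

# neigh_state LINE: extract the neighbour (NUD) state from an `ip neigh show` line.
# Constructed examples of that output:
#   "192.168.11.140 dev eth0 lladdr 02:00:00:aa:bb:cc REACHABLE"
#   "192.168.11.140 dev eth0  FAILED"
# Prints the last field, or "none" when there is no entry at all.
neigh_state() {
    line=$1
    [ -n "$line" ] || { echo none; return; }
    echo "${line##* }"
}

# http_ok CODE: 0 for any 2xx status, 1 otherwise ("000" means no HTTP reply).
http_ok() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict NEIGH_STATE HTTP_CODE: one-line diagnosis combining the two checks.
verdict() {
    if http_ok "$2"; then
        echo "PASS: HTTP $2 from $DST_IP:$DST_PORT"
    elif [ "$1" = FAILED ] || [ "$1" = INCOMPLETE ] || [ "$1" = none ]; then
        echo "FAIL: no ARP entry for $DST_IP (state $1); target down, wrong VLAN/IP, or L2 ACL"
    else
        echo "FAIL: ARP $1 but HTTP $2; blocked above L2 (host firewall, router rule, or service not listening)"
    fi
}

# Live run on the Proxmox host: ./verify.sh run
if [ "${1:-}" = run ]; then
    # One ping populates the neighbour table even if ICMP is filtered.
    pct exec "$SRC_CT" -- ping -c1 -W1 "$DST_IP" >/dev/null 2>&1 || true
    nline=$(pct exec "$SRC_CT" -- ip neigh show "$DST_IP" 2>/dev/null)
    code=$(pct exec "$SRC_CT" -- curl -s --max-time 5 -o /dev/null -w '%{http_code}' \
            "http://$DST_IP:$DST_PORT/health" 2>/dev/null)
    [ -n "$code" ] || code=000
    verdict "$(neigh_state "$nline")" "$code"
fi
```

Run it once before and once after applying the rule; a PASS line after the change confirms the fix end to end. If the allow rule is created, scoping its Source IP to the cloudflared container (192.168.11.7) rather than the whole 192.168.11.0/24 or "Any" keeps the exposure of Blockscout's port 80 to the one host that needs it.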

📝 Summary

Root Cause: Omada firewall rules are blocking traffic from cloudflared (192.168.11.7) to Blockscout (192.168.11.140:80).

Solution: Add explicit allow rule in Omada Controller firewall with high priority (above deny rules).

Action: Manual configuration required via Omada Controller web interface.


Last Updated: $(date)
Status: Manual firewall rule configuration required