Omada Firewall Rules Review - Blockscout Tunnel Access
Date: $(date)
Issue: HTTP 502 from Blockscout via Cloudflare Tunnel
Blockscout: 192.168.11.140:80
Tunnel: VMID 102 (cloudflared on 192.168.11.x)
Overview
The Cloudflare tunnel route to Blockscout is configured correctly, but HTTP 502 errors suggest network connectivity issues. This document reviews Omada firewall rules that might be blocking access.
Current Configuration
Blockscout Network
- IP: 192.168.11.140
- Port: 80 (Nginx reverse proxy)
- VLAN: 11 (MGMT-LAN)
- Container: VMID 5000 on pve2 node
Cloudflare Tunnel
- Container: VMID 102 (cloudflared)
- Network: 192.168.11.0/24 (VLAN 11)
- Tunnel Route: explorer.d-bis.org → http://192.168.11.140:80
Firewall Rules Analysis
Default Policy (From ER605 Router Config)
WAN → LAN: Deny (default)
LAN → WAN: Allow (with NAT)
Inter-VLAN: Allow (for routing)
⚠️ Important: The default "WAN → LAN: Deny" policy may affect tunnel traffic depending on how Omada classifies the traffic.
Cloudflare Tunnel Traffic Flow
Internet → Cloudflare Edge → Cloudflare Tunnel (VMID 102) → Blockscout (192.168.11.140:80)
Since cloudflared (VMID 102) initiates the connection to Blockscout, this is LAN → LAN traffic (both on 192.168.11.0/24), which should be allowed by default. Traffic between two hosts on the same subnet is normally switched within the VLAN rather than routed through the ER605, so gateway firewall rules are not expected to apply to it; if something is blocking the path, a switch ACL or a host firewall on the Blockscout container is the more likely place.
Potential Blocking Issues
1. Port 80 Blocking Rules
Check for rules that block port 80:
Rule Type: Deny
Destination Port: 80
Protocol: TCP
Solution: Ensure no deny rules block port 80 for internal traffic.
2. Destination IP Restrictions
Check for rules blocking 192.168.11.140:
Rule Type: Deny
Destination IP: 192.168.11.140
Solution: Verify Blockscout IP is not blocked.
3. Inter-VLAN Routing Issues
If cloudflared and Blockscout are on different VLANs, check inter-VLAN routing rules.
Current Status: Both appear to be on VLAN 11 (192.168.11.0/24), so this should not be an issue.
4. Default Deny Policy Override
If a default deny policy is too restrictive, it may block legitimate internal traffic.
Required Firewall Rules
Rule 1: Allow Cloudflare Tunnel to Blockscout
Name: Allow Cloudflare Tunnel to Blockscout
Enable: ✓
Action: Allow
Direction: Forward
Protocol: TCP
Source IP: 192.168.11.0/24 (or, preferably, the specific cloudflared IP, to keep the rule as narrow as possible)
Destination IP: 192.168.11.140
Destination Port: 80
Priority: High (above deny rules)
Rule 2: Allow Internal Access to Blockscout
Name: Allow Internal to Blockscout HTTP
Enable: ✓
Action: Allow
Direction: Forward
Protocol: TCP
Source IP: 192.168.11.0/24
Destination IP: 192.168.11.140
Destination Port: 80, 4000
Priority: High
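To check the ordering point made in the rules above (an allow rule only takes effect if no deny rule above it matches the same flow), here is an added Python example, not from the project or from the Omada API: it evaluates rule dicts shaped like this document's JSON fragment in first-match order and reports which rule decides the cloudflared → Blockscout flow. The priority semantics (lower number evaluated first), the `srcIp` key and the cloudflared address 192.168.11.102 are assumptions.

```python
import ipaddress

# Assumptions (not verified against Omada): rules are evaluated in ascending
# "priority" order and the first match decides; a missing srcIp/dstIp/dstPort/
# protocol means "any". Rule keys follow the JSON fragment in this document.

def _ip_matches(pattern, ip):
    if pattern in (None, "any"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _port_matches(pattern, port):
    if pattern in (None, "any"):
        return True
    for part in str(pattern).split(","):        # "80, 4000" or "8000-8100"
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, src_ip, dst_ip, dst_port, protocol="tcp"):
    """Return the first enabled rule matching the flow, in priority order."""
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if not rule.get("enable", True):
            continue
        if rule.get("protocol", "any") not in ("any", protocol):
            continue
        if (_ip_matches(rule.get("srcIp"), src_ip)
                and _ip_matches(rule.get("dstIp"), dst_ip)
                and _port_matches(rule.get("dstPort"), dst_port)):
            return rule
    return None

def verdict(rules, src_ip, dst_ip, dst_port, default="allow"):
    """(action, rule name) for the flow; the default applies when nothing matches."""
    rule = first_match(rules, src_ip, dst_ip, dst_port)
    return (rule["action"], rule["name"]) if rule else (default, "default policy")

# Constructed sample rule set: a broad port-80 deny sits above the allow rule.
RULES = [
    {"name": "Block HTTP", "enable": True, "action": "deny", "protocol": "tcp",
     "dstPort": "80", "direction": "forward", "priority": 50},
    {"name": "Allow Cloudflare Tunnel to Blockscout", "enable": True,
     "action": "allow", "protocol": "tcp", "dstIp": "192.168.11.140",
     "dstPort": "80", "direction": "forward", "priority": 100},
]

if __name__ == "__main__":
    # cloudflared (192.168.11.102 is a constructed address) -> Blockscout:80
    print(verdict(RULES, "192.168.11.102", "192.168.11.140", 80))  # shadowed: deny
    RULES[1]["priority"] = 10                                       # move allow above deny
    print(verdict(RULES, "192.168.11.102", "192.168.11.140", 80))  # allow
```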
Verification Steps
1. Check Current Firewall Rules
In Omada Controller:
- Login: https://192.168.11.8:8043 (or your Omada controller URL)
- Navigate to: Settings → Firewall → Firewall Rules
- Review all rules for:
  - Destination IP: 192.168.11.140
  - Destination Port: 80
  - Action: Deny or Block
2. Test Connectivity
```bash
# From cloudflared container (VMID 102)
ssh root@192.168.11.12   # or appropriate node
pct exec 102 -- curl -v http://192.168.11.140:80/health

# From any container on same network
curl -v http://192.168.11.140:80/health
```
3. Check Router Logs
In Omada Controller:
- Navigate to: Statistics → Logs → Firewall Logs
- Filter for:
  - Destination IP: 192.168.11.140
  - Port: 80
  - Action: Deny or Block
Troubleshooting
Issue: HTTP 502 Bad Gateway
Possible Causes (✅ already verified, ⚠️ still to check):
- ✅ DNS configured correctly
- ✅ Tunnel route configured correctly
- ⚠️ Firewall blocking internal traffic
- ⚠️ Blockscout not fully started
Diagnostic Steps
- Test Internal Connectivity:
  ```bash
  # From cloudflared container
  pct exec 102 -- curl http://192.168.11.140:80/health
  # Expected: JSON response or HTTP 200
  # If it fails: firewall or network issue
  ```
- Check Blockscout Status:
  ```bash
  pct exec 5000 -- docker ps | grep blockscout
  pct exec 5000 -- curl http://127.0.0.1:4000/api/v2/status
  ```
- Check Nginx Status:
  ```bash
  pct exec 5000 -- systemctl status nginx
  pct exec 5000 -- curl http://127.0.0.1:80/health
  ```
Recommended Configuration
If Using Omada Controller API
Create/update firewall rules via API or manually:
```json
{
  "name": "Allow Cloudflare Tunnel to Blockscout",
  "enable": true,
  "action": "allow",
  "protocol": "tcp",
  "dstIp": "192.168.11.140",
  "dstPort": "80",
  "direction": "forward",
  "priority": 100
}
```
Manual Configuration Steps
- Login to Omada Controller
- Navigate to: Settings → Firewall → Firewall Rules
- Create New Rule:
- Name: Allow Cloudflare Tunnel to Blockscout
- Action: Allow
- Direction: Forward
- Protocol: TCP
- Destination IP: 192.168.11.140
- Destination Port: 80
- Priority: High (ensure it's above any deny rules)
- Save and Apply
Summary
Key Points:
- Both cloudflared and Blockscout are on VLAN 11 (192.168.11.0/24)
- Default inter-VLAN routing should allow this traffic
- Check for specific deny rules blocking port 80 or destination IP
- Ensure allow rules have higher priority than deny rules
Next Steps:
- Review current Omada firewall rules
- Test internal connectivity (cloudflared → Blockscout)
- Add explicit allow rule if needed
- Verify Blockscout and Nginx are running
Last Updated: $(date)
Status: Review required - check Omada firewall rules for blocks