Proper way to expose services to the internet with Asus Merlin?

GuardYaGrill
This may sound like a dumb question; however, I have a small server on my network running Proxmox and the Docker Engine with PiHole, Invidious, SearX and a couple more services, all reverse proxied with SSL production certs via Traefik. I've been wanting to properly expose these services to the internet, or at minimum to my work/friends' networks. My issue is that any and all attempts I make never seem to work and usually kill my network. In the current "working" state my services are only available locally or through WireGuard. I have two port forwarding rules for 80:80 & 443:443. I tried fiddling around with DMZ and firewall rules to see if my domain is exposed; however, I have made no progress with them. I keep looping back through Asus documentation to find the correct answer but keep coming up short.

Note: I have one friend who also has an Asus WRT router running Merlin software, and we tried tunneling our two routers together using VPN Director. Weirdly enough, his router is unable to resolve my domain, but when he takes that exact same config and uses it directly on his devices it has no issues resolving.

Someone who is more experienced than I am, please chime in; I would greatly appreciate it!

Some images that I hope help:
[five screenshots attached]
 
Your images are too small to read.

If you are running any VPN clients on the router turn them off while testing.

Check the access logs on your LAN servers to see if the incoming traffic is getting that far.
 
I have a small server on my network running Proxmox and the Docker Engine with PiHole, Invidious, SearX and a couple more services, all reverse proxied with SSL production certs via Traefik.
If the server has a firewall, have you checked that firewall to ensure it can accept the WAN/internet-side traffic? You may have to port forward or properly configure the Docker clients to accept traffic through the server firewall. Is the server firewall configured to only allow traffic from specific IP address subnets?
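The two questions in the post above (is the service actually listening on an address the router can reach, and does the server-side firewall restrict sources?) can be answered mechanically on the Debian VM. The script below is an added example, not code from this thread or from Asuswrt-Merlin; it assumes the standard output formats of `ss -Hltn` and `iptables -S DOCKER-USER`, and the interface name `ens18` and the TEST-NET addresses in the constructed samples are placeholders. It inspects `DOCKER-USER` rather than the host `INPUT` chain because Docker publishes container ports through the `FORWARD` chain, so host-level `INPUT` rules (ufw and friends) do not gate them.

```sh
#!/bin/sh
# Added example, not code from the thread: run on the Debian VM that hosts
# Docker/Traefik. Assumes the standard output formats of `ss -Hltn` and
# `iptables -S DOCKER-USER`. Docker publishes ports via the FORWARD chain, so
# host INPUT rules do not gate them; DOCKER-USER is the chain Docker leaves
# for the administrator, which is why it is the one inspected here.

# listening_on PORT: reads `ss -Hltn` output on stdin, succeeds when a socket
# bound to all addresses (0.0.0.0, *, or [::]) listens on PORT. A Traefik
# bound only to 127.0.0.1 or a bridge IP never sees the router's forwards.
listening_on() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "*" || host == "[::]")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# docker_user_policy: reads `iptables -S DOCKER-USER` output on stdin, prints
#   allow-from <cidr...>  ACCEPT rules for listed sources plus a catch-all DROP
#   drop-all              a source-less DROP with no ACCEPT exceptions
#   open                  only the default RETURN (ACCEPT rules without a
#                         final DROP also land here: they restrict nothing)
docker_user_policy() {
    awk '
        /^-A DOCKER-USER/ {
            src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && src != "") allowed = allowed (allowed == "" ? "" : " ") src
            else if (target == "DROP" && src == "") dropall = 1
        }
        END {
            if (dropall && allowed != "") print "allow-from " allowed
            else if (dropall) print "drop-all"
            else print "open"
        }'
}

# main: live check with the real tools (needs root for iptables).
main() {
    for port in 80 443; do
        if ss -Hltn | listening_on "$port"; then
            echo "tcp/$port: listening on all addresses"
        else
            echo "tcp/$port: NOT listening on a WAN-reachable address"
        fi
    done
    echo "DOCKER-USER policy: $(iptables -S DOCKER-USER 2>/dev/null | docker_user_policy)"
}

# Constructed samples (not real output from the OP's box) so the parsers can be
# exercised without root: Traefik on 443 and 80 for all addresses, a dashboard
# only on loopback, and a DOCKER-USER allowlist for two TEST-NET sources on ens18.
SS_SAMPLE='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*'
IPT_SAMPLE='-N DOCKER-USER
-A DOCKER-USER -i ens18 -s 203.0.113.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A DOCKER-USER -i ens18 -s 198.51.100.7/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A DOCKER-USER -i ens18 -p tcp -m multiport --dports 80,443 -j DROP
-A DOCKER-USER -j RETURN'
IPT_OPEN='-N DOCKER-USER
-A DOCKER-USER -j RETURN'

if command -v ss >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    main
fi
```

If `listening_on` fails for 443 while the service works over WireGuard, Traefik is bound to the VPN or bridge address only; if `docker_user_policy` prints `allow-from ...` without your LTE address range in it, the server, not the router, is what refuses the visitor.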
 
If the server has a firewall, have you checked that firewall to ensure it can accept the WAN/internet-side traffic? You may have to port forward or properly configure the Docker clients to accept traffic through the server firewall. Is the server firewall configured to only allow traffic from specific IP address subnets?

Honestly, not even sure; I guess I have to start digging to see where Debian (the VM that runs my containers) keeps its firewall-related settings. The reason I believe it's the router is that when I watch the system log and, on another device via LTE, refresh the website, I see dropped connections from "src=0.0.0.0".


Code:
Feb 15 09:26:44 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000
Feb 15 09:26:48 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000

Routing Table may help here?
[screenshot of routing table attached]
 
Note that most ISPs filter traffic on TCP/80 and TCP/443 for typical customer accounts.
I want to assume this as well; however, shouldn't that cause a conflict with Let's Encrypt? For me to receive production certificates for my domain/website, ports 80:80 and 443:443 are forwarded on my router.
 
Honestly, not even sure; I guess I have to start digging to see where Debian (the VM that runs my containers) keeps its firewall-related settings. The thing that makes me think it's my router is it dropping connections whenever I refresh the website, claiming the source is 0.0.0.0.


Code:
Feb 15 09:26:44 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000
Feb 15 09:26:48 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000
That is DHCP broadcast traffic on your ISP's local network. Nothing to see there.

As suggested above, your problem is likely related to a firewall or some other access restriction on your local server machine.

Routing Table may help here?
See my post #2 about turning off your VPN client.
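The DROP lines quoted in this exchange are easy to misread, so here is an added example (not code from the thread or from Asuswrt-Merlin) that sorts the router's kernel DROP lines into DHCP chatter versus dropped inbound connections to a forwarded port. It relies only on the standard netfilter LOG fields (`IN=`, `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`). The port list, the syslog path (`/tmp/syslog.log` is where Asuswrt-Merlin keeps its system log) and the third sample line with TEST-NET addresses are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: sort the router's kernel DROP lines
# so that the ISP-segment DHCP chatter quoted above (SRC=0.0.0.0 ->
# 255.255.255.255, UDP 68 -> 67) is not mistaken for a refused visitor.
# WAN_PORTS (ports the router forwards to the server) and SYSLOG are assumptions;
# /tmp/syslog.log is the Asuswrt-Merlin system log location.
WAN_PORTS="${WAN_PORTS:-80 443}"
SYSLOG="${SYSLOG:-/tmp/syslog.log}"

# classify_drops: reads DROP lines on stdin, prints "<class> <src> <dst> <proto> <dpt>"
#   dhcp-broadcast  harmless DHCP traffic on the ISP's local segment
#   forwarded-port  inbound TCP to a forwarded port was dropped on the WAN side,
#                   i.e. the router itself is refusing the connection
#   other           scans, stray UDP, anything else
classify_drops() {
    awk -v ports="$WAN_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) fwd[p[i]] = 1 }
        / DROP / {
            split("", f)
            for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            if (f["SRC"] == "0.0.0.0" && f["DST"] == "255.255.255.255" &&
                f["PROTO"] == "UDP" && f["SPT"] == "68" && f["DPT"] == "67")
                cls = "dhcp-broadcast"
            else if (f["PROTO"] == "TCP" && (f["DPT"] in fwd))
                cls = "forwarded-port"
            else
                cls = "other"
            print cls, f["SRC"], f["DST"], f["PROTO"], f["DPT"]
        }'
}

# summarize_drops: one "class count" line per class, sorted by class name.
summarize_drops() {
    classify_drops | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample: the two DHCP lines quoted in the thread plus one made-up
# dropped TCP SYN to 443 from a TEST-NET address, which is what a refused LTE
# visitor would look like if the router were the culprit.
SAMPLE_LOG='Feb 15 09:26:44 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000
Feb 15 09:26:48 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:35:1d:a1:9e:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 MARK=0x8000000
Feb 15 09:27:03 kernel: DROP IN=eth0 OUT= MAC=d4:35:1d:a1:9e:7b:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000'

if [ -r "$SYSLOG" ]; then
    summarize_drops < "$SYSLOG"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

Run it on the router over SSH while refreshing the site from LTE: if only `dhcp-broadcast` shows up, the router accepted the SYN and the fault is further in (VPN client policy routing or the server firewall); a `forwarded-port` line with your phone's public address means the port forward or firewall rule on the router is what drops it.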

I want to assume this as well; however, shouldn't that cause a conflict with Let's Encrypt? For me to receive production certificates for my domain/website, ports 80:80 and 443:443 are forwarded on my router.
Most ISPs don't filter TCP 80 or 443. If they did they'd get complaints from their customers that they can't remotely access things like security cameras, home automation systems, VPN servers, etc.
 
Most ISPs don't filter TCP 80 or 443. If they did they'd get complaints from their customers that they can't remotely access things like security cameras, home automation systems, VPN servers, etc.

Many ISPs don't support server-side things for consumer accounts, mostly due to security and mitigation of malware botnets. Moving ports from 80/443 over to 8080/8443 is a thing they allow.

And they give zero-f**ks about home security cameras, automation, and especially VPN servers over IPv4.

I'm still surprised that my ISP blocks 80/443, but they still allow 22/TCP; but that's OK.

What's interesting is that I'm dual-stack - so services fairly align across IPv4 and IPv6, which is nice as my IPv4 WAN side is still public...
 
Many ISPs don't support server-side things for consumer accounts, mostly due to security and mitigation of malware botnets. Moving ports from 80/443 over to 8080/8443 is a thing they allow.
Maybe in your part of the world they block 80/443 but I've never come across it myself or heard of anybody else that has. Although I'd imagine that might be the case for the cellular/satellite/WISP type of services. Anyway, the OP has confirmed that is not the problem here.
 
Maybe in your part of the world they block 80/443 but I've never come across it myself or heard of anybody else that has. Although I'd imagine that might be the case for the cellular/satellite/WISP type of services.

Common practice in the US for consumer accounts, mostly for security.

Business accounts are different; there, ports are typically not filtered, and most can provide static IPv4 and stable IPv6, usually with at least a /48 prefix delegation.

Mobile is typically filtered on all ports unless one pays for a business account (the typical use case is failover/fallback as a backup to a cable/xDSL/fiber primary).
 
Maybe in your part of the world they block 80/443 but I've never come across it myself or heard of anybody else that has.
80 and 443 are reachable via my Xfinity Home Internet service when opened on the router. They have a good portion of the US consumer internet market.
 
