RT2600ac How do I open port 443?

[phil]

I have been futzing around with this for weeks. I'm hoping someone can help.
I am running a VM on my Synology NAS with it's own IP (192.168.0.89). I have configured a port forwarding (443 to 443) rule in my RT2600ac, and let it automatically create the firewall rules. I have my domain name pointed to my home IP and when I hit the domain name, I get the SRM VPN Plus log in page.

Here's what I've tried:
1) Remove VPN Plus: now I just get page not found
2) Forward port 80 as well: no result
3) Move IP to DMZ: port 80 opens (open port checker) but no access

I am beyond frustrated. Seriously thinking I might buy a different router because Synology makes it so hard. Every time I make a change, I check the port status with open port checker and it always stays closed.

Is it just impossible to forward port 443 on RT2600ac?

 

[Rusty]

Is it just impossible to forward port 443 on RT2600ac?

Welcome to the forum, Phil!

Port forward works really well on SRM, so my question is what are you pointing your outside 443 towards the inside of your LAN? What specific device? Is it the NAS, the VM, or something else?

Guessing the end goal here is to point outside traffic toward your content in LAN. Will this be a reverse proxy or some sort of another web server that you have in your VM?

Can you explain in a bit more detail what you are actually trying to achieve here?

 

[phil]

Hi Rusty! Thanks for reaching out!

I have a RT2600ac and a DS918. I am trying to set up a NextCloud/SuiteCRM server in a VM on the NAS. The VM is *mostly* configured (fighting with NGINX and SuiteCRM right now...). I have a Docker container for NextCloud on the NAS already up and functioning.

I'm on a residential Comcast circuit. I have DDNS with GoDaddy configured, and the A name record set on my DNS for both pncholdingsllc.net and *.pncholdingsllc.net. I have a LetsEncrypt SSL wildcard cert already in place. So that's the WAN side.

In the SRM, I have a port forwarding rule for inbound 443 to the IP of the server (the VM, not the NAS). Both the NAS and the VM are on a separate VLAN from my household stuff. It goes through a managed switch that has all the appropriate VLAN tagging, etc. The NAS has both interfaces configured - 1 for each of my VLANs - but the firewall is currently off. The VM has all 80 and 443 inbound traffic allowed.

I had reverse proxy set up on the NAS for the docker container, but it never worked unless I turned off the firewall (SRM and NAS). NGINX on the VM is listening to port 80 and I can get to port 80 on the LAN, but not via the WAN.

I'm stumped. Every time I think I have it...something breaks on its own.

EDIT: I've got to step out this afternoon, so may be later today before I can get back to any more questions.

 

[Rusty]

Ok so 443 port forward is going to the vm nginx as well, on top of 80?

Considering that you are not using the nas reverse proxy (nginx) with port forward and if 80/433 port forward is targeting the VM machine, then any problems might be related on the firewall level.

SRM should put all port forward traffic into firewall rules as well, so my guess would be a firewall nas/vm problem.

Also what kind of OS is that VM?

What kind of error are you getting when trying to access the site from the outside?

 

[phil]

Rusty - I appreciate you.

To answer your questions, the VM is Ubuntu 22.04, and I don't usually get an error. I get presented with a VPN Plus login screen.

Before I go any further wasting your time, I'm going to 1) reset my router to factory config and rebuild it, and 2) blow up the VM and start over.

My router has been acting weird of late, randomly rebooting, etc. Sometimes I'll set a firewall rule and it works, sometimes it doesn't. Same rule, just different outcomes. Devices don't connect, weird stuff. And EVERYONE on the interwebs seems to indicate port forwarding is dead simple and works reliably, but it NEVER has for me, so I'm thinking something is either wrong with my router, or I've changed some setting somewhere in it that I'll never find.

If I go through all that, and still wind up with this problem, I'll reach out. Regardless, I'll update this thread with the outcome.