Unable to Connect with HTTPS Server behind Merlin Router

[Stach]

I am trying to connect to a web server that is running on my LAN, from the internet. I am running the latest Merlin FW and have forwarded ports 80,443 TCP to my local web server IP. While I can connect to the web server just fine from another PC on the LAN, I get SSL sockets errors when trying from the internet. I also temporarily configured the server to use just standard HTTP (port 80) and confirmed that it worked just as expected from the internet, so the problem appears to be related only to port 443.

I've searched these forums for any tips / solutions, but can't find any helpful posts. Here's how I am currently configured:

• Administrative Local Access is HTTP on port 80
• Enable Web Access from WAN is turned Off
• DMZ is Disabled
• AICloud is turned Off and I even changed the port to 444, even though it is turned Off
• My internet provider does not block either port

Thanks in advance for any help that you can provide, so that I can access my HTTPS server from the internet.
Stach

 

[dave14305]

Does the server running the web server have a firewall that would restrict incoming source IP to the local LAN IP range?

 

[ColinTaylor]

While I can connect to the web server just fine from another PC on the LAN, I get SSL sockets errors when trying from the internet. I also temporarily configured the server to use just standard HTTP (port 80) and confirmed that it worked just as expected from the internet, so the problem appears to be related only to port 443.

I can't remember the specifics (so I'm probably wrong) but isn't this expected behaviour? Something to do with the server's certificate being valid for its LAN IP address but not the router's WAN IP address.

 

[Stach]

Does the server running the web server have a firewall that would restrict incoming source IP to the local LAN IP range?

Thanks for the tip, but I'm positive that traffic is making it from the internet to the webserver on port 80, since if I try just a normal http request, it fails when redirecting to https (ssl error only on port 443).

Any other ideas as https works just fine internally?

 

[Stach]

I can't remember the specifics (so I'm probably wrong) but isn't this expected behaviour? Something to do with the server's certificate being valid for its LAN IP address but not the router's WAN IP address.

That sounds like a possible reason, but I would assume that there's a way around this as well?

 

[ColinTaylor]

That sounds like a possible reason, but I would assume that there's a way around this as well?

Never done it myself. I'm guessing you need to create a certificate linked to your public IP address or hostname (https://letsencrypt.org/) and then import it into your web server (Apache?).

EDIT: https://www.snbforums.com/threads/lets-encript-cert-and-web-server.56487/

 

[Stach]

I don't think that it's the certificate, I think that the port 443 port forward is either being blocked or intercepted by some process within Merlin.

 

[john9527]

I'm guessing you need to create a certificate linked to your public IP address or hostname

The router generated cert will include your DDNS name if you are using the built in DDNS setup.

I think that the port 443 port forward is either being blocked or intercepted by some process within Merlin.

Check under the AiCloud settings. The default port there is 443 and is claimed even if you are not using AiCloud.

 

[Stach]

Check under the AiCloud settings. The default port there is 443 and is claimed even if you are not using AiCloud.

Thanks for the reply, but I've already modified the AiCloud port t0 444 and it didn't help (I haven't tried a reboot).

Are there any command line commands that would help show the issue and lead to a potential fix?

Thanks again,
Stach

 

[dave14305]

I’m not a port forwarder myself, but 2 ideas:

netstat -nlp | grep ":443 "

to see what else is occupying port 443 on the router. Watch for anything listening on 0.0.0.0.

iptables -t nat -nvL VSERVER

to observe hit counts on the forward rules in the firewall.

tcpdump would be my next suggestion.

 

[dosborne]

Enable logging on your web server to see if the intended traffic is making it that far and logging an error.

 

[Stach]

I’m not a port forwarder myself, but 2 ideas:

netstat -nlp | grep ":443 "

to see what else is occupying port 443 on the router. Watch for anything listening on 0.0.0.0.

Thanks for the netstat syntax as that ultimately allowed me to figure it out / remember what I had done. 1-2 years ago I setup my OpenVPN server to use port 443, hoping that port would allow it to work from behind other firewalls better. It didn't fix my access to home from behind the school's firewall, but I left it in place. Once I stopped the OpenVPN server my HTTPS requests were forwarded to my web server. I changed the OpenVPN and that's working on the new port just fine as well.

Thanks again for everyone's help!
Stach