nginx: SSL only works through LAN but not through WIFI

I am new here

I have a reverse proxy on my network that I can access from inside and outside without problems, but when SSL is enabled I cannot access my website through WIFI inside the network; it only works through LAN, through 5GHz WIFI or from outside my network.

On the router I enabled forwarding of ports 80 and 443.

There are no iptables rules set up.

Maybe the ISP router fails?

Here is my nginx conf:

server {
    server_name my.domain.com;
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://my.domain.com/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = my.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name my.domain.com;
    listen 80;
    return 404; # managed by Certbot
}

and curl output from 2.4GHz WIFI within the network:

curl -v https://my.domain.com
*   Trying my_public_ip:443...
* TCP_NODELAY set
* Connected to my.domain.com (my_public_ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ..\curl-7.65.2-win64-mingw\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.domain.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.domain.com:443

The same PC on the same network, but over LAN or 5GHz WIFI:

curl -v https://my.domain.com
*   Trying my_public_ip:443...
* TCP_NODELAY set
* Connected to my.domain.com (my_public_ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ..\curl-7.65.2-win64-mingw\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=my.domain.com
*  start date: Jul 16 20:39:18 2019 GMT
*  expire date: Oct 14 20:39:18 2019 GMT
*  subjectAltName: host "my.domain.com" matched cert's "my.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: my.domain.com
> User-Agent: curl/7.65.2
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.16.0
< Date: Wed, 17 Jul 2019 16:31:42 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 110
< Connection: keep-alive
< Cache-Control: no-cache
< Location: http://my.domain.com/users/sign_in
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: u6ys8dfF7t
< X-Runtime: 0.035204
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Referrer-Policy: strict-origin-when-cross-origin
<
You are being redirected.* Connection #0 to host my.domain.com left intact

I have no idea what I'm doing wrong.

Ruby on Rails: port 3000 cannot be accessed on the LAN

I'm on Ubuntu 16.0, running Ruby on Rails with the WEBrick server as:
[screenshot]

I have opened the ports as:
[screenshot]

To open the port I used the ufw command:
sudo ufw allow 3000/tcp
My LAN IP is:
[screenshot]

But if I access port 3000 from another system on the same LAN, it shows that the site cannot be reached. I access my website as:
192.168.2.100:3000
I can, however, access the Apache that runs on port 80.
So, can I access the application that runs on port 3000? If yes, please suggest what should be done. Thanks in advance.

Docker and NAT to LAN on the same machine using iptables

I have been using iptables on my lab server (Ubuntu 18.04) to perform NAT on the rest of the devices in my network for a while:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past, it has worked very well. However, it broke when I installed Docker. This is almost certainly because Docker rewrote all my iptables rules. By default, some of my rules survive:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6  1384 DNAT       tcp  --  eno1   any     anywhere             anywhere             tcp dpt:telnet to:10.0.1.2:22
  133  8676 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere
    0     0 MASQUERADE  all  --  any    !br-643d6580203c  172.18.0.0/16        anywhere
   39  2900 MASQUERADE  all  --  any    eno1    anywhere             anywhere
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    0     0 RETURN     all  --  br-643d6580203c any     anywhere             anywhere
    0     0 DNAT       tcp  --  !br-643d6580203c any     anywhere             anywhere             tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    br-643d6580203c  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6  1384 ACCEPT     tcp  --  any    any     anywhere             dione                tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-643d6580203c br-643d6580203c  anywhere             172.18.0.2           tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Static routes, for example, still work. I can still access my workstation at 10.0.1.2 through port 22, but that same machine cannot get out. Looking at the traffic that leaves the server, it seems that a ping is not even making it out, much less back.

I tried to simply add my rules back at the top with Docker running, but that did not work. The Docker documentation suggests putting things in the DOCKER-USER chain, although that does not exist in the nat table. The Docker documentation also suggests that I can disable Docker's table manipulation, although I do not know how to manually route the network to the containers.

Honestly, I do not know enough about Docker's rules. Has anyone done this work?
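As an added example (not from the post), a small Python audit that parses `iptables -v -L` output like the listing above and reports custom FORWARD rules that sit outside DOCKER-USER, plus custom rules whose packet counter is zero. The sample input is constructed from the post's listing, and the test for "Docker's own rule" (a DOCKER* target or a docker0/br-* interface) is an assumed heuristic.

```python
import re
from collections import namedtuple

# Constructed sample, abbreviated from the `iptables -v -L` listing in the post.
SAMPLE = """\
Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6  1384 ACCEPT     tcp  --  any    any     anywhere             dione                tcp dpt:ssh

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)$")
DOCKER_IF = re.compile(r"^!?(docker0|br-[0-9a-f]+)$")   # assumption: Docker bridge names
Rule = namedtuple("Rule", "pkts target prot in_if out_if source dest extra")

def parse_iptables(text):
    """Parse `iptables -v -L` output into {chain: {"policy": str or None, "rules": [Rule]}}."""
    chains, rules = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            rules = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})["rules"]
        elif line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split(None, 9)   # pkts bytes target prot opt in out source destination [extra]
            rules.append(Rule(int(f[0]), f[2], f[3], f[5], f[6], f[7], f[8], f[9] if len(f) > 9 else ""))
    return chains

def is_docker_rule(r):
    """Heuristic (assumption): Docker's rules jump to a DOCKER* chain or touch one of its bridges."""
    return r.target.startswith("DOCKER") or bool(DOCKER_IF.match(r.in_if) or DOCKER_IF.match(r.out_if))

def misplaced_forward_rules(chains):
    """Custom rules placed directly in FORWARD. Docker re-inserts its own jumps at the top of
    FORWARD when it (re)starts, so hand-added rules there end up behind them; DOCKER-USER runs first."""
    return [r for r in chains.get("FORWARD", {"rules": []})["rules"] if not is_docker_rule(r)]

def idle_custom_rules(chains):
    """Custom rules with a zero packet counter: the first place to look when traffic is dropped."""
    return [(name, r) for name, c in chains.items() for r in c["rules"]
            if r.pkts == 0 and not is_docker_rule(r)]

if __name__ == "__main__":
    chains = parse_iptables(SAMPLE)
    print("FORWARD policy:", chains["FORWARD"]["policy"])
    for r in misplaced_forward_rules(chains):
        print("in FORWARD, not DOCKER-USER:", r.target, r.in_if, r.out_if, r.source, r.dest, r.extra)
    for name, r in idle_custom_rules(chains):
        print("zero hits:", name, r.target, r.in_if, r.out_if, r.extra)
```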

Is it safer to isolate the LAN server?

At the moment, my LAN configuration looks like this:

Current configuration

[image]

Is it safer as in the second image? With different IP subnets, of course!

Virtual machines: 4 PCs on the LAN (with Internet access) + 1 VM on the same LAN with Internet access

Today I faced a problem with the configuration of a "workplace" with 4 PCs and a virtual machine hosted on one of the PCs.

I managed to get the PCs connected through the switch onto the same LAN, and after some adjustments I also managed to provide an Internet connection: one of the 4 PCs has a modem connected (via USB), which it sees as an Ethernet connection, and I had to share that Internet with the rest of the computers. After these steps, everything worked fine: all PCs could ping each other, and the PCs without the mobile modem also had a real connection to the Internet.

The problem arose when I was supposed to connect a "PC-like" machine using Hyper-V with a virtual Windows Server 2016 in it. I could not make it work. I mean, I could connect over the Internet from the host to the Windows Server VM, but its IP address had to be configured automatically, because when I tried to configure it manually (to get the VM working on the same LAN where all 4 PCs were already working), it simply lost its real connection to the network and the rest of the PCs (apart from the host PC) could not ping the VM, since it was not on the same LAN.

I have two ways to make a virtual network in Hyper-V: one is to turn the mobile modem connected to one of the PCs (the host) into a virtual switch, the other is to try to establish a virtual Ethernet connection like the one the other 3 PCs use (through the switch), but I could not make it work in either case.

Scheme

I have made a simplified representation of how it looks. PC4 has a mobile network with an Internet connection. The 4 PCs are connected through a switch and are on the same LAN (Ethernet1) and, in addition, get Internet from PC4 (thanks to the mobile modem, called Ethernet2). Now I launched a VM in Hyper-V on PC4: it needs to get Internet access itself and still be on the same LAN as the rest of the PCs (it should act as PC5, for example). In Hyper-V I have two options: make a virtual switch with Ethernet1 (LAN) or with Ethernet2 (Modem), but I cannot make either of them work. So maybe someone could at least give an idea of how the IPs and gateways should be configured, or what exact configuration should be done in Hyper-V. I'm sorry to be such a newbie, but it's really my first attempt at something like this; I've never done it before.

Networking: Does the computer know that it is visiting itself if I visit its assigned LAN IP?

Suppose that the IP of Google's HTTP server is 111.111.111.111, and my computer has this same IP assigned within a LAN.

I know that if I visit localhost, the computer knows that it is visiting itself, and probably will not ask the router/gateway, I think?

But what will happen if I visit the LAN IP assigned by the network administrator, compared to visiting localhost?

Will the router/gateway be asked who, for example, 111.111.111.111 is? And could the router cheat, telling me that 111.111.111.111 is outside the LAN and sending me to look for it there? More precisely, can the LAN router NAT 111.111.111.111 to the public 111.111.111.111?

I'm asking this because I think my ISP gives me a public IP as a LAN IP (it is less likely that I really connect to that public IP), so I want to know the details of what I described above and whether what I ask is feasible.

Thanks in advance.

Sharing the Internet from Android to PC through LAN

Is it possible to share my mobile connection to the PC through the LAN cable?

Any help would be appreciated.

Networking: cannot communicate on the LAN when the WIFI has no Internet

This refers to a smartphone with data.

My phone is connected to my WIFI, which currently has no Internet. It is also connected to the cellular network and is using it for data. When I check the configuration, it tells me that I am connected to wlan with 192.168.1.4 and to rmnet with 10.124.121.12. I am trying to ping a device at 192.168.1.55.

If I turn off my cellular network I can ping it fine. With my cellular network on, it is unreachable.

How do I get my Android to let me ping 192.168.1.55 while I'm on the cellular network? I've only noticed this since the Internet went out on my WIFI, so it's a strange and new problem.

Networking: LAN-to-WAN traffic between two routers

In a network with 2 routers connected like this:

Router_1 => Main router
Router_2 => LAN to WAN (Router_1> Router_2)

What is the correlation between network traffic on both routers?

Since in this configuration everything behind Router_2 is treated as an external network, can Router_2 see the traffic inside Router_1?

If I understand it correctly, Router_1 can see both Router_2's packets and its own, while Router_2 can only see its own.

Windows 7: How can I prevent my computer from waking up accidentally while keeping Wake-on-LAN enabled?

My wireless network card can wake my computer with just a magic packet. This was set up in Device Manager, for the purpose of using TeamViewer remotely.
However, the problem I have is that after putting the computer to sleep, it wakes up again approximately 5 minutes later. I did not send a signal to do this through TeamViewer or any other software.

At the command prompt, powercfg -lastwake reveals that it is the network card that is causing the wake-up.
Is there a way to find out why my network card is receiving a wake signal, even though I never sent one? Thank you.