Reaching Container from internet - Tcp handshake not working - TCP Retransmission

Phuket My Mac

Aug 4, 2019
Hi,

I have created a test Web Server on a freshly installed Debian container, unprivileged one.
I have set up my firewall rules on my router to redirect http requests from the internet to my Web Server container which is using Nginx.
I can see the requests coming but the ACK is not sent back somehow (as can be seen below...)

If trying to access the Web Server from the LAN network, it works and I am getting the Nginx default webpage.

I have already restarted the VM, host and disabled the "firewall" on the VM on it but it didn't help.
It's definitely a network issue as I've also tried routing the SSH port from the outside to my VM and same thing is happening, so not related to Nginx.

I have another Ubuntu unprivileged container on the same host running a Ubiquiti controller and the requests sent from the internet to port 7443 are working fine.
I can access my NVR from the outside with no issue.

What could I be missing?

root@WebServer:~# tshark -i eth0 'tcp port 80'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'

1 0.000000000 XXX.XXX.XXX.XXX → 10.0.2.251 TCP 66 5889 → 80 [SYN] Seq=0 Win=4200 Len=0 MSS=1400 WS=16 SACK_PERM=1
2 0.000045510 10.0.2.251 → XXX.XXX.XXX.XXX TCP 66 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 1.023869390 10.0.2.251 → XXX.XXX.XXX.XXX TCP 66 [TCP Retransmission] 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
4 2.999228795 XXX.XXX.XXX.XXX → 10.0.2.251 TCP 66 [TCP Retransmission] 5889 → 80 [SYN] Seq=0 Win=4200 Len=0 MSS=1400 WS=16 SACK_PERM=1
5 2.999263818 10.0.2.251 → XXX.XXX.XXX.XXX TCP 66 [TCP Retransmission] 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
6 5.023860819 10.0.2.251 → XXX.XXX.XXX.XXX TCP 66 [TCP Retransmission] 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
7 5.998972742 XXX.XXX.XXX.XXX → 10.0.2.251 TCP 66 [TCP Retransmission] 5889 → 80 [SYN] Seq=0 Win=4200 Len=0 MSS=1400 WS=16 SACK_PERM=1
8 5.999007558 10.0.2.251 → XXX.XXX.XXX.XXX TCP 66 [TCP Retransmission] 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
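The capture above shows the classic one-way-NAT signature: the container answers every SYN with a SYN-ACK, keeps retransmitting it, and never sees the client's final ACK. The script below is an added example (not from the poster or the Proxmox project) that reads tshark summary lines of this shape and lists the client endpoints whose handshake never completed, so the same symptom can be spotted quickly in a longer capture taken on the container or on the host bridge. The sample lines are constructed to mirror the thread's capture, with 203.0.113.10 standing in for the redacted public address and a second, LAN-side handshake that does complete for contrast.

```python
"""Flag half-open TCP handshakes in a tshark summary capture.

Added example, not part of the forum post. It parses the kind of
tshark one-line output shown in the thread and reports client
endpoints whose SYN-ACK was sent (possibly several times) but never
answered with an ACK, the symptom of NAT or return routing that only
works in one direction.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's capture; 203.0.113.10 is a
# documentation address standing in for the redacted public client, and
# 10.0.2.50 is an assumed LAN client whose handshake completes normally.
SAMPLE = """\
1 0.000000000 203.0.113.10 → 10.0.2.251 TCP 66 5889 → 80 [SYN] Seq=0 Win=4200 Len=0 MSS=1400 WS=16 SACK_PERM=1
2 0.000045510 10.0.2.251 → 203.0.113.10 TCP 66 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 1.023869390 10.0.2.251 → 203.0.113.10 TCP 66 [TCP Retransmission] 80 → 5889 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
4 2.999228795 203.0.113.10 → 10.0.2.251 TCP 66 [TCP Retransmission] 5889 → 80 [SYN] Seq=0 Win=4200 Len=0
5 0.000000000 10.0.2.50 → 10.0.2.251 TCP 74 40000 → 80 [SYN] Seq=0 Win=64240 Len=0
6 0.000030000 10.0.2.251 → 10.0.2.50 TCP 74 80 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
7 0.000060000 10.0.2.50 → 10.0.2.251 TCP 66 40000 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
"""

# One tshark summary line: number, time, src → dst, proto, length,
# optional "[TCP Retransmission]" tag, sport → dport, then the flag list.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def parse(text):
    """Yield (src, sport, dst, dport, flags, retransmitted) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip tshark banner lines and anything not matching
        flags = {f.strip() for f in m["flags"].split(",")}
        yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), flags,
               "[TCP Retransmission]" in line)


def handshake_report(text, server_port=80):
    """Track SYN / SYN-ACK / ACK counts per client endpoint talking to server_port."""
    state = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": False})
    for src, sport, dst, dport, flags, _ in parse(text):
        if dport == server_port and flags == {"SYN"}:
            state[(src, sport)]["syn"] += 1          # client opened (or re-opened) the connection
        elif sport == server_port and flags == {"SYN", "ACK"}:
            state[(dst, dport)]["synack"] += 1       # server answered; retransmissions also count
        elif dport == server_port and "ACK" in flags and "SYN" not in flags:
            state[(src, sport)]["ack"] = True        # any client segment carrying ACK completes it
    return dict(state)


def half_open(text, server_port=80):
    """Client endpoints that received a SYN-ACK but never acknowledged it."""
    return sorted(client for client, s in handshake_report(text, server_port).items()
                  if s["synack"] and not s["ack"])


if __name__ == "__main__":
    for client, s in handshake_report(SAMPLE).items():
        status = "OK" if s["ack"] else "HALF-OPEN (SYN-ACK never acknowledged)"
        print(f"{client[0]}:{client[1]} syn={s['syn']} synack={s['synack']} {status}")
```

Run it against `tshark -i eth0 'tcp port 80'` output saved to a file (or piped in) from both the container and the host bridge, as the reply below suggests: if the half-open entries appear in both captures the SYN-ACK is leaving the host and the return path is being dropped upstream, which is where the router's NAT rules come into question.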
 
Hm, this sounds like a problem with your router not returning the packets to the client. E.g. the NAT is only working in one direction. Are the routes in your container set up correctly as well? Can you access the internet from the CT?

Try running tshark/tcpdump on the host as well (on your bridge interface).

I have already restarted the VM, host and disabled the "firewall" on the VM on it but it didn't help.
VM or container? Just to clarify, this could make a difference here...
 
You were absolutely right.

I have just made a test and NATed the WAN port 90 to the VM port 80 and it worked right away.
There is a rule on the FW which is interfering with ports 80 and 22 since the router itself (Mikrotik) has those ports open and listening.

I'll google it and ultimately ask the question on the Mikrotik forum.

Thanks for your help.
 
