Securing Odoo for External Access with HTTPS using Nginx Proxy Manager

Extend your local Odoo install with a reverse-proxy and Let’s Encrypt so users outside your office can connect via https://odoo.yourdomain.com:8443—no VPN needed.

1. DNS setup for your subdomain

Create an A record in your DNS provider:

  • Type: A
  • Name: odoo
  • Value: 2.179.165.134 (your public IP)
  • TTL: 2 hours (or default)

This ensures odoo.yourdomain.com resolves to your WAN address.

2. Update docker-compose.yml with Nginx Proxy Manager

version: '3.8'
services:
  odoo:
    image: odoo:18
    container_name: odoo
    depends_on: [db]
    ports:
      - "0.0.0.0:8069:8069"
    environment:
      - HOST=db
      - USER=odoo
      - PASSWORD=odoo
    volumes:
      - odoo-data:/var/lib/odoo
    networks: [odoo-net]

  db:
    image: postgres:16
    container_name: db
    environment:
      POSTGRES_DB: odoo
      POSTGRES_USER: odoo
      POSTGRES_PASSWORD: odoo
    volumes:
      - odoo-db-data:/var/lib/postgresql/data
    networks: [odoo-net]

  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    ports:
      - "80:80"      # HTTP for ACME challenges
      - "81:81"      # Admin UI
      - "8443:443"   # External HTTPS → internal 443
    volumes:
      - npm-data:/data
      - npm-letsencrypt:/etc/letsencrypt
    networks: [odoo-net]

networks:
  odoo-net:

volumes:
  odoo-data:
  odoo-db-data:
  npm-data:
  npm-letsencrypt:

3. Configure pfSense NAT & Firewall

3.1. Firewall / NAT / Port Forward

  • WAN port 81 → 192.168.121.145:8069:81
  • WAN port 8443 → 192.168.121.145:8069:8443

3.2. Firewall / Rules / WAN

  • Allow TCP 81 → WAN address
  • Allow TCP 8443 → WAN address

(These rules are created automatically with the Port Forward.)

3.3. System / Advanced / Firewall & NAT / Network Address Translation

  • Pure NAT
  • Enable NAT Reflection for 1:1 NAT
  • Enable automatic outbound NAT for Reflection

Note: NAT Reflection (Hairpin NAT) lets clients inside the office connect using the subdomain. It “loops” LAN requests back to the internal server correctly.

4. Set up your Proxy Host in Nginx Proxy Manager

  • Domain Names: odoo.yourdomain.com
  • Scheme: http
  • Forward Hostname/IP: 192.168.121.145
  • Forward Port: 8069
  • Websockets Support: ✅
  • Block Common Exploits: ✅

SSL (Let’s Encrypt)

  • Request a new SSL certificate
  • Force SSL, HTTP/2, HSTS
  • Enter your email, accept terms, Save

5. Access Odoo externally

➡️ URL:

https://odoo.yourdomain.com:8443
  • Fully encrypted with Let’s Encrypt
  • Uses port 8443 to avoid conflict with VPN on 443
  • No VPN required
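
To confirm that the HTTP/2 and HSTS options from step 4 are actually in effect, the response headers can be checked. This is an added example, not part of the original post; the one-year max-age threshold is an assumed policy value and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: check the proxy host's "HTTP/2" and "HSTS" options
# from the response headers it returns.
# Live use, with the post's placeholder hostname:
#   curl -sI https://odoo.yourdomain.com:8443 | check_https_headers

# Reads raw response headers on stdin. $1 = minimum acceptable HSTS max-age
# in seconds (default 31536000, one year: an assumed policy threshold).
check_https_headers() {
  awk -v min_age="${1:-31536000}" '
    { sub(/\r$/, "") }                       # curl keeps the CRLF line ends
    NR == 1 { http2 = ($1 ~ /^HTTP\/2/) }    # status line, e.g. "HTTP/2 200"
    index(tolower($0), "strict-transport-security:") == 1 {
      hsts = 1
      if (match(tolower($0), /max-age=[0-9]+/))
        age = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    END {
      if (!http2) { print "FAIL: response is not HTTP/2"; bad = 1 }
      if (!hsts)  { print "FAIL: no Strict-Transport-Security header"; bad = 1 }
      else if (age + 0 < min_age + 0) {
        print "FAIL: HSTS max-age " (age + 0) " is below " min_age; bad = 1
      }
      if (!bad) print "OK: HTTP/2 with HSTS max-age " age
      exit bad + 0
    }'
}

# Constructed sample responses (not captured from a real server).
sample_hardened() {
  printf 'HTTP/2 200\r\nserver: openresty\r\nstrict-transport-security: max-age=63072000; preload\r\n\r\n'
}
sample_plain() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'
}

# Demo on the constructed hardened response.
sample_hardened | check_https_headers
```
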

Connecting to a ModBerry 500 via SSH with Dual Ethernet outside the local network

Context

Industrial devices like the ModBerry 500 often come with multiple Ethernet interfaces — typically with eth0 set to a static IP (e.g., 192.168.0.101) and eth1 (e.g., 192.168.20.118) configured via DHCP on your local network.


In some cases, you’ll want to ensure that a specific interface — for example, eth1 — is used as the primary route for Internet access. This is especially important if you plan to remotely connect to the device via SSH, using a custom external port (like 2223) forwarded through your router.

The Problem

Even if you configure the IP and gateway on eth1, Linux may still use eth0 as the default route, because it automatically assigns routing priorities (metrics). In our case, eth1 ended up with metric 203 and eth0 with 202 — making eth0 the preferred route. That’s the opposite of what we wanted.

The Solution: Prioritize eth1 via /etc/dhcpcd.conf

If your system is using dhcpcd as its network manager (which is common on ModBerry), you can set the interface priority easily.

1. Open the config file:

sudo nano /etc/dhcpcd.conf

2. Add this at the end:

interface eth1
  metric 100

interface eth0
  metric 200

This tells the system: “Use eth1 first, because it has a lower metric.”

3. Restart the service:

sudo systemctl restart dhcpcd

4. Check the active routes:

ip route show

You should see something like:

default via 192.168.120.1 dev eth1 metric 100
default via 192.168.0.99 dev eth0 metric 200
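
The check in step 4 can be scripted so that a reboot or a DHCP renewal that flips the metrics is caught before remote SSH access stops working. This is an added example, not part of the original post; the function names are hypothetical and the sample routing tables are constructed from the addresses and metrics mentioned above.

```shell
#!/bin/sh
# Added example: decide from `ip route show` output which interface
# carries the preferred default route.
# Live use:  ip route show | assert_default_dev eth1

# Prints the device of the default route with the lowest metric
# (a default route without a metric counts as 0). Returns 1 if none exists.
preferred_default_dev() {
  awk '
    $1 == "default" {
      dev = ""; metric = 0
      for (i = 2; i < NF; i++) {
        if ($i == "dev")    dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (dev != "" && (best == "" || metric < best_metric)) {
        best = dev; best_metric = metric
      }
    }
    END { if (best == "") exit 1; print best }'
}

# Returns 0 only if interface $1 owns the preferred default route.
assert_default_dev() {
  actual=$(preferred_default_dev) || { echo "FAIL: no default route" >&2; return 2; }
  [ "$actual" = "$1" ] || { echo "FAIL: default route uses $actual, expected $1" >&2; return 1; }
  echo "OK: default route uses $1"
}

# Constructed samples: the table before the fix (metrics 202/203) and after it.
routes_before_fix() {
  printf '%s\n' \
    'default via 192.168.0.99 dev eth0 metric 202' \
    'default via 192.168.120.1 dev eth1 metric 203' \
    '192.168.0.0/24 dev eth0 scope link src 192.168.0.101 metric 202'
}
routes_after_fix() {
  printf '%s\n' \
    'default via 192.168.120.1 dev eth1 metric 100' \
    'default via 192.168.0.99 dev eth0 metric 200'
}

# Demo on the constructed post-fix table.
routes_after_fix | assert_default_dev eth1
```
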

Open SSH Access on Port 2223 via Router NAT (e.g., pfSense)

In this setup, we’re accessing the ModBerry remotely by forwarding a custom external port (like 2223) on the router’s public IP to port 22 on the ModBerry’s eth1 IP address.

1. Set up a NAT Port Forwarding rule on your router (e.g., pfSense)

  • External port: 2223
  • Internal IP: your ModBerry’s eth1 IP (e.g., 192.168.120.118)
  • Internal port: 22 (default SSH port)
  • Protocol: TCP

This tells your router: “When someone connects to port 2223 on the public IP, forward that to port 22 on the ModBerry’s eth1 interface.”

2. From outside your network, connect using:

ssh -p 2223 user@YOUR_PUBLIC_ROUTER_IP

Replace user with your actual ModBerry username (e.g., root or pi), and YOUR_PUBLIC_ROUTER_IP with the WAN IP of your pfSense router.