Firewall/networking issues hosting various services

I’m trying to host Immich on a home server running NixOS, but having some trouble connecting to it. I haven’t got much experience with networking in general, so this may be a simple question that’s not particularly related to NixOS, so apologies in advance :sweat_smile: .

Locally, everything works fine. I have services.immich.enable = true in my config, and if I go to localhost:2283 in my browser, it works. But if I use another device on my network and go to server:2283 it fails.

Some fixes/troubleshooting steps I’ve tried so far:

  • on the other device, host server gives the correct IP address (at least, one that matches ifconfig on the server)
  • other services have the same behavior (e.g. open-webui)
  • I can ping server and ping <ip address of server>
  • I tried adding services.immich.openFirewall = true, no change
  • I tried adding networking.firewall.allowedTCPPorts = [2283], no change (somewhat expected, I assume this is what services.immich.openFirewall does)
  • I looked at journalctl --follow to see what was happening to the requests - when I tried to access the page from the other machine, I got lots of logs like:
Jun 10 19:33:07 server kernel: refused connection: IN=wlp195s0 OUT= MAC=98:bd:80:8e:ec:fc:7e:55:00:ff:e6:d7:08:00 SRC=192.168.0.177 DST=192.168.0.205 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=57399 DPT=2283 WINDOW=65535 RES=0x00 SYN URGP=0

which makes me think that it’s still a firewall issue

  • so I added networking.firewall.enable = false to fully disable the firewall. After doing this, I no longer see the refused connection logs when I try from the other machine - I just see nothing

At this point, I’m out of debugging steps - any suggestions are much appreciated.

Thanks :sweat_smile:

What kind of network setup do you have?

Are you hosting any other services that do work? On that machine or any other?

I guess your local network’s going through a router. Some routers have strange ideas about what traffic they should block. Depending on the model, that might (and should!) be configurable.

Actually, openssh does work. I’ve also tried static-web-server which fails.

Some routers have strange ideas about what traffic they should block.

This could be happening - I’m using a temporary 5g mobile router, but when I log into the admin interface, there’s an option for “client isolation”, which sounds like the kind of thing it could be - but it’s unchecked.

I’m also wondering whether this would explain the different behavior when I toggle networking.firewall.enable. I would have thought that, if the router was stopping traffic from getting to my server, I wouldn’t see the refused connection messages in journalctl?

Have you stumbled across Tailscale and immich on new system: port not responding? - #2 by waffle8946 yet?

Most services are configured by default in such a way requests from localhost are allowed but not from other hosts.

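The distinction made in the answer above (the firewall log proves the packet reached the host; what decides whether a remote client gets through is the address the service is bound to) can be checked directly. The following script is an added example written for this thread, not something posted by anyone in it. It takes the kernel `refused connection` log line and the output of `ss -tln` (a constructed sample is embedded so it runs offline; drop the second argument to use the live socket list) and reports whether the listener on a port is bound to loopback only, to all interfaces, to one specific address, or absent. On the NixOS side, opening the firewall is only half of the fix: the service must also listen on a non-loopback address (for the nixpkgs immich module that is the `services.immich.host` option, default localhost; confirm the option name on your nixpkgs revision).

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Distinguishes "the firewall
# dropped it" from "the service only listens on localhost".

# The kernel log line quoted in the original post (netfilter key=value format).
SAMPLE_LOG='Jun 10 19:33:07 server kernel: refused connection: IN=wlp195s0 OUT= MAC=98:bd:80:8e:ec:fc:7e:55:00:ff:e6:d7:08:00 SRC=192.168.0.177 DST=192.168.0.205 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=57399 DPT=2283 WINDOW=65535 RES=0x00 SYN URGP=0'

# Constructed sample of `ss -tln` output: sshd on all interfaces (the service
# that worked in the thread), immich on loopback only (the one that did not).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      128             [::]:22             [::]:*
LISTEN 0      511        127.0.0.1:2283        0.0.0.0:*'

# nf_field LOGLINE KEY -> value of KEY=VALUE in a netfilter log line
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# listen_scope PORT [SS_OUTPUT] -> all | loopback | specific | none
# Without SS_OUTPUT it runs `ss -tln` on the current host.
listen_scope() {
    port=$1
    ss_out=${2:-$(ss -tln 2>/dev/null)}
    # Pull the local address (column 4) of every LISTEN row on this port.
    addrs=$(printf '%s\n' "$ss_out" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
            if (a[n] == p) print addr
        }')
    scope=none
    for a in $addrs; do
        case $a in
            0.0.0.0|'[::]'|'*') echo all; return ;;          # wildcard bind
            127.*|'[::1]'|localhost)                          # loopback bind
                if [ "$scope" = none ]; then scope=loopback; fi ;;
            *) scope=specific ;;                              # one concrete address
        esac
    done
    echo "$scope"
}

# diagnose PORT LOGLINE [SS_OUTPUT] -> one-line verdict
diagnose() {
    port=$1
    in_if=$(nf_field "$2" IN); src=$(nf_field "$2" SRC); dpt=$(nf_field "$2" DPT)
    if [ "$dpt" != "$port" ]; then
        echo "log line is for port $dpt, not $port"; return
    fi
    case $(listen_scope "$port" "$3") in
        none)     echo "packet from $src reached $in_if, but nothing listens on $port" ;;
        loopback) echo "packet from $src reached $in_if, but $port is bound to loopback only: change the service bind address, not just the firewall" ;;
        specific) echo "packet from $src reached $in_if; $port is bound to one specific address, check it matches DST" ;;
        all)      echo "packet from $src reached $in_if and $port listens on all interfaces: the firewall rule for $port is what is missing" ;;
    esac
}

# Stand-alone run over the embedded samples.
diagnose 2283 "$SAMPLE_LOG" "$SAMPLE_SS"
```

With the real socket list, `diagnose 2283 "$line"` (no third argument) gives the same verdict for the running host. The reason the refused-connection log vanished when the firewall was disabled is visible here too: once no rule logs the SYN, the kernel simply answers with a reset because no socket on a non-loopback address is listening, so nothing is written to the journal.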

Every cell service router I’ve troubleshot is a nightmare if you’re trying to do anything other than connect to the internet. I suggest you see if it’s one you can put in bridge mode and get a regular router to run your LAN instead

That was exactly it, thanks! I guess that explains why some services were working and others weren’t
