Changed from ASUS RT-AC68U (Merlin) to Netgear X4S (Voxel) and having Port Forward Issue With Caddy

I’ve attempted to get assistance on the Netgear side without luck so far, so I figured I’d try here. Perhaps someone here is familiar with how they get their Netgear Router to work. I had a ton of help getting my setup working here, including the clever port forwarding used in a similar UNRAID setup. Upon putting my ASUS router back in place, everything works fine again.

I got the Netgear X4S R7800, and immediately loaded the latest Voxel firmware. I am fairly sure I mirrored all the settings exactly, including my port forward rules. The only other thing I really do is start my DHCP pool at 101 to reserve everything below for my static IPs.

I am running a Synology DiskStation DS916+ with Docker and the Abiosoft Caddy server image. I am only using it as a reverse proxy. I like how simple it is, and benchmarks show it as less resource intensive as well as higher performance than nginx.

I had an issue with ports 80 and 443 with my initial ASUS setup. I forget the specifics, but I believe it was because the Synology redirects 80 to 5000 for its web console. Also perhaps the router itself uses that port for the web console. The solution was to basically do this with 80 and 443:

```
Router -> forwarded -> Synology -> port mapped -> abiosoft/caddy docker container
80                     8080                       8080:80
443                    8443                       8443:443
(external)             (internal)
```

(Sorry, I am not sure how to show this in a readable table or something. Let me know how and I will edit it.)

The NAS has a static IP.

Hope this makes sense, but it is probably less important.

Looking through the Netgear settings, I saw some potential settings such as its web console and ReadySHARE using these ports. In my troubleshooting, I attempted to change the ports and/or disable them. I don’t plan to use most features like ReadySHARE. Note the ReadySHARE advanced page to see where I saw the ports noted there. I am pretty sure I disabled all those, including media share.

Any ideas or troubleshooting I should make sure I did? Maybe I should remove the clever forwarding and see what happens? Maybe I should try other ports besides 8080 and 8443?

Hi @Prodeje, I put some backticks ( ``` ) around your port mapping plan to format it a bit neater.

I’ve seen this quirk before, not only in Synology but unRAID units too, where the web console binds port 80. I’ve also personally run an identical “port-detoured NAT” setup to get Caddy the ports it needs externally.

Where’s the failure point, exactly? (What were you trying to do, what result did you expect, and what happened instead?)

I appreciate the response. With the Asus router in place, I am able to externally reach my Sonarr and Radarr pages, using my duckdns address.
Once the Netgear is in place, it doesn’t connect and times out. I’ll double check the error msg. At one point an error like “web page doesn’t exist 80” or something too came up.

How should I try to trace it further?

Could you curl -i [host] and let me know what you get?

That’ll at least tell us if you’re being turned away by the Netgear itself or by Caddy.

Possibly also double check your DNS - that the duckdns address returns the right IP, that your computer hasn’t cached an old IP, etc…

Family won’t appreciate me taking down the network now. I will take a stab tomorrow. For now I put the Asus back in place. It sits in the basement, WiFi off doing all the routing. I then put the Netgear in AP mode, connected to my family room wall jack (first floor of house wired with cat 5e) doing the house WiFi. Good news is that this fixed my weak WiFi in master bed room where my fire TV was struggling at times.

Hey Prodeje,

Sorry for hijacking this thread, but as a new user, I can’t message you directly (if that option exists). I’m trying to set up caddy on my new DS218+ to run sabnzbd, sonarr, radarr, lazylibrarian, etc. I saw your other thread and saw that you were able to get caddy up and running and was hoping you could upload your caddyfile and anything else you used for your setup.

I read through your other thread but I got lost midway. I’ve been at this for about a week straight and I don’t get it.

TY.

I am a writer with DR Frankenstein guides and I have a staging area that includes unfinished guides. I started one here, let me know how it goes and any issues. https://nasguides.wordpress.com


Ah, so the nasguides writer is you. Amazing.

I followed that guide but it gets confusing at this point. https://i.imgur.com/XumSild.png Things don’t match up. And I’m not sure where to put the common.conf file in this whole setup.

Also, in the common.conf file it states “Change all path “syntax” & “locations” to match your OS! e.g. “c:\caddy\www” for Windows or “/var/www” for nix file systems”. I ssh’d into my DS218+ but I don’t see /var/www/ so not sure how to change that either.

OK, since we are doing reverse proxy only, do not get those additional files for full PHP. Just use my caddyfile.

Are you able to continue now?

Just put in your details as noted;
Customize the caddyfile by replacing these terms as noted in each file:

YOUR_DDNS_NAME.YOUR_DDNS_PROVIDER.X
YOUR_EMAIL@YOUR_EMAIL_PROVIDER.X
YOUR_USERID YOUR_PASSWORD (with whatever you want to use when logging into your site remotely)
YOUR_NAS_LOCALIP (with your server’s local IP address, such as 192.168.1.99)

On a side note, I could not get my new Netgear router to port forward nicely, so I had to go back to my ASUS instead.

Unfortunately the container stops immediately after it starts. This is the log from the docker container.

```
Used: 12.34.567.890
12.34.567.890
Resolved to:
Validation for xxx.ddns.me:80
Error Detail: 2018/01/30 04:24:01 [xxx.ddns.me] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://xxx.ddns.me/.well-known/acme-challenge/f1G6svRyVbXEb4SBDxIJE2bnjJ4r51fLhlTmEkL6XTg: "
2018/01/30 04:23:59 [INFO][xxx.ddns.me] acme: Trying to solve HTTP-01
2018/01/30 04:23:59 [INFO][xxx.ddns.me] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/oU_tIFjTwtwDrOjOhjdS11buIgsldTVTIbFPf4iwXvQ
Activating privacy features…2018/01/30 04:23:59 [INFO][xxx.ddns.me] acme: Obtaining bundled SAN certificate
```

Also, (and though it’s out of my league at the moment), I would eventually like to have a landing page where my wife can log in and use sonarr or radarr or lazylibrarian. It’s all a learning experience for me atm.

Edit: of course my DDNS and external IP have been altered.

Here’s the culprit:

Error Detail: 2018/01/30 04:24:01 [xxx.ddns.me] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://xxx.ddns.me/.well-known/acme-challenge/f1G6svRyVbXEb4SBDxIJE2bnjJ4r51fLhlTmEkL6XTg: "

Looks like Caddy has been configured to pull a certificate for your domain, but when LetsEncrypt connected over HTTP, it got the wrong response.

Most common reason: Something other than Caddy is listening on port 80 at the IP address your domain was pointing to. Quick way to find out: curl -I xxx.ddns.me and look for a Server: header.

I’m about to head to bed so I’ll check in the morning, but a quick question. Could the fact that I already have a Let’s Encrypt certificate for WebDAV be the culprit? Mind you, my WebDAV connects at ports 5005 and 5006.

The presence or absence of an existing certificate on a separate service is mostly irrelevant to Caddy.

Without respect to implementation, the only requirement for HTTP-01 validation is that a connection to your IP address on port 80 must be answered by the Caddy instance that requested the certificate.

The implementation is the part that gets people. Usually there’s only one problem to worry about for people serving from home:

  • Problem 1: Caddy isn’t available at your public IP address.
    Solution: Forward ports 80,443 on your modem to your Caddy host.

Synology (and unRAID, and probably others) systems have additional concerns to add in when used as Caddy hosts.

  • Problem 2: Ports 80,443 are not available on the Caddy host.
    Solution: Forward to different ports (e.g. 8080,8443).

  • Problem 3: HTTP(S) requests are now coming in on non-standard ports.
    Solution: Translate those ports back to standard ports (with Docker port mapping), OR change the standard ports Caddy uses for HTTP(S).

Generally speaking, unless there are other concerns (double NAT, WAN-facing modem GUI, other network complexities), your problem is likely to be somewhere along that chain.


My strong suggestion is that you configure Caddy to validate against the ACME staging endpoint while testing your setup, until you’re sure it’s configured correctly. Otherwise you may run into rate limits and have to wait a week to get a valid certificate.

Use the -ca https://acme-staging.api.letsencrypt.org/directory CLI flag to do that, or the following tls directive:

```
tls {
  ca https://acme-staging.api.letsencrypt.org/directory
}
```

Staging Environment - Let's Encrypt
https://caddyserver.com/docs/cli
https://caddyserver.com/docs/tls
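To make the "curl -I and look for a Server: header" check and the Problem 1/2/3 chain above concrete, here is an added example (not code from the thread or from the Caddy project) that requests an ACME-style path on port 80 and maps the answer to those three cases. The challenge token is a constructed placeholder, and the `:5000` redirect signature is the Synology DSM behaviour shown later in this thread.

```python
"""Which hop in router -> NAS -> Caddy is answering port 80 for HTTP-01?"""
import http.client
import sys
from typing import Optional

# Constructed placeholder: a real token is chosen by the ACME CA, never by us.
TOKEN = "CONSTRUCTED_TOKEN_NOT_A_REAL_CHALLENGE"


def parse_head(raw: str) -> dict:
    """Parse the status line and headers of `curl -i` style output."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Optional[dict]:
    """GET the challenge path over plain HTTP; None means nothing answered."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{TOKEN}")
        resp = conn.getresponse()
        return {"status": resp.status,
                "headers": {k.lower(): v for k, v in resp.getheaders()}}
    except OSError:  # timeout, connection refused, host unreachable
        return None
    finally:
        conn.close()


def classify(head: Optional[dict]) -> str:
    """Map the port-80 answer to the problems listed in the thread."""
    if head is None:
        return "problem 1: nothing answered port 80 (check DDNS, forward, double NAT)"
    server = head["headers"].get("server", "").lower()
    location = head["headers"].get("location", "")
    if "caddy" in server:
        return "ok: Caddy answers port 80, HTTP-01 can succeed"
    if server == "nginx" and ":5000" in location:
        return "problem 2: Synology DSM nginx owns port 80, detour via 8080->80"
    return f"problem 3?: unexpected responder server={server!r} status={head['status']}"


if __name__ == "__main__":
    print(classify(probe(sys.argv[1])) if len(sys.argv) > 1 else "usage: probe.py HOST")
```

Run it against the DDNS name from outside the LAN and against the NAS IP from inside; both should classify as "ok" before the production endpoint is worth trying.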


ok, so when I use

```
tls {
  ca https://acme-staging.api.letsencrypt.org/directory
}
```

I don’t get any errors except that in the log, it’s asking me to use my email address.
When I try the email address (as is normal) I get that same error I reported earlier.

When I try to

```
curl -I xxx.ddns.me
```

I get timed out.

But when I try

```
curl -I 192.168.2.24
```

I get this

```
curl -i 192.168.2.24
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 30 Jan 2018 14:09:11 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Keep-Alive: timeout=20
Location: http://192.168.2.24:5000/

302 Found

302 Found

nginx
```

I don’t know why nginx is running though, because I haven’t used it. Could it be that I installed webstation at one point and then uninstalled it?

Yep, changing to the staging endpoint won’t solve the problem, per se, but it will stop the problem from getting you in trouble for abusing their production endpoint while we fix the problem.

That’s not ideal. You want this to have the exact same result as curl -I 192.168.2.24. Check that your DDNS is updating properly.

I believe nginx runs on all Synology devices - it’s what serves the configuration/web GUI. This is the problem the OP solved originally, but their solution ran into issues with a new router:

So, you’re effectively at Problem 2 - you can’t use port 80 for Caddy because Synology has it and won’t give it up. See above solution.
