Can't connect Nextcloud app to existing Nextcloud user accounts

Re-posting from Telegram on the recommendation from “Mike” for additional visibility.

THE ISSUE: Samsung S22 and S24 phones (with the Nextcloud app) cannot connect to existing Nextcloud user accounts via credentials (QR code) provided by Nextcloud user account UI browser session.

NETWORK AS IT WAS THEN: Formerly, the Orbi router (RBR750 w/2 satellites) had a flat network on subnet 192.168.1.0/24. All Start9 servers (4) and computers (3) are wired. Phone, tablet and IoT stuff on wifi.

  1. All computers (with Firefox browser) connected to all Start9 servers via IP addresses, adj-noun.local addresses and connected to Nextcloud user accounts via UI https://***.local address.

  2. S22 and S24 phones (with the Nextcloud app) connected to Nextcloud user accounts via credentials (QR code) provided by Nextcloud user account UI.

THE CHANGE: installed pfSense router, managed switches, created VLANs and relegated the Orbi to Access Point mode.

NETWORK AS IT IS NOW: Currently, pfSense router, Avahi service and mDNS reflection enabled (across all subnets) and managed switches with VLANs. Orbi in AP mode (without VLANs, not supported in AP mode) on untagged switch port. All servers and computers remain wired. Phone, tablet and IoT stuff still on wifi.

  1. All computers (with Firefox browser) on VLAN10 (on pfSense port 2) can connect to all Start9 servers on VLAN 20 (on pfSense port 3) via IP addresses, adj-noun.local addresses and can connect to Nextcloud user account via UI https://***.local address.

1a) Computers connect via browser across different router ports and across different VLANs using server IP addresses and *.local addresses. DNS resolving as expected.

  2. 1 of the 3 computers (with Firefox browser) moved and connected to wifi (RJ45 removed) on non-VLAN Orbi, can connect to all Start9 servers via IP addresses, adj-noun.local addresses and Nextcloud user account via UI https://***.local address.

2a) Computer on wifi connects via browser across different router ports and non-VLAN/VLAN connection using server IP addresses and *.local addresses. DNS resolving as expected.

  3. S22 and S24 phones (with the Nextcloud app) connected to wifi (airplane mode on, no cell tower) on non-VLAN Orbi, CANNOT connect to Nextcloud user accounts via credentials (QR code) provided by Nextcloud user account UI browser session. Receive message “Could not find host” as described in Start9 documents.

3a) Phone/Nextcloud app on wifi cannot connect across different router ports and non-VLAN/VLAN connection using Nextcloud user account credentials. DNS (or mDNS) not resolving for the phone/app?

  4. S22 phone (with Firefox browser) connected to wifi (airplane mode on, no cell tower) on non-VLAN Orbi, CAN connect to all Start9 servers IP addresses but CANNOT connect via adj-noun.local addresses nor to Nextcloud user account via UI https://***.local address.

4a) Phone on wifi can connect via browser across different router ports and non-VLAN/VLAN connection to server IP addresses but CANNOT connect to *.local addresses. DNS (or mDNS) not resolving for the phone/browser?

  5. Trusted CA deleted from S22 phone and re-installed has no effect.

HELP PLEASE: This is about a week's worth of troubleshooting and verifying that results are consistent, then trying to make this a comprehensive read, and reading and learning at the same time. The following statement is unclear from the documents: “…WiFi network is not properly “bridged” with the ethernet network…”. Please explain this so I can also troubleshoot this aspect. What does it take to fix this issue?

I don’t have anything specific to add other than what’s been discussed in TG, but it is interesting that other devices connected to wifi do work, while the two phones don’t.

It would be interesting to see what happens if you bring another different Android, or even an iOS device, into the equation and test that.

This is a clue. The fact that you can connect to your server via IP, but not .local indicates an MDNS issue.

One additional test

  6. 1 of the 3 computers (with Firefox browser) moved and connected to ethernet connection on (rear of) non-VLAN Orbi, can connect to all Start9 servers via IP addresses, adj-noun.local addresses and Nextcloud user account via UI https://***.local address.

6a) Computer on wifi connects via browser across different router ports and non-VLAN/VLAN connection using server IP addresses and *.local addresses. DNS resolving as expected. Same test and result as listed above in 2) and 2a).

I tried the same tests for a new Pixel; the phone conditions are not identical but that shouldn't matter. The wifi connection is the same, but none of the CAs are trusted yet, so I didn't expect the phone to connect securely to the Start9 servers. The phone did find them at their static IP addresses and Vanadium offered to continue as http only. No joy finding the *.local addresses with Vanadium, and with a fresh install of the Nextcloud app, no joy connecting there either. See 7) and 8) below. This matches the results of the S22 and S24. I'd like to try this on an iPhone as well, but I don't have one under my control.

  7. Pixel8 phone (with Vanadium browser) connected to wifi (no SIM card, no cell tower) on non-VLAN Orbi, CAN connect to all Start9 servers IP addresses but CANNOT connect via adj-noun.local addresses nor to Nextcloud user account via UI https://***.local address.

7a) Phone on wifi can connect via browser across different router ports and non-VLAN/VLAN connection to server IP addresses but CANNOT connect to *.local addresses (not found).

  8. Pixel8 phone (with the Nextcloud app) connected to wifi (no SIM card, no cell tower) on non-VLAN Orbi, CANNOT connect to Nextcloud user account via credentials (QR code) provided by Nextcloud user account UI browser session. Receive message “Could not find host” as described in Start9 documents.

8a) Phone/Nextcloud app on wifi cannot connect across different router ports and non-VLAN/VLAN connection using Nextcloud user account credentials.

The mDNS has something to do with it. Does Avahi mDNS bring the computers and the *.local address for the servers together, or is that the router DNS service? I'd like to be able to credit success or failure to one or the other. Maybe the Nextcloud app isn't listening correctly to the mDNS information as it is broadcast. Maybe the broadcast isn't the way Nextcloud is expecting to hear it. I have explicit rules written to allow mDNS across all interfaces in pfSense. Is there a possible conflict between Bonjour and Avahi co-existing on the network, at least as far as the Nextcloud app is concerned?

Avahi is an open source implementation of IETF Zeroconf. Apple and Microsoft have their proprietary implementations. Microsoft's implementation is lacking, most notably, .local aliasing, which is why Windows users need to install Apple's Bonjour to connect to the services on StartOS. In short, there is no conflict between Bonjour and Avahi. They're just OS-specific implementations of the protocol. In the “coming soon” StartOS 0.3.6, services will be exposed via port. So Avahi, Bonjour, etc. will no longer be necessary.

You can rule out it being an issue with the phone(s) by temporarily building a separate simple flat network. All devices on a single subnet. A single router, with wifi. With a StartOS server connected directly to the router via Ethernet, and the phone or phones connected to the wifi provided by it. If you are able to connect to the server's .local address from the phone(s) then you'll know it's not an mDNS issue with the phone(s).

One of us read the other’s mind to go back to the original network configuration to prove good hardware and apps.

  9. Re-created 192.168.1.0/24 flat network, no VLANs; spare Linksys router with wifi, laptop, Start9 server hosting Nextcloud and S22 and S24 phones.

9a) Able to set up and reestablish full user access via phones to existing Nextcloud user accounts hosted on Start9 server. All good hardware and apps.

  10. Moved Start9 server hosting the Nextcloud service to ethernet port on Orbi router (AP mode).

10a) Full user access via phones to existing Nextcloud user accounts.

  11. Moved Start9 server hosting the Nextcloud service to managed switch, port 5. Configured port 5 with the same network traffic (untagged) as port 6 for the Orbi router (in AP mode).

11a) Full user access via phones to existing Nextcloud user accounts.

  12. Moved Start9 server hosting the Nextcloud service back to the original desired managed switch location on VLAN 20.

12a1) Computer results same as 1a). Computers connect via browser across different router ports and across different VLANs using server IP addresses and *.local addresses.

12a2) Phone results same as 3a) and 4a). Phone/Nextcloud app on wifi cannot connect across different router ports and non-VLAN/VLAN connection using Nextcloud user account credentials. Phone on wifi can connect via browser across different router ports and non-VLAN/VLAN connection to server IP addresses but CANNOT connect to *.local addresses.

Just as a reminder, in this desired configuration, all Start9 server (VLAN20) traffic is on port 3 of the pfSense router. All other network traffic (non-VLAN and VLAN, wifi and wired) is on pfSense port 2.

Okay, great! So we’ve ruled out an mDNS resolution issue with the phones. The problem seems to be multicast resolution moving across VLAN boundaries, or through the firewall. Keep in mind, the multicast broadcast address is 224.0.0.251, and all .local services run on 224.0.0.0/24. So maybe in your current configuration, 192.168.0.0 is allowed to cross boundaries, but the 224 is not. Hopefully this is a clue.
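To make the mechanics in the reply above concrete, here is a small added example (not code from the thread, from Start9 or from pfSense). It builds an mDNS A-record query exactly as a phone or laptop would send it to the multicast group 224.0.0.251 on UDP 5353, parses the answer, and can be run from a host on a given VLAN to check whether a `.local` name is reachable from that segment. The name `adj-noun.local` and the address `192.168.20.10` are constructed placeholders. The query sets the "QU" bit so the responder replies by unicast to the sender, which keeps the script simple; the point to notice is that the query itself goes to a link-local multicast address, which a router does not forward between VLANs unless something like the Avahi reflector repeats it on the other interfaces.

```python
"""Minimal mDNS (RFC 6762) A-record query/response helper. Added example."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # link-local multicast group used by mDNS
MDNS_PORT = 5353
QTYPE_A = 1
QCLASS_IN = 1
QU_BIT = 0x8000              # "unicast response requested" flag in the question class
CACHE_FLUSH = 0x8000         # same bit position in an answer's class


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, unicast_response: bool = True) -> bytes:
    """One-question mDNS query. Transaction id and flags are 0 for mDNS."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = QCLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, qclass)


def decode_name(buf: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = buf[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer to an earlier name
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_answers(buf: bytes) -> dict:
    """Return {name: ipv4} for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    offset = 12
    for _ in range(qdcount):                 # skip echoed questions, if any
        _, offset = decode_name(buf, offset)
        offset += 4
    answers = {}
    for _ in range(ancount):
        name, offset = decode_name(buf, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers[name] = socket.inet_ntoa(rdata)
    return answers


def build_response(name: str, ip: str, ttl: int = 120, echo_question: bool = False) -> bytes:
    """Construct a responder's answer (used here to exercise the parser offline)."""
    qd = 1 if echo_question else 0
    header = struct.pack("!HHHHHH", 0, 0x8400, qd, 1, 0, 0)   # QR + AA flags
    body = b""
    owner = encode_name(name)
    if echo_question:
        body += owner + struct.pack("!HH", QTYPE_A, QCLASS_IN)
        owner = b"\xC0\x0C"                  # pointer back to the name at offset 12
    rr = owner + struct.pack("!HHIH", QTYPE_A, QCLASS_IN | CACHE_FLUSH, ttl, 4)
    return header + body + rr + socket.inet_aton(ip)


def resolve_local(name: str, timeout: float = 2.0):
    """Send the query to 224.0.0.251:5353 and wait for a unicast A answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # mDNS requires TTL 255
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _ = sock.recvfrom(4096)
            answers = parse_a_answers(data)
            if name in answers:
                return answers[name]
    except socket.timeout:
        return None                          # no responder reachable on this segment
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline round trip with a constructed answer, then a live query on this segment.
    print(parse_a_answers(build_response("adj-noun.local", "192.168.20.10")))
    print("live:", resolve_local("adj-noun.local"))
```

Running `resolve_local` on a laptop on VLAN10 and then on a host on the wifi segment gives a direct answer to the question raised later in the thread about whether a name is failing at the multicast layer (no answer at all) or at the client (answer arrives but the app does not use it); a `None` from the wifi segment while the same call succeeds on the server's VLAN points at the reflector configuration rather than at the phone.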

For this latest test, I set up a laptop and my S22 on wifi, side-by-side. Opened three tabs in Firefox and Firefox Beta (phone) on each device: the server IP address, the server adj-noun.local address and my Nextcloud user account *.local address. I got the IP address for each device on the router and created pass rules in pfSense to pass traffic specifically from each device IP address to the server on its VLAN. This will allow me to determine if traffic (specific to each device) is passing through the firewall destined for the server.

For the laptop, ctrl/shft/R was used to cause a hard refresh on each browser tab, traffic did pass for each of the three addresses on every tab refresh. States in the state table on pfSense were created and packet quantity and byte count both accumulated. All worked as expected.

For the phone, tapping in the address bar and clicking GO on the keyboard was used to cause new traffic on each browser tab; traffic did pass but ONLY for the tab with the server IP address. The two tabs with *.local addresses did not affect the state table, packet quantity or byte count. THIS indicated to me these two request sources were never making it to the firewall TO BE passed.

At this point, I didn't think I could cut this in half anymore to find and be able to put a finger on the exact cause…so I shotgunned it. I read about the Host Overrides feature in pfSense and made one for each Start9 server. I still don't know if this is a proper application of this feature. Each adj-noun.local was listed as the “Parent domain of host” and the static IP address is listed as “IP to return for host”. I left “Host” blank. For good measure, I also rebooted the pfSense router (Netgate 4200) and the bane of my networking experience, the Orbi in AP mode (Netgear RBR750).

Now the fckng-sh!t works…well, one of them does, but it's not a total win though: the Nextcloud user account *.local IP address still won't resolve for the phone nor the Nextcloud app on the phone. Now I can reach each server on the browser tab/phone at the adj-noun.local address. I can also break it again by removing the host override entry for an individual server. Re-adding the host override entry fixes it again. I left the tabs to each of the four servers open in Firefox Beta, closed the app and then force-stopped it for the night. I left it this way overnight to test again this morning and all four servers are immediately available…success. This is only an edge-case win for me as the administrator having access to the servers, via the browser, on the phone, at home. The Nextcloud app users are who need the win.

I know the user *.local address only works with a specific port on the server but for me as an end user, that port can’t be determined. I also checked the other user *.local addresses for the other loaded Start9 services and they do not work either, i.e., Vaultwarden, Burn After Reading, Ride The Lightning, Core Lightning, Lightning Terminal, Mempool and Thunderhub. It’s a systemic issue with the granular control in pfSense (DNS/mDNS) vs. the wild-wild-west of a flat network.

The Nextcloud app on the phone can't find the server while on the home network with a pfSense router. The computers work as expected when connected to the server via browser. The Nextcloud use-case for the phone remains broken. Going back to the insecure, flat network infrastructure isn't going to work for us.

STOP THE PRESS!!!

I knew I didn’t have the port number for the Nextcloud user *.local address so I didn’t think creating a host override for it would work. I thought I would need the IP address AND the specific port to point to the server. I decided to try it anyway…but it didn’t work. So I walked away for an hour. I came back and checked the browser tab for the user account again and IT OPENED! The ultimate test is with the app. I tried the Nextcloud app and it also connected to the server as expected. I guess I didn’t wait long enough for the host override info to propagate through all of the router before trying to connect.

I would still like to know why the phone needs special help (host override) finding the server while DNS and mDNS are on full blast. The computers/browsers find it right away. I would also like to know if this use-case for host overrides is a proper use of this feature. Setting up pfSense is quite the learning experience so far.

Firewall rules alone aren't enough to get mDNS to work as you would expect it to across VLANs in pfSense. You need to install the Avahi package and make sure you select the interfaces (VLANs) you want mDNS to be able to do its thing on. Without it things might work, but could also end up being brittle and/or insecure.

As an aside, this (along with quite a few firewall rules) can help to get SONOS speakers to work across VLANs/subnets which is notoriously difficult to get to work.

P.S. I was banging my head against the wall trying to figure out why I could access start9 services while on the same subnet/VLAN but not when attempting from another and my searches here kept mentioning mDNS which is what led me to remembering I had Avahi on pfsense for managing mDNS and just needed to add the VLAN/interface/subnet I had start9 running on to the list in the Avahi settings… so thanks for posting your issue :smiley: everything works as expected now!
