OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: neek on February 27, 2022, 03:47:32 am

Title: [SOLVED] DMZ web server inaccessible from LAN, but fine from WAN
Post by: neek on February 27, 2022, 03:47:32 am
I've got a box set up as a web server for both internal and external services. nginx uses the HTTP host to route to the correct apps. The internal services work fine, and the externally-visible services work but only if I'm not on my LAN (meaning only if I come in from a public IP).

If I'm on the LAN, and I try to access a service from the external host (e.g. myapp.mydomain.com), it looks like it redirects to the webserver which runs on the opnsense box, rather than port forwarding to the correct machine.

My WAN rejects rfc1918 addresses, but I'd think if I'm trying to access something at my proper domain name, the source would be the WAN address.

I'm guessing the problem is actually something in unbound, but I don't really know what to look for. I had this all working well on the exact same hardware a few days ago when I was running pfSense, and I've tried to mimic the firewall rules, etc. as best as I can.

Any suggestions are very welcome!

EDIT: Solved by Firewall -> Settings -> Advanced, enable the 3 NAT settings
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: Saarbremer on February 27, 2022, 04:44:11 pm
What does your NAT rule say about NAT reflection?
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: Saarbremer on February 27, 2022, 04:49:07 pm
You basically have two options: overwrite your DNS entry for your DMZ-located server, or activate NAT reflection in the firewall settings.
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: neek on February 27, 2022, 05:52:58 pm
Thanks, yes, I'm sure it's that I don't have port reflection. I've turned it on but I'm not seeing anything different, and the behavior is the same that I can't access those external services from within my network (on a VLAN running atop LAN, if that matters).

Do I need to recreate all of my rules? I tried with HTTPS and I still don't see where a rule is created to remap the external -> internal address.

thanks!
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: Koldnitz on February 27, 2022, 06:15:06 pm
https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/ (https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/)

The part in the above link about split DNS might be useful to you.

It seems he did something similar to what you are doing.

Cheers,

Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: thefunkygibbon on February 27, 2022, 07:00:52 pm
I had the same issues with hairpin NAT when I first set up OPNsense. I'll dig out what I changed, as it now works ok.
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: neek on February 27, 2022, 07:58:31 pm
Thank you to @Koldnitz. I added DNS overrides to make this work, at least for now. I'd still prefer to solve this via the firewall rules so I don't need to explicitly add each host to Unbound (a wildcard won't work for what I need since I direct some entries to external services in the cloud). But for now, I'm at least able to get this working.

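The two options above (NAT reflection versus per-host DNS overrides) can be told apart from a LAN client by checking what each public hostname resolves to. The script below is an added example, not from the thread or from OPNsense; the WAN and DMZ addresses and hostnames are constructed placeholders. It reports, per name, whether a split-DNS override is already in effect, whether the name still resolves to the WAN address (and so depends on NAT reflection), or whether it points elsewhere (a cloud-hosted service that must not be overridden), and it emits plain Unbound `local-data` lines only for the names that need an override, which is the per-host approach neek wanted instead of a wildcard.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample values (not from the thread): the public WAN address of the
# firewall, the DMZ web server behind the port forward, and the names involved.
WAN_IP = "203.0.113.10"          # assumed OPNsense WAN address
DMZ_SERVER = "192.168.50.20"     # assumed nginx host in the DMZ
INTERNAL_HOSTS = ["myapp.mydomain.com", "files.mydomain.com"]
CLOUD_HOSTS = ["mail.mydomain.com"]  # legitimately hosted outside, never override

Resolver = Callable[[str], str]


def classify(resolved: str) -> str:
    """Explain what a LAN client will hit when it connects to this address."""
    if resolved == DMZ_SERVER:
        return "override active: LAN reaches the DMZ server directly"
    if resolved == WAN_IP:
        return "resolves to WAN: works from LAN only with NAT reflection enabled"
    return f"resolves elsewhere ({resolved}): leave alone, likely a cloud service"


def audit(hosts: List[str], resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Resolve each name with the given resolver (injectable for offline tests)."""
    results: Dict[str, str] = {}
    for name in hosts:
        try:
            ip = resolve(name)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            results[name] = f"lookup failed: {exc}"
            continue
        results[name] = classify(ip)
    return results


def unbound_overrides(hosts: List[str], resolve: Resolver = socket.gethostbyname) -> List[str]:
    """Emit Unbound local-data lines only for names that still resolve to the WAN IP,
    so cloud-hosted names in the same domain stay untouched (no wildcard needed)."""
    lines: List[str] = []
    for name in hosts:
        try:
            if resolve(name) == WAN_IP:
                lines.append(f'local-data: "{name}. IN A {DMZ_SERVER}"')
        except OSError:
            pass  # unresolvable names get no override; surface them via audit()
    return lines


if __name__ == "__main__":
    for name, verdict in audit(INTERNAL_HOSTS + CLOUD_HOSTS).items():
        print(f"{name}: {verdict}")
    print("\n".join(unbound_overrides(INTERNAL_HOSTS)))
```

The emitted lines are raw Unbound syntax; in the OPNsense GUI the equivalent is one host override per name. Run it from a LAN client so the lookups go through the firewall's Unbound, not an external resolver.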
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: thefunkygibbon on February 27, 2022, 11:31:05 pm
Yeah, I tried to use DNS but kept getting issues with it getting confused and not working for a while etc.

Just make sure you have all three NAT settings ticked in Firewall: Settings: Advanced,

and create a NAT port forwarding rule for what you want; make sure NAT reflection is ticked in the rule, and auto-create a filter rule too.
If you've done it right you'll see the rule in the Firewall: Rules: Floating bit.
Make sure it's top of the rules.

That's what I've got, and it now works. Hopefully it does for you.
Title: Re: DMZ web server inaccessible from LAN, but fine from WAN
Post by: neek on February 28, 2022, 12:05:42 am
Thank you! Yes, for some reason I only had the Firewall Advanced setting for "Reflection for port forwards" set; the other two were not. Turning those on and reloading the firewall seems to have done the trick, even after I deleted the overrides in Unbound. Thanks very much!

Title: Re: [SOLVED] DMZ web server inaccessible from LAN, but fine from WAN
Post by: thefunkygibbon on February 28, 2022, 10:12:14 am
Awesome. Glad it worked for you! :)