hi,
So I have a specific problem which involves NAT Reflection for a vpn link.
This vpn link is not equiped with a private ip but a public routable ip totally open in terms of port.
So an outbound Nat has been activated on the interface associated to this link.
To link my self-hosted VMs, it's going through internal qemu networks linked to the opnsense VM
So there is an interface between the guests and the vpn link interface.
client at 172.20.0.33 -> interface dhcp 172.20.0.31 -> interface openvpn link with the public ip.
I didn't notice at first the NAT reflexion parameters so it was not activated when I did the prot forwarding but even so it has apparently little importance.
The port forwarding is working great.
The problem is the NAT Reflexion. I can't do a curl from inside the client to the public ip (which means reaching the client itself) and so I can't make certbot from let's encrypt work.
I'm sure it's the NAT Reflexion since we did some testing and by adding a line to /etc/hosts.conf in this debian VM to the actual domain, I have been able to create a certificate. So the problem is not between the Let'sEncrypt servers and the client but well with the client being able to communicate with itself.
Apparently the parameters when activated, don't do a thing.
I don't see any new rules, I tried to recreate one with the port 80 and 443 but it did the same as before.
I know that some will advise to do splitDNS but before you advise that I suggest you do read about yunohost project.
If you read it carefully you will I think clearly understand why create a dozen of zones files with only one to 3 records in it it's more of a hassle. Plus we should be able to rely on NAT Reflexion too even if some of you don't like it.
So what am I missing here? Which rules or parameters should I activated? Is the problem that here are 2 interfaces here ? or is it something else?
Thanks in advance
or at least can someone from the team explain how they implemented the NAT reflection and what's its limitaitons?
so for now, my tcpdump looks like that when I try to reach from the vm to the same VM with a curl command but going through nat reflection of opnsense
Can someone tell me what's wrong?
20:35:00.103266 IP (tos 0x0, ttl 64, id 36664, offset 0, flags [DF], proto TCP (6), length 60)
random.io.33302 > galene.random.io.http: Flags [S], cksum 0xb243 (incorrect -> 0x53ff), seq 1243147436, win 64240, options [mss 1460,sackOK,TS val 2966215938 ecr 0,nop,wscale 7], length 0
20:35:01.105994 IP (tos 0x0, ttl 64, id 36665, offset 0, flags [DF], proto TCP (6), length 60)
random.io.33302 > galene.random.io.http: Flags [S], cksum 0xb243 (incorrect -> 0x5014), seq 1243147436, win 64240, options [mss 1460,sackOK,TS val 2966216941 ecr 0,nop,wscale 7], length 0
20:35:03.122008 IP (tos 0x0, ttl 64, id 36666, offset 0, flags [DF], proto TCP (6), length 60)
random.io.33302 > galene.random.io.http: Flags [S], cksum 0xb243 (incorrect -> 0x4834), seq 1243147436, win 64240, options [mss 1460,sackOK,TS val 2966218957 ecr 0,nop,wscale 7], length 0
20:35:07.346054 IP (tos 0x0, ttl 64, id 36667, offset 0, flags [DF], proto TCP (6), length 60)
random.io.33302 > galene.random.io.http: Flags [S], cksum 0xb243 (incorrect -> 0x37b4), seq 1243147436, win 64240, options [mss 1460,sackOK,TS val 2966223181 ecr 0,nop,wscale 7], length 0
so no one has ever tried NAT reflection through vpns ? or noone wants to answer me ?