Hey Folks - I'm switching over to OPNsense and it's been pretty painless.
The port forwards and firewall rules are set up. External access seems to be working fine.
My domain name and subdomain point to my public IP and NPM.
I can't seem to get internal lan access working to my domain / subdomains.
I found a bunch of posts about using unbound overrides to fix this but it doesn't seem to be working. Seems pretty straightforward but I must be missing something.
			
Hey,
either use NAT Reflection: https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Split DNS Zone: (But not with unbound overrides, they can be a bit unreliable. Better with something like BIND that can do proper authoritative zones)
Or even better use a modern reverse proxy directly on the OPNsense:
https://docs.opnsense.org/manual/how-tos/caddy.html
			
Thanks. I have "Reflection for port forwards" ticked in the advanced firewall settings.
NPM is running on a VM in my lab. I saw that there is an option built into OPNsense - I don't like to keep all my eggs in one basket.
I tried the suggestions in the provided link but still no luck.
			
I got this working. I ticked "Automatic outbound NAT for Reflection" under advanced firewall settings. That's in addition to "Reflection for port forwards".
No other reflections or hairpin or unbound setup was needed after that.
I'll monitor for a day before marking this as solved.
			
Yes, you need that since your client that tested the connection and your NPM server are most likely in the same subnet. That's why these Source NAT rules are needed.
If they would be in different routed subnets, that setting would not be needed.
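To make the point in the last reply concrete, here is a small model of the reflected connection, added as an illustration and not taken from OPNsense or from anyone in the thread. It traces one client SYN and the server's reply through a firewall that does the reflected port forward (DNAT), with and without the extra source NAT that "Automatic outbound NAT for Reflection" creates. All addresses (203.0.113.10 as the WAN address, 192.168.1.0/24 as the LAN, 192.168.1.50 as the NPM VM, 192.168.2.20 as a client on a separately routed subnet) are constructed for the example.

```python
"""Model of hairpin (reflected) NAT: why source NAT is needed when the LAN client
and the internal server share a subnet. All addresses are constructed examples."""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed: firewall WAN address (RFC 5737 doc range)
LAN_GW = "192.168.1.1"       # constructed: firewall LAN interface address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_IP = "192.168.1.50"   # constructed: NPM reverse-proxy VM on the LAN
FORWARDED_PORT = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def reverse(pkt: Packet) -> Packet:
    """The reply to pkt: addresses and ports swapped."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)


def firewall_inbound(pkt: Packet, outbound_nat_for_reflection: bool) -> Packet:
    """Reflected port forward: DNAT public:443 -> server:443, optionally followed by
    source NAT to the firewall's LAN address for clients on the server's own subnet."""
    if pkt.dst != PUBLIC_IP or pkt.dport != FORWARDED_PORT:
        return pkt
    pkt = Packet(pkt.src, SERVER_IP, pkt.sport, FORWARDED_PORT)   # DNAT
    if outbound_nat_for_reflection and ipaddress.ip_address(pkt.src) in LAN_NET:
        pkt = Packet(LAN_GW, SERVER_IP, pkt.sport, FORWARDED_PORT)  # SNAT
    return pkt


def server_next_hop(reply: Packet) -> str:
    """The server's routing decision for its reply. Anything on its own subnet is
    delivered directly (ARP), bypassing the firewall; everything else goes to the
    default gateway, which is the firewall."""
    if reply.dst == LAN_GW:
        return "firewall"
    if ipaddress.ip_address(reply.dst) in LAN_NET:
        return "direct"
    return "firewall"


def simulate(client_ip: str, outbound_nat_for_reflection: bool):
    """Return (connection_works, explanation) for one client -> public IP connection."""
    original = Packet(client_ip, PUBLIC_IP, 40000, FORWARDED_PORT)
    translated = firewall_inbound(original, outbound_nat_for_reflection)
    # Firewall state table: translated 4-tuple -> original packet, used to undo NAT.
    state = {(translated.src, translated.sport, translated.dst, translated.dport): original}

    reply = reverse(translated)
    if server_next_hop(reply) == "direct":
        # Reply never passes the firewall, so nothing translates it back.
        seen_by_client = reply
    else:
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        orig = state[key]
        seen_by_client = reverse(orig)   # firewall restores public IP as the source

    expected = reverse(original)
    if seen_by_client == expected:
        return True, f"reply came from {seen_by_client.src} via the firewall; state matches"
    return False, (f"reply came directly from {seen_by_client.src}, but the client "
                   f"expects {expected.src}; the stray packet is dropped")


if __name__ == "__main__":
    for client, snat in [("192.168.1.20", False), ("192.168.1.20", True),
                         ("192.168.2.20", False)]:
        ok, why = simulate(client, snat)
        print(f"client={client} outbound_nat={snat}: {'OK ' if ok else 'FAIL'} {why}")
```

The model reproduces the three situations in the thread: a same-subnet client fails with only "Reflection for port forwards" because the server answers it directly and the client sees a reply from 192.168.1.50 instead of the public address it connected to; enabling the source NAT forces the reply back through the firewall, where the state entry restores the public address; and a client on a separately routed subnet works without the source NAT because its replies already have to cross the firewall.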