Messages

1

24.1 Legacy Series / Re: NAT reflection with reverse proxy running on OPNsense

« on: March 26, 2024, 09:05:34 pm »

Okay that last one turned out to be an easy fix (I should do less network stuff when tired). All that was needed was a rule on the LAN interface that specified WAN1 as the gateway for any traffic to the IP of my domain (and for this, one can use an Alias).

It works as intended now.

2

24.1 Legacy Series / Re: NAT reflection with reverse proxy running on OPNsense

« on: March 25, 2024, 10:32:42 pm »

Okay so as it turns out, when both the upload as well as the download showed up on WAN1 yesterday, this actually meant that nothing was leaving the firewall and the traffic was instead being routed internally (turns out it probably would have been impossible otherwise after all, I feel less stupid now ).

I was able to verify this by checking the logs of the upstream DSL modem/Router. It also means that I need to tweak the settings of my Sharry webservice, because it currently doesn't seem to allow very fast upload speeds, which is why I didn't immediately notice. Anyway, that's a problem for another day.

There is still one issue with OPNsense however, it only seems to do this sometimes, other times it will still use WAN2 for the upload and in that case I can that the traffic is in fact being routed through the internet. Any ideas on how I can tell OPNsense not to use WAN2 in this case? Thanks for your help.

3

24.1 Legacy Series / Re: NAT reflection with reverse proxy running on OPNsense

« on: March 24, 2024, 09:59:51 pm »

I played around with your suggestion a bit and unfortunately it doesn't seem to fix the issue.

I was however able to observe that enabling the rule on WAN1 as well as WAN2 somehow results in the upload and the download being sent through WAN1, which I thought was impossible and the entire reason for NAT reflection existing. Oh well.

4

24.1 Legacy Series / Re: NAT reflection with reverse proxy running on OPNsense

« on: March 24, 2024, 08:18:44 pm »

Why do these connections route through the internet?

That's the million dollar question I guess. I can see the traffic exiting on WAN2 and coming in on WAN1 in the dashboard when uploading files to my Sharry filesharing service (also, the transfer speed matches with the upload speed of WAN2).

Could it be a DNS issue? I am currently running AdGuard via the OPNsense plug-in, however I am aware that this is technically not best practice.

5

24.1 Legacy Series / NAT reflection with reverse proxy running on OPNsense

« on: March 24, 2024, 07:02:42 pm »

Hi,

I am running a NGINX reverse proxy on OPNsense with Let's Encrypt certificates (via the ACME Client) to be able to access various services from the internet, which works well.

However, I have the issue that I simply can't seem to get NAT reflection to work properly. Now, I can still my services using their external domain from the WAN network, but that is only because I am using two physical internet connections (with load balancing & failover), so every time I try to do this, the traffic exits via WAN2 and comes back in on WAN1 after routing through the internet. This is obviously not ideal, especially for large file transfers. Note that my externally offered services all go through WAN1, since WAN2 is a cable connection without a dedicated IPv4 address.

My issue is that all guides seemingly assume that the reverse proxy is running on another IP address on the WAN network, which would allow to route the traffic there - however that is of course not the case for me. I also tried to solve this via DNS rewrites, but pointing it to the IP of the reverse proxy (i.e. the internal IP of OPNsense) didn't work.

What am I missing?

Thanks in advance for your help.