General Discussion / help with NAT and port forwarding
« on: May 21, 2022, 06:45:48 am »
Hello, I am probably just misunderstanding how network should work and I would like some help.
I have 2 separate networks living on separate VLANs; OPNsense is the router on both VLANs and the gateway to the internet, as it's the only one connected to my ISP box. Lan1 is 10.0.10.0/24, Lan2 is 10.0.20.0/24.
I run gitlab with a container registry on 10.0.10.10 and have it properly exposed to internet with a fqdn, certificate, and port forwarding.
Now when I pull from this repository I use its public name, which returns my WAN address, and it works fine when the computer that pulls is itself on the internet; it works fine as well if the computer is on lan2, 10.0.20.101 for instance.
But it simply times out when I use it from any host on 10.0.10.0/24, except for 10.0.10.10 itself, as for that one I probably put something in /etc/hosts to use the local loopback for registry.gitlab.example.com.
My understanding is that on 10.0.20.101, when I pull from registry.gitlab.example.com, it sends out packets to my public IP, port forwarding works fine and OPNsense is probably doing NAT automatically. As you can see, my understanding is probably incomplete here.
But from 10.0.10.101, when I try to pull from registry.gitlab.example.com, my understanding is that TCP packets go out to my public IP, and they are properly sent by OPNsense to 10.0.10.10 using my port forwarding, as I see them arrive on the 10.0.10.10 server in the GitLab logs. But I guess 10.0.10.101 receives an answer directly from 10.0.10.10 for a TCP session it's trying to open with a public IP, so it gets confused, just ignores the answer from 10.0.10.10 and waits for an answer from the public IP that never arrives, as it was just ignored.
Maybe my understanding is wrong but I welcome any help.
I do have a similar issue for other services that run on the same server on lan2.
I would really like my computers to all use DNS names and use the same names regardless of which network they are connected to, and I would rather have it done with NAT correctly and hopefully avoid having to run a DNS that manages to give different answers to the same query depending on who's asking.
I have tried to add a manual NAT rule on lan2 for my public IPs; it didn't seem to work, maybe because it's not the right solution, maybe because I have several WANs, so several public IPs that I keep in a hosts alias (NAT rules should work with aliases, no?).
My gut feeling is really that NAT is the issue, but I can't get my head around a solution. I like that no NAT is performed between lan2 and lan1, so logs in GitLab show the real IP of the user, but I think within lan1 I need something so both the IP request and answer go through the gateway and not directly between the hosts, probably staying on the switch. Or at least find something to not ignore the response ;)
Any help is welcome;)
Thanks in advance, and thanks for reading ;)
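As an added illustration of the mechanism the post describes (a toy model I wrote for this thread, not the poster's configuration or any OPNsense code), the script below simulates a LAN1 client opening a TCP connection to the public address. The client, server and firewall are reduced to the one thing that matters here: which (source IP, source port, destination IP, destination port) tuple each side expects to see. The client 10.0.10.101 and server 10.0.10.10 come from the post; the firewall's LAN1 address 10.0.10.1 and the public address 203.0.113.5 are assumed placeholder values. With only a port forward (rdr), the server answers the client directly from 10.0.10.10, the client's socket is waiting for a reply from 203.0.113.5, and the SYN-ACK is discarded, which is exactly the timeout described. With hairpin (reflection plus outbound NAT on the LAN interface), the source is rewritten to the firewall's address, the reply is forced back through the firewall, both translations are undone, and the client sees the reply it expects.

```python
"""Toy model of NAT reflection ("hairpin NAT") on a single LAN.

Constructed sample values: the client and the GitLab host are taken from the
thread; the firewall LAN address and the public IP (TEST-NET-3 range) are
assumptions used only for this model.
"""
from dataclasses import dataclass, replace

CLIENT = "10.0.10.101"
SERVER = "10.0.10.10"
FW_LAN = "10.0.10.1"       # assumed OPNsense address on LAN1
PUBLIC_IP = "203.0.113.5"  # placeholder public address
SERVICE_PORT = 443


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" or "SYN-ACK"


class Client:
    """Models the TCP stack: a reply is matched by (local port, peer ip, peer port)."""

    def __init__(self, ip):
        self.ip = ip
        self.sockets = set()

    def connect(self, dst, dport, sport=51234):
        self.sockets.add((sport, dst, dport))
        return Packet(self.ip, sport, dst, dport, "SYN")

    def receive(self, pkt):
        # No socket is waiting for a peer at pkt.src -> the stack drops the segment.
        return (pkt.dport, pkt.src, pkt.sport) in self.sockets


class Server:
    """Answers straight back to whatever source address the SYN carried."""

    def receive(self, pkt):
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN-ACK")


class Firewall:
    """Port forward (rdr) towards SERVER, optionally with outbound NAT (hairpin)."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.states = {}  # client source port -> client address (for the reverse path)

    def forward_out(self, pkt):
        if (pkt.dst, pkt.dport) != (PUBLIC_IP, SERVICE_PORT):
            return pkt
        self.states[pkt.sport] = pkt.src
        # Hairpin: rewrite the source so the server must answer via the firewall.
        src = FW_LAN if self.hairpin else pkt.src
        return replace(pkt, src=src, dst=SERVER)

    def reply_back(self, pkt):
        """Undo both translations for a reply that came back to the firewall."""
        client = self.states[pkt.dport]
        return replace(pkt, src=PUBLIC_IP, dst=client)


def simulate(hairpin):
    """Run one SYN/SYN-ACK exchange and report what each side observed."""
    client, server, fw = Client(CLIENT), Server(), Firewall(hairpin)
    syn = client.connect(PUBLIC_IP, SERVICE_PORT)
    forwarded = fw.forward_out(syn)
    reply = server.receive(forwarded)
    if reply.dst == FW_LAN:
        # Reply addressed to the firewall: translations are reversed on the way back.
        reply = fw.reply_back(reply)
    # Otherwise the reply is addressed to the client on the same VLAN and the
    # switch delivers it directly; the firewall never sees it.
    return {
        "server_saw_source": forwarded.src,
        "reply_from": reply.src,
        "accepted": client.receive(reply),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin" if mode else "rdr only ", simulate(mode))
```

The second run also shows the trade-off the post touches on: once outbound NAT is applied on LAN1, the GitLab logs record the firewall's LAN address instead of the client's, which is the price of reflection within the same subnet (traffic from lan2 is unaffected, since it already crosses the firewall in both directions). In OPNsense this is what the reflection options under Firewall: Settings: Advanced do, with "Automatic outbound NAT for Reflection" providing the source rewrite modelled here; the alternative that keeps real client IPs is the split-horizon DNS answer the poster would rather avoid.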