Unable to access internal webservers via OPNsense box, works for LAN and WAN

Started by blizzard4337, March 29, 2025, 01:32:37 AM

Hey all,

I've been trawling looking for a solution to this for a while as I feel I've missed something very obvious but I'm at a loss to explain what it is.

My basic set up is a couple web servers behind an OPNsense router. All web traffic comes in to the router and is passed straight to the reverse proxy (nginx) sitting on another server.

I initially used NAT reflection, but later changed this to a hairpin NAT as per https://docs.opnsense.org/manual/how-tos/nat_reflection.html.

Right now I'm getting an odd error where I can access the webserver on the LAN via any device on the LAN, and I can access the webserver via a device not connected to the LAN (I can also access it via the couple of VPNs I've been messing with). When trying to access it via the router, it's unable to route to the right location; if I SSH in and use curl, I can see that it's returning the DNS rebind error page. The router is happy accessing the internet, or being accessed by any device on the LAN.

I initially assumed that this was some weirdness where the router isn't technically on the LAN net, so tried setting up similar rules for that specifically but it's changed nothing.

There are a number of similar issues (only accessible externally, not via LAN at all) but nothing that quite matches it - please point me at that post if I've missed it!

Thanks!

I'm guessing it is DNS but you can check here: https://isitdns.com/ ;-)

Try hosts entries for your reverse proxy on a LAN device and check that it works. If you have another server, why not make it an authoritative DNS for your LAN?

I was suspecting the same, but I'm starting to tear my hair out when it comes to why this is acting differently to every other device in and out of the network.

Spent longer than I care to admit swapping back to my old DNS setup (pi-hole on a separate device as DNS server for the LAN). I've been using OPNsense as my DNS server since I set it up, as it seemed to replace the pi-hole and honestly do a better job.

So now I can see all network queries passing through the pi-hole, but OPNsense is still resolving every external domain to itself.

I assume I've messed up the hairpin NAT - but I've now gone through the process 3 or 4 times so I'm hoping if that's what I did wrong I'd have noticed it by this point.

Is there any way that the OPNsense box treats itself as separate from the rest of the network it's on? I found "Do not use the local DNS service as a nameserver for this system" and made sure it's ticked (and tried it off as well, just to make sure I wasn't misreading it).
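Added example (not from the thread, and not OPNsense's own tooling): a small POSIX shell script that makes the "is the router resolving the domain to itself?" question concrete. It classifies the A-record answer for a published hostname relative to the addresses of the machine doing the lookup, so the same script run on the OPNsense box and on a LAN client shows why the two can behave differently. The addresses 203.0.113.10 (WAN), 192.168.1.1 (OPNsense LAN side) and 192.168.1.20 (nginx reverse proxy) are assumed for illustration; the upstream resolver 9.9.9.9 is an arbitrary choice; `host(1)` is the ldns host shipped in FreeBSD base; and the HTTP probe's match on the word "rebind" assumes the GUI's rebind error page contains that word.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies what an A-record answer for a
# published hostname means depending on where the lookup is made.
# All addresses are assumed for illustration (hypothetical):
#   WAN 203.0.113.10, LAN side of OPNsense 192.168.1.1, nginx proxy 192.168.1.20.

# addr_in_list NEEDLE "ADDR ADDR ..." -> exit 0 if NEEDLE is in the list
addr_in_list() {
    needle=$1
    for a in $2; do
        [ "$a" = "$needle" ] && return 0
    done
    return 1
}

# classify ANSWER "SELF_ADDRS" PROXY_ADDR WAN_ADDR
#   ANSWER      the address the resolver returned ("" if nothing)
#   SELF_ADDRS  every address of the host doing the lookup
# Prints one of: unresolved, self, split-dns, hairpin, external
classify() {
    answer=$1
    self=$2
    proxy=$3
    wan=$4
    if [ -z "$answer" ]; then
        echo unresolved          # resolver gave no A record
    elif addr_in_list "$answer" "$self"; then
        echo self                # this host would connect to itself
    elif [ "$answer" = "$proxy" ]; then
        echo split-dns           # host override / local zone points at nginx
    elif [ "$answer" = "$wan" ]; then
        echo hairpin             # public address; relies on NAT reflection
    else
        echo external            # some other address entirely
    fi
}

# diagnose_live HOSTNAME: run on the OPNsense box (or a LAN client) and
# compare the local resolver with an upstream one. Uses host(1) from the
# FreeBSD base system; 9.9.9.9 as upstream is an arbitrary choice. The
# upstream answer is taken as the WAN address (assumption: that is what
# the public zone publishes).
diagnose_live() {
    h=$1
    self=$(ifconfig | awk '/inet /{print $2}' | tr '\n' ' ')
    local_ans=$(host -t A "$h" 2>/dev/null | awk '/has address/{print $4; exit}')
    upstream_ans=$(host -t A "$h" 9.9.9.9 2>/dev/null | awk '/has address/{print $4; exit}')
    echo "nameservers in use: $(awk '/^nameserver/{print $2}' /etc/resolv.conf | tr '\n' ' ')"
    echo "local resolver   -> $local_ans ($(classify "$local_ans" "$self" "$PROXY_ADDR" "$upstream_ans"))"
    echo "upstream 9.9.9.9 -> $upstream_ans"
    # Optional HTTP probe: send the real Host header to whatever address the
    # local resolver gave and look for a rebind error page in the reply.
    if [ -n "$local_ans" ] && command -v curl >/dev/null 2>&1; then
        curl -sk --max-time 5 --resolve "$h:443:$local_ans" "https://$h/" \
            | grep -qi rebind && echo "HTTP probe: $local_ans answered with a DNS rebind page"
    fi
}

PROXY_ADDR=${PROXY_ADDR:-192.168.1.20}   # assumed nginx address; override via env
if [ $# -gt 0 ]; then
    diagnose_live "$1"
fi
```

Run it as `sh diag.sh www.example.net` once from a LAN client and once over SSH on the firewall. The point of the `self` class is that the same WAN answer is `hairpin` on a LAN client (the WAN address is not one of its own) but `self` on the router, and a connection the firewall opens to one of its own addresses is handled by its own listeners rather than by a reflection rule on the LAN interface, which is consistent with curl on the box getting the GUI's rebind page; that reading is the example's, not a finding from the thread. A `split-dns` answer on both machines is the outcome a host override for the proxy address would give.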

System: Settings: General

What setting do you have for 'Allow DNS server list to be overridden by DHCP/PPP on WAN'?

Services: Unbound DNS: General

Do you have Unbound enabled?

I don't run any DNS service on OPNsense. It uses internal DNS from my authoritative internal servers only. Self-hosted FTW ;-)