NAT reflection + HA proxy setup question

Started by securid, January 20, 2024, 10:35:14 AM

Will this: https://forum.opnsense.org/index.php?topic=23339.0

work properly with NAT reflection and an s2s over WireGuard (between 2 OPNsense firewalls)?

Story:
Before I start fiddling for hours and banging my head against the wall, I started searching for an answer. I can't figure out whether what I want will actually work. Hopefully someone can help me with an answer?

I have a whole bunch of web services, mostly running from a single docker host. It's set up with nginx-proxy for automated certificate handling. It has become increasingly important and I need to change it to a HA setup. Furthermore, I have split DNS and NAT reflection set up. Some of these services are meant to be reachable from the outside, others are internal only.

Then some services run from a Pi or some other host, and getting them to renew certificates is cumbersome, as I have to manually disable one port forward and enable another, run the renewal and set it back.

And then yet another few services are offsite, accessible via s2s wireguard. I currently have a second nginx-proxy container running there specifically for the services running over there.

If I set up HAProxy following that guide, it would ease my life considerably, if that works for what I need. Will that work in my setup with NAT reflection and the s2s? I would remove nginx-proxy with the acme sidecar everywhere, I could use some random high ports on the docker containers and set up firewall rules to prevent hitting those services directly. All traffic would then be handled by HAProxy on OPNsense. Does it complicate things considerably compared to the guide?

January 20, 2024, 12:32:32 PM #1 Last Edit: January 29, 2024, 09:04:38 AM by Monviech
If you use a reverse proxy directly on the firewall you don't need NAT reflection.

Your firewall will listen on the actual external IP address, so there is no NAT for any request that gets handled by the reverse proxy directly.

It will receive the traffic and pass it to the backend target that has been specified.

That means split DNS for a reverse proxy is also not necessary, because the external IP address will be answered by the reverse proxy without being NATed.
Hardware:
DEC740
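The setup described in the reply above, as an added example that is not part of this thread, the linked guide or the OPNsense HAProxy plugin: a plain haproxy.cfg sketch showing why neither NAT reflection nor split DNS is needed. The frontend binds to the firewall's own WAN address, routes by SNI to backends on high ports (the docker host on the LAN and a host at the remote site reached over the WireGuard tunnel), and restricts an internal-only service to LAN and tunnel source ranges. All hostnames, addresses, ports and the certificate path are assumptions; the OPNsense plugin generates the equivalent configuration from its GUI.

```haproxy
# Added example (not from the guide or the plugin). Addresses, names and
# ports are assumed: 203.0.113.10 is the firewall WAN address,
# 192.168.1.0/24 the local LAN, 10.10.0.0/24 the remote site over WireGuard.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP only redirects to HTTPS.
frontend http_in
    bind 203.0.113.10:80
    http-request redirect scheme https code 301

frontend https_in
    # Bound on the real WAN address: an internal client that resolves
    # app.example.com to 203.0.113.10 lands here directly. No port forward
    # is involved, so there is nothing for NAT reflection to rewrite and no
    # need for a split-DNS override pointing at an internal address.
    bind 203.0.113.10:443 ssl crt /usr/local/etc/haproxy/wildcard.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # Route by TLS SNI (hostnames assumed).
    acl host_app      ssl_fc_sni -i app.example.com
    acl host_wiki     ssl_fc_sni -i wiki.example.com
    acl host_internal ssl_fc_sni -i admin.example.com

    # Internal-only service: LAN and the remote site over the tunnel only.
    acl from_lan src 192.168.1.0/24 10.10.0.0/24
    http-request deny deny_status 403 if host_internal !from_lan

    # Unknown names get nothing rather than a default backend.
    http-request deny deny_status 404 unless host_app or host_wiki or host_internal

    use_backend be_app      if host_app
    use_backend be_wiki     if host_wiki
    use_backend be_internal if host_internal

# Docker host on the LAN, containers published on random high ports.
backend be_app
    server app1 192.168.1.50:18080 check

# Service at the remote site; the tunnel is just another route for HAProxy.
backend be_wiki
    server wiki1 10.10.0.20:18084 check

backend be_internal
    server admin1 192.168.1.50:18090 check
```

The backend ports are only reachable through the proxy if the firewall also blocks direct client access to them, which is the firewall-rule part of the plan in the original question; HAProxy itself does not enforce that. Binding to the WAN address also means the service is reachable from the remote site by its public name over normal routing, with the reply leaving the tunnel interface as long as the remote firewall routes the public address through the tunnel or resolves the name to the WAN address normally.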

Thanks. I never really thought about it and I enable NAT reflection by default because at one point I actually needed it but never reconsidered why I still have it enabled. Turns out I don't actually need it at all ;D

The guide I linked explains that split DNS or NAT reflection is required when accessing a public service internally.

After reading your reply, I disabled NAT reflection, rebooted and removed the DNS overrides. I tested it and it resolves to the public IP. The webpage still loads up, and with the new wildcard certificate that I created during the guide. It seems you are right and "it just works". Neither option is actually required.

I also just realized I can move the services one at a time, so I'll migrate them gradually over to HAProxy.