accessing service outside > perfect. Accessing same service inside > cert errors

Started by grahamj, January 14, 2025, 10:43:12 PM

Good evening,

I'm coming from a very old Netgear Orbi setup and so please go easy on me. Have spent all day watching various tutorials and reading countless blogs/forums but still to no avail.

I have SeaFile in a docker container living on unRaid.
I have Nginx Proxy Manager sitting on the same unRaid server that handles certs and port forwarding.
I have a Raspberry Pi serving Pi-hole in my network, which OPNsense is using as the default DNS server.
I use no-ip for DDNS and have configured this in opnsense with no issues.


My NAT Port Forward rule is:
Interface: WAN
Source address: *
Source ports: *
Destination address: WAN address
Destination ports: 443
Redirect target IP: (internal IP)
Redirect target ports: (internal NGINX port)

When I access this from my mobile phone, works a treat. I can access SeaFile from the cname record I've set up in no-ip without certificate issues.
When I try to access the same url from my desktop PC within the network I get "hmmmm.... can't reach this page"

From various threads and videos on the internet, I'm of the understanding my NAT > Port Forward rule is the issue: I need to change NAT reflection. I have enable/disable/default as my options. It's set to enable by default.

When I change this to disable I get the following error message.

redacted-url uses encryption to protect your information. When Microsoft Edge tried to connect to redacted-url this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be redacted-url, or a WiFi sign-in screen has interrupted the connection. Your information is still secure because Microsoft Edge stopped the connection before any data was exchanged.

You can't visit redacted-url at the moment because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.


If, in Nginx Proxy Manager, I untick HSTS, I can bypass the certificate error and then I'm prompted with my OPNsense login page.

Any ideas what I'm doing wrong? If reflection is the issue, it appears it's not forwarding to the correct port.
SeaFile doesn't like being accessed from inside the network on a local IP address, and this has worked fine on Netgear Orbi before.

I read I could possibly add a custom DNS entry on the Raspberry Pi, but since the container is using a bridge network it doesn't have its own IP address and there appears to be no option for ports.


Any help would be greatly appreciated.

Quote from: grahamj on January 14, 2025, 10:43:12 PM
I read I could possibly add a custom DNS entry on the Raspberry Pi, but since the container is using a bridge network it doesn't have its own IP address and there appears to be no option for ports.

This is the recommended method. But if you need port translation, this is not an option for you. So yes, you will have to go with NAT reflection.

I guess your NGINX proxy is in your LAN, as well as the devices you want to access it from.
In this case you need to configure "Hairpin NAT".
How to do this is explained in the docs: Reflection and Hairpin NAT
You can configure one of the methods with outbound NAT. It's necessary that the source address in NATed packets to NGINX gets translated to the LAN address (S-NAT).

If your client is on the same LAN (subnet) as the proxy, you'd probably need both "Reflection for port forwards" and "Automatic outbound NAT for Reflection" enabled.

Before you do that, you probably want to change [System -> Settings -> Administration -> Web GUI -> TCP port] to something other than 443.