Make OPNsense that is behind a FRITZBox reachable through internet

[steven11]

Hi,
I am trying to make my OPNsense reachable through the internet. Unfortunately my ISP forces me to use a FRITZBox as a cable modem and therefore the OPNSense is behind the FRITZBox (which can't be set to bridge mode!).

I set up a DNS A record at my hoster so that my internet address www.blablabla.de points to my static IP address (let's say 130.xxx.yyy.zzz).
In short, my network structure looks like this:

Internet --> FRITZ Box (WAN: 130.xxx.yyy.zzz; LAN: 192.168.178.1/24) --> OPNsense (WAN: 192.168.178.2/24; LAN: 192.168.0.1/24)


On the FRITZBox I added port forwarding for HTTP and HTTPS to my OPNsense.

Now, when I enter https://www.blablabla.de in Chrome, a page of my FRITZBox appears that the request was rejected because of DNS rebind protection.
Q1: shouldn't the FRITZBox already forward the request to my OPNsense?


Well, then I added www.blablabla.de as an exception to the DNS rebind rules. Now when I refresh the browser tab, it opens the login page of my FRITZBox???


Maybe I misunderstand something from the ground up, but shouldn't it forward the request to the OPNsense in this case and show me the login page of the OPNsense?
What am I doing wrong here?

Thanks, Steven

[Patrick M. Hausen]

That only works from outside your network - as far as I know the Fritzbox does not support hairpin NAT.

You could use a DNS override in e.g. Unbound to point to the private address of your OPNsense when you are connected to an internal network.

[steven11]

omg you are right! When I access the URL through my cell phone, it works :-)

I have Unbound running, but I have no clue about it...can you elaborate this?

[Patrick M. Hausen]

Services > Unbound > Overrides - create an entry for "www.blablabla.de" that points to the internal address of your OPNsense.

[steven11]

Thank you, it works now!