accessing service outside > perfect. Accessing same service inside > cert errors

Started by grahamj, January 14, 2025, 10:43:12 PM

Good evening,

I'm coming from a very old Netgear Orbi setup and so please go easy on me. Have spent all day watching various tutorials and reading countless blogs/forums but still to no avail.

I have SeaFile in a docker container living on unRaid.
I have Nginx Proxy Manager sitting on the same unRaid server that handles certs and port forwarding.
I have a Raspberry Pi serving Pi-hole in my network, which OPNsense is using as the default DNS server.
I use no-ip for DDNS and have configured this in opnsense with no issues.


My NAT Port Forward rule is:
Interface: WAN
Address: *
Ports: *
Address: WAN Address
Ports: 443
IP: (internal IP)
Ports: (internal NGINX port)

When I access this from my mobile phone, works a treat. I can access SeaFile from the cname record I've set up in no-ip without certificate issues.
When I try to access the same url from my desktop PC within the network I get "hmmmm.... can't reach this page"

From various threads and videos on the internet, I'm of the understanding my NAT > Port forward rule is the issue, I need to change NAT reflection. I have enable/disable/default as my options. It's set to enable by default.

When I change this to disable I get the following error message.

redacted-url uses encryption to protect your information. When Microsoft Edge tried to connect to redacted-url this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be redacted-url, or a WiFi sign-in screen has interrupted the connection. Your information is still secure because Microsoft Edge stopped the connection before any data was exchanged.

You can't visit redacted-url at the moment because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.


If, in Nginx Proxy Manager, I untick HSTS, I can bypass the certificate error and then I'm prompted with my OPNSense login page.

Any ideas what I'm doing wrong? If reflection is the issue, it appears it's not forwarding to the correct port.
SeaFile doesn't like being accessed from inside the network on a local IP address, and this has worked fine on Netgear Orbi before.

I read I could possibly add a custom DNS entry to the Raspberry Pi, but since the container is using a bridge network it doesn't have its own IP address and there appears to be no option for ports.


Any help would be greatly appreciated.

Quote from: grahamj on January 14, 2025, 10:43:12 PM
I read I could possibly add a custom DNS entry to raspberry PI, but since the container is using a bridge network it doesn't have its own IP address and there appears to be no options for ports.

This is the recommended method. But if you need port translation this is not an option for you. So yes, you will have to go with NAT reflection.

I guess your NGINX proxy is in your LAN, as well as the devices you want to access it from.
In this case you need to configure "Hairpin NAT".
How to do this is explained in the docs: Reflection and Hairpin NAT
You can configure one of the methods with outbound NAT. It's necessary that the source address of NATted packets to NGINX gets translated to the LAN address (S-NAT).

If your client is on the same LAN (subnet) as the proxy, you'd probably need both "Reflection for port forwards" and "Automatic outbound NAT for Reflection" enabled.

Before you do that, you probably want to change [System -> Settings -> Administration -> Web GUI -> TCP port] to something other than 443.

Thank you both for the help and advice.
I tried options 2 & 3 from the linked article but some of the options did not exist for me (Firewall: Rules: Floating - Destination port range greyed out).

Curiously, I was going to try method 1, but instead decided to tick "Automatic outbound NAT for Reflection" just to see what happens, and it appears to have worked... in all but one instance.
I have several WAN-facing services (all docker containers, all sharing the same IP address on my unRaid server, albeit all with different ports (obviously!)) and only the most important is still giving me hassle. Nginx has the rule blah.blah.com > local.ip.address.26 port 8083 and instead it's taking me to local.ip.address.26 - the front page of my unRaid server. Something I absolutely do not want exposing to the wider internet.

In the last two days I've done a lot of messing around using this service as the test bed to get working. I'm guessing somewhere I've added a DNS forward or something. I've checked PiHole, nothing there. I did have a host override set in Services > Unbound DNS > Overrides, but have removed it and rebooted router, but still I keep going to this ruddy unraid page.

EDIT: It's started working now. With no changes. Cached results, maybe?

Thank you again for your help and support. Appreciate it very much.
Are there any obvious locations I should be looking at? Or not so obvious you can think of?

On the plus side, all this fiddling around has given me some confidence with OPNSense, and I'm really liking what I'm seeing. I'm just scratching my head now.