external ip links to opnsense router.

[kaneelschep]

Hi all.

I was using ipfire and it all worked fine.
But I was using usb lan for the lan on that thin client. As it has no pcie.
And it all just felt a bit laggy.

Now I got this other thin client with pcie and 2port intel lan card. And thought lets try some other router options on this.

So i installed opnsense. updated and started to set my port forwarding.
I can see the port is open on https://www.yougetsignal.com/tools/open-ports/ But it just wont go to that internal ip/my nas.
So I tried to just open my external ip without ports. And see it links to the opnsense router itself.

That cant be right.
Am I missing something here?
how do I change this?

Thanks!

[kaneelschep]

I read people having issues with latest version 21.7.6. Were 1 person solved his issues by reverting to 21.7.5.
So i tried that, and all my port forwards suddenly worked.
Also it does not link to opnsense with external ip.

So maybe there is something wrong with 21.7.6?

Thanks!

[kaneelschep]

I was too quick with joy. It still lets the webgui exposed under wan ip.
I reinstalled and it did this immediately.
Its unusable like this.
What could there be wrong?

[cookiemonster]

What is the question? Maybe it is just me but it seems unclear what you are asking or what seems to be the problem now that you are back on 21.7., and how have you troubleshot "the problem".

[kaneelschep]

Yes.. i wasnt very clear.
I was new to opnsense and after setup i found port forwards not working and external ip leading to router.
This confused me and i just didnt have the time to check what is what.
Yesterday night i had some time time to test and set up again. Cause who does not do this on christmas night, right?

So from an external ip it does not go to router and port forwards work fine.
But from internal ips, i cannot reach my server over external ip. Because the external ip keeps leading me to the router. Or when i use ports, it just doesnt find anything.

This is very annoying, since i use my external ip through my domain a lot on the phones, to reach my server. And i dont want to keep switching between using the internal and external ip to connect to my server.
As i use 4g next to the wifi a lot, i just always use external ip through domain to connect to server.

Is there an option i missed to turn this off easily?
I just want to be able to reach my server over external ip from my lan. Instead of being lead to the router.

Thanks!

Thanks!

[jp0469]

Based on your description, it feels like the port forward rules are misconfigured. Can you post an example of your rules?

[kaneelschep]

I used this
https://forum.opnsense.org/index.php?topic=8783.0
- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP

Under Source > Advanced:

- Source / Invert: Unchecked
- Source: Any
- Source Port Range: any to any

- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 3200 to (other) 3200

- Redirect target IP: Alias "media-server"
- Redirect target Port: (other) 3100

And the port forwards work fine.
My server and all its different services and ports are accessible from anywhere outside of the Lan through my domain name:port.
Just not on the lan. On the lan I can only reach them through internal IP: port.
Domain name: port will go to page unknown. Domain name: NO port, will lead to opnsense router admin page.

[jp0469]

Thanks for explaining that a little more. I think you need to enable NAT Reflection on your rule if you haven't already. It's near the bottom of the rule setting page.

[kaneelschep]

I have been reading about Nat reflection.
But this is a solution for a problem that shouldnt exist.

I dont want it to redirect to lan IP.
I just want the router to let me load the stupid external website. Even though this is actually a server on my own lan.
Who is this router to tell me I should use the internal IP instead of the external.

External IP should just lead me to exactly that. The external IP.
Not to the router opnsense admin page.

That is the problem here.

[jp0469]

It seems like you're asking for one thing and expecting something else.

I dont want it to redirect to lan IP.

Of course you do. Your server only has an IP on your LAN. The only connection between your external IP and the server is the router performing NAT based on correct forwarding rules.

Do you have a hostname/domain set up for your server? If so, you can create a DNS override in OPNsense (Unbound probably) that goes directly to your server's LAN IP.

[cookiemonster]

To add to that,do you have a pubic domain ie that resolves on the open internet domain name system to your public ip address? If yes, then as pointed out you could use unbound or dnsmasq to get your internal (LAN) clients resolve to the local (LAN) ip address of your server.
The principle is the same one though, you want your lan clients to go to the local ip of the server. Let's say you run your web server (assuming that is what it is) on port 8080. The server has a lan ip of 192.168.1.200
A local client on the same lan segment with an ip of 192.168.1.5 when trying to go to the server needs to go to the ip:port as you have found. The router/firewall works on ip and ports.
If you enter your webserver name for example mymedia.kaneelschep.com on the client, it needs to know what ip it has, so it goes out to the open internet to ask a DNS server (that you have configured) and it gets your public ip address say 95.399.33.5. There you have gone from inside to outside and back at the WAN address. Here is where your firewall rules, NAT and port forwards kick in.

[kaneelschep]

Ok. I am obviously not as well trained in this kind of stuff as you. And I can only say it in simple terms.
So forget my rant.

But just tell me this.
1. Doesnt it sound logical to expect the phones/pcs on the lan to behave the same as for instance phones outside off the lan? They both have access to the same internet. and both only have to open a link on the internet with a port. I would think it being a link to my own lan would be unimportant here.
I feel it shouldnt matter if this is on my internet or 4g internet. Internet seems internet.  and link seems link.
You get my drift?

2. Why does ipcop or ipfire or any other router i have ever used, never had this 'issue'?
If this is because it automatically does nat reflection, then ok.
But for me, logically, this is weird.

I turned on: firewall / nat / advanced
Reflection for port forwards    
It didnt help.

Then I also turned on:
Automatic outbound NAT for Reflection    
Now my external ip:port directs to my server from lan too.

Thanks for the patience btw