Local services work... but only through wan [SOLVED]

Started by DenisJosh, November 20, 2023, 03:49:08 PM

November 20, 2023, 03:49:08 PM Last Edit: November 25, 2023, 12:13:06 PM by DenisJosh
Hi there all,
these days I just installed OPNsense on a PC with 6 x LAN interfaces.

I have in my home some services that I use when I'm outside
But I use same services also when I'm at home.

The situation that I have is:

LAN1 - for home PC (192.168.1.x)
LAN2 - for all WiFi things (192.168.2.x)
WAN1 - for 5G FWA connection (192.168.100.x)
WAN2 - for ADSL connection (192.168.200.x)

On LAN1 I have a server that runs Nginx Proxy Manager, which receives the requests (port 443, 80) from outside
and sends the requests to various services inside my home.

When I call a service from outside, everything works very well.
But when I call a service from inside my home, it works, but some services ask me for a user and password as if I'm outside of my home.

So in this case I made a tracert in order to see which way the connection takes.
Here is the result:

C:\Users\denis>tracert service.casamia.com

Traccia instradamento verso casamia.com [4.44.2.22]
su un massimo di 30 punti di passaggio:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.100.1
  3    69 ms   314 ms    82 ms  151.5.187.213
  4    30 ms    36 ms    30 ms  10.75.83.65
  5    38 ms    21 ms    35 ms  151.7.50.216
  6    31 ms    32 ms    27 ms  151.6.3.182
  7    28 ms    21 ms    93 ms  151.6.1.180
  8    61 ms    49 ms    34 ms  vodafone.mix-it.net [217.29.67.29]
  9   142 ms    95 ms    26 ms  185.210.48.38
10    41 ms    35 ms    92 ms  10.177.82.144
11    44 ms   139 ms    45 ms  10.177.82.144
12    81 ms   127 ms    56 ms  192.168.150.6
13    36 ms    39 ms    31 ms  net-4-44-2-22.cust.vodafonedsl.it [4.44.2.22]

Traccia completata.


I also use Pi-hole on my DHCPv4 connections,
then Pi-hole's upstream is Unbound DNS (inside OPNsense).

In Unbound DNS I have ticked
Register DHCP Leases and Register DHCP Static Mappings.
I have also put my casamia.com in the System: General setup.

It seems a little complicated, but surely with a little help from some of you,
maybe I can solve this problem.

Thanks all in advance
Denis

Can someone there give me at least a little idea please? :-)

you should read about hairpinning https://forum.opnsense.org/index.php?topic=34925.0 but also if you are using names to reach services, you might need to use host overrides if you are using unbound. Searching the forum for host override, or online for split horizon should give you some solutions.
It seems your client is going out to the open internet and back in, and possibly reaching the service on a different LAN. Hint is generic because your post is also generic ;)
I mean your trace begins on 192.168.1.1 which I assume is your OPN router shell, and eventually comes in at 192.168.150.6 that is another Class C i.e. internal to your network(s) before hitting a public ip.
You are on the right thinking. The request starts internally and hits the service NOT internally. You need to think based on your setup, which path it is taking and correct that. That's where NAT, reflection and such techniques are used to keep them internal.
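An added diagnostic (not code from the thread or from OPNsense) that applies the reply's reading of the trace: it parses the hop lines the poster pasted, classifies each hop against the poster's LAN1/LAN2 ranges, and flags a hairpin when the local service name resolves to an address outside the LAN. The 192.168.1.10 answer at the end is a constructed value standing in for what an Unbound host override would return.

```python
import ipaddress
import re

# Hop lines from the two tracert runs posted in this thread (Windows tracert
# format); the WAN1 run is trimmed to the hops that matter for the diagnosis.
TRACE_VIA_WAN1 = """
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.100.1
  3    69 ms   314 ms    82 ms  151.5.187.213
  8    61 ms    49 ms    34 ms  vodafone.mix-it.net [217.29.67.29]
 12    81 ms   127 ms    56 ms  192.168.150.6
 13    36 ms    39 ms    31 ms  net-4-44-2-22.cust.vodafonedsl.it [4.44.2.22]
"""
TRACE_VIA_WAN2 = """
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms    <1 ms    <1 ms  net-4-44-2-22.cust.vodafonedsl.it [4.44.2.22]
"""
# The poster's LAN1 and LAN2; only these count as "inside" (not the WAN-side 192.168.100/200).
LANS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(trace):
    """Return (hop_number, address or None) per hop line; '*' timeouts give None."""
    hops = []
    for line in trace.splitlines():
        m = re.match(r"^\s*(\d+)\s", line)
        if not m:
            continue
        ips = IPV4.findall(line)  # the bracketed address wins over a resolved name
        hops.append((int(m.group(1)), ipaddress.ip_address(ips[-1]) if ips else None))
    return hops

def on_lan(addr):
    return addr is not None and any(addr in net for net in LANS)

def diagnose(trace):
    """Hairpin = the name resolved to an address outside the LAN, so the client
    leaves through a WAN gateway and comes back in via NAT (or never comes back)."""
    hops = parse_hops(trace)
    dest = hops[-1][1]
    public = [ip for _, ip in hops if ip is not None and ip.is_global]
    return {"destination": str(dest), "destination_on_lan": on_lan(dest),
            "public_hops": len(public), "hairpin": not on_lan(dest)}

if __name__ == "__main__":
    for label, trace in (("WAN1 (FWA)", TRACE_VIA_WAN1), ("WAN2 (ADSL)", TRACE_VIA_WAN2)):
        print(label, diagnose(trace))
    # Constructed answer an Unbound host override would return after the fix.
    print("override answer on LAN:", on_lan(ipaddress.ip_address("192.168.1.10")))
```

Both posted traces end on the public 4.44.2.22, so both are hairpins; only a host override that returns a LAN address makes the check pass.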

November 24, 2023, 07:25:08 AM #3 Last Edit: November 24, 2023, 07:27:25 AM by DenisJosh
Thanks a lot for your answer
I found this link (https://docs.opnsense.org/manual/how-tos/nat_reflection.html) that I'll study and I hope I'll resolve the issue.

In the meantime I understood an important thing...

The DNS setting of casamia.com sends the request to my WAN2 interface IP.
(This is because the ADSL line (WAN2) is more stable than the FWA (WAN1) line.)

So if I stop the WAN1 gateway and use the WAN2 gateway (ADSL) for the connection,
in this case the tracert uses only 2 hops:

C:\Users\denis>tracert  casamia.com

Traccia instradamento verso casamia.com [4.44.2.22]
su un massimo di 30 punti di passaggio:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms    <1 ms    <1 ms  net-4-44-2-22.cust.vodafonedsl.it [4.44.2.22]



Now in OPNsense I use a failover gateway (2 x WAN)
in order to have the connection from my home to the internet use ADSL (WAN2) if FWA (WAN1) is down.

So I have a new question, if I may...
Is it possible to build a failover also from the internet to my home?
I use Cloudflare DNS... maybe I can make a script that updates the Cloudflare DNS IP with the current WANx connection IP.

Thanks a lot for the help.
Denis



Unless you provide specifics, you'll have to do with non-specific answers ;) .
If you have your own domain like DennisJosh.com and services hanging off that domain like ServiceA.DennisJosh.com:443 then your INTERNAL domain name resolution (pihole, Unbound) will be needed to return a local ip to INTERNAL queries, so that the request does not go out to the internet and back in.

I used the Unbound service and put the service names in the Host Overrides.
And now all the local services work :-)

Thanks a lot for the help
Denis