Unbound DNS override and firewall rules

Started by TheToto318, August 30, 2020, 12:07:39 PM

Hello everyone,

I just set up my new OPNsense firewall on my network and I would like to access my domain name from my LAN when my internet is down.

For the example, my domain name is: test.ovh
My host IP is: 192.168.1.25

So I made an Unbound DNS override rule to link my domain name to my host's local IP. Everything is working, I get a ping...

My nginx reverse proxy runs on port 4443, so I made a rule, the same as on my WAN interface, to redirect all the HTTPS traffic to this port.



That's where I got a problem: it is not working, failed connection on Firefox.

If anyone has an idea, I don't know what I am doing wrong.

Regards,
Thomas


Is your client on the same subnet as your NAS device? I would assume that you are not traversing the firewall for a local connection to your NAS and therefore this is not working.

Sent from my MI 9 using Tapatalk


I'm on the same subnet. I made this rule just because the HTTPS requests have to be redirected to port 4443 of my host.

"For the example, my domain name is: test.ovh
My host IP is: 192.168.1.25"
192.168.1.25 - is it the IP of OPNsense or the target server?

It's the target server.

To make it simple, I would like to redirect all the HTTPS LAN traffic that has my target server as destination to this same server, but on port 4443.

If I make "https://test.ovh:4443" it is working.

Quote from: TheToto318 on August 30, 2020, 02:23:37 PM
I'm on the same subnet. I made this rule just because the HTTPS requests have to be redirected to port 4443 of my host.
Yes, that's the issue. If you are on the same subnet, your packets to the server never traverse the firewall, as no routing is needed. You can solve this either by moving your server to another subnet, or your clients, and letting the firewall route between those (as it is doing for the WAN side as well).

Sent from my MI 9 using Tapatalk


Quote from: TheToto318 on August 30, 2020, 02:39:39 PM
It's the target server.

To make it simple, I would like to redirect all the HTTPS LAN traffic that has my target server as destination to this same server, but on port 4443.

If I make "https://test.ovh:4443" it is working.
So your local DNS should point the test.ovh record to the OPNsense LAN IP.
And you don't need a redirect rule if you use nginx to proxy requests, since by default OPNsense allows all traffic from the LAN subnet to the LAN interface; you only need DNS to resolve to the LAN interface of OPNsense.

test.ovh points to my target host, not my OPNsense host.
If my nginx reverse proxy on my NAS ran on port 443 I would not have any problem, but it runs on port 4443. So I need something to redirect the traffic.

The solution would be, like Quetschwalze said, to move my NAS to another subnet (on the WAN, for example), but I don't want to; it serves as a DHCP client and I have a lot of services running on it, and I don't want to make a rule for each.

August 30, 2020, 04:43:45 PM #8 Last Edit: August 30, 2020, 05:01:11 PM by Fright
Oops, I thought that nginx was running on OPNsense )
So, whatever. DNS should still point to the OPNsense LAN IP. Then OPNsense can forward traffic from 443 on the LAN interface to 4443 on the NAS (with the rdr rule you already have, but Destination should be "LAN Address" or "This Firewall").

But in this case the NAS will reply directly to the client, because the NAS and the client are on the same subnet.

You can install the nginx plugin on OPNsense and stream traffic from 4443 to 443 on the NAS (in this case traffic will be terminated on OPNsense; the NAS will communicate with OPNsense).


Hey Fright,

I made the same rule in port forwarding but changed the destination to LAN address.



It's again not working. I really don't understand why.

Does DNS resolve test.ovh to the OPNsense LAN IP?
You don't need to forward the request, you need to terminate the session and establish a new one.
So you need some reverse proxy or stream (nginx\haproxy).
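The two replies above (the rdr rule failing because the NAS answers the client directly, and the need to terminate the session on the firewall) describe a TCP stream proxy. The configuration below is an added example, not from this thread or the OPNsense nginx plugin, showing what that looks like in plain nginx syntax; the OPNsense LAN address 192.168.1.1 is an assumption (the thread never states it), while the NAS address 192.168.1.25 and ports 443/4443 come from the posts. With the Unbound host override pointing test.ovh at the OPNsense LAN address, the client's connection terminates on OPNsense and a new session is opened to the NAS, so both halves of the flow pass through the firewall and the same-subnet reply problem disappears.

```nginx
# Added example (not from the thread): TCP stream pass-through on OPNsense.
# Unbound host override: test.ovh -> OPNsense LAN address (assumed 192.168.1.1).
# The client connects to 192.168.1.1:443; nginx opens a new TCP session to the
# NAS at 192.168.1.25:4443 and relays bytes. TLS stays end-to-end: the NAS still
# terminates it with its own certificate, and OPNsense never sees plaintext.
stream {
    upstream nas_https {
        server 192.168.1.25:4443;
    }

    server {
        # Bind only on the LAN address so this listener does not compete with
        # the existing WAN port-forward or with the OPNsense web GUI.
        listen 192.168.1.1:443;
        proxy_pass nas_https;
        proxy_connect_timeout 5s;

        # Optional: hand the real client IP to the NAS. Requires the NAS side to
        # be configured with "listen 4443 ssl proxy_protocol;" as well; without
        # it the NAS logs every connection as coming from 192.168.1.1.
        # proxy_protocol on;
    }
}
```

Two caveats worth checking before relying on this: the OPNsense web GUI listens on 443 by default, so it must be moved to another port (or bound elsewhere) before nginx can take 443 on the LAN address; and once the stream listener works, the LAN port-forward rule from the thread should be removed, otherwise packets to 192.168.1.1:443 are rewritten by pf before nginx ever sees them. Because the NAS now sees the firewall as the source of every connection, any per-IP rate limiting or access logging on the NAS needs the PROXY protocol option enabled on both ends to remain meaningful.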

Hey,

Problem fixed with an nginx reverse proxy!


September 04, 2020, 06:55:11 PM #14 Last Edit: September 20, 2020, 12:20:39 PM by Sekhwek
Excellent thread! Thank you!