Reverse proxy and opnsense issues from local network

[Xumepoc]

Hi,
First if that topic is already covered, excuse me. I did a search but nothing exactly the same as my issue (most are  due to IPS restrictions).

My setup

I have a opnsense router with 4 ports, one for WAN and three for LAN connections. I have a second machine with nginx acting as reverse proxy and web server with Let's Encrypt cerbot. The third machine is a Proxmox server with some VMs. The second machine, the third machine and some of the VMs have their own web addresses with url hostnames  - web.myhost.com, vm.myhost.com, etc.

Accessing all of these machines works just fine from outside the network. But if I try to access any of the machines in the network from within using the url hostnames (web.myhost.com for example) I get "A potential DNS Rebind attack has been detected." and Opnsense webpage.

If I activate the 1:1 option in the firewall, I can access the machines from within, but they now lose access to outside the network (I can't update them for example). I can still access them from outside of the network.

Is this a reverse proxy configuration issue or opnsense configuration issue?

[muchacha_grande]

Hi, I just searched for "DNS rebind attack" and found this issue marked as solved https://forum.opnsense.org/index.php?topic=14088.0.

[Xumepoc]

Unfortunately I already read and tested the implementation but it did not fixed the issue. What happened when I added the alternate hostnames of the machines in the network was that doing this I exposed the opnsense login page to the outside when trying to access the machines using the url hostnames (web.myhost.com for example).

[morik_opnsense]

I have the same issue as well. Using caddy instead of nginx. Were you able to solve it? If so, how?

[Monviech (Cedrik)]

If you use a reverse proxy as additional VM behind the OPNsense, you need to use Reflection and Hairpin NAT in order to get it work from inside your network. Because when you open your external IP address from inside your network, the OPNsense thinks it has to answer it.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

As alternative if you use Caddy, you can also run that directly on the OPNsense (look at my signature). With that, you don't need any complicate NAT rules for things to just work. (I explained why here, when somebody asked that about HA Proxy and NAT https://forum.opnsense.org/index.php?topic=38239)