OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • [Kinda Solved] NAT Reflection on Opnsense itself?
« previous next »
  • Print
Pages: [1]

Author Topic: [Kinda Solved] NAT Reflection on Opnsense itself?  (Read 822 times)

raldone01

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
[Kinda Solved] NAT Reflection on Opnsense itself?
« on: October 26, 2023, 03:30:53 pm »
Code: [Select]
      +------------------+
      | DNS              |
      | my.domain.com    |
      | A 193.222.222.22 |
      |                  |
      +-------+----------+
              |
      +-------+----------+
      |                  |     +-------------+
      | Internet         |     |             |
      | 193.222.222.22   +-----+             |   curl https://my.domain.com             -> Website of SERVER
      | +Public IP       |     | Internet PC |   curl https://193.222.222.22 --insecure -> Website of SERVER
      |                  |     +-------------+
      +------------------+
              ^
              |PPPOE WAN
              v
      +----------------+
      |                |  curl https://172.24.0.1     --insecure -> OPNSENSE WEB UI
      |  OPNSENSE      |  curl https://my.domain.com  --insecure -> Time out           I want this to yield the Website of SERVER
      |                |  curl https://193.222.222.22 --insecure -> Time out
      +-----+----------+
            |172.24.0.1/16
            +---------+
            |         |
+-----------+--+   +--+----------+
| 172.24.69.69 |   | 172.24.1.31 |  curl https://172.24.0.1     --insecure -> OPNSENSE WEB UI
|              |   |             |  curl https://my.domain.com             -> Website of SERVER
| SERVER       |   | PC          |  curl https://193.222.222.22 --insecure -> Website of SERVER
+--------------+   +-------------+

+--------------------------------------------------------+  +-------------------------------------------+
| NAT Port Forward                                       |  | Reflection for port forwards          OFF |
|                                                        |  |                                           |
| IF       Source       Dest           NAT          Port |  | Reflection for 1:1                    OFF |
|          Addr   Port  Addr     Port                    |  |                                           |
|                                                        |  | Automatic outbound NAT for Reflection OFF |
| LAN,WAN  *      *     WAN net  443   172.24.69.69 443  |  |                                           |
|                                                        |  |                                           |
+--------------------------------------------------------+  +-------------------------------------------+

+----------------------------------------------------------------------------+
| Outbound Hybrid NAT rule generation                                        |
|                                                                            |
| IF  Source   Source Port   Dest           Dest Port  NAT Adress   Nat Port |
|                                                                            |
| LAN LAN net  tcp/udp/*     172.24.0.0/16  tcp/udp/*  LAN address  *        |
|                                                                            |
+----------------------------------------------------------------------------+

I want to enable the nextcloud configuration backup option.
However my nextcloud server is behind opnsense.
Machines on the LAN and the internet can reach my nextcloud server.
Only opnsense itself is not able to contact it.

I have tried lots of different outbound and port forward rules.
I don't really know how to track down where it fails.

My WebUI only listens on the LAN interface.
I only listed settings I thought were relevant.
I can provide further information if needed.

Any help and direction is greatly appreciated.
« Last Edit: October 27, 2023, 10:08:24 am by raldone01 »
Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1595
  • Karma: 176
    • View Profile
Re: NAT Reflection on Opnsense itself?
« Reply #1 on: October 26, 2023, 03:45:22 pm »
The reflection from the OPNsense itself doesn't work for this kind of traffic.

You either have to use IPv6 GUA as AAAA-Record (so you don't need NAT) or use a Split DNS Zone (aka, put an A-Record with the internal IP address of your Nextcloud Server in the nameserver the OPNsense uses. For example, enable unbound, make the opnsense use 127.0.0.1, and then set it as domain override)

Heres an analysis I did a while ago: https://forum.opnsense.org/index.php?topic=35521.0
Logged
Hardware:
DEC740

raldone01

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: NAT Reflection on Opnsense itself?
« Reply #2 on: October 27, 2023, 10:07:44 am »
Thanks for the info.
I noticed the loopback problem too.
I guess I will have to re enable split dns.
What a shame.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • [Kinda Solved] NAT Reflection on Opnsense itself?
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2