Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Half of requests block from internal host to itself - rdr rule
« previous
next »
Print
Pages: [
1
]
Author
Topic: Half of requests block from internal host to itself - rdr rule (Read 1562 times)
francisaugusto
Newbie
Posts: 19
Karma: 0
Half of requests block from internal host to itself - rdr rule
«
on:
November 20, 2023, 10:27:56 am »
Hi,
I have a setup where I have port forwarding setup for port 443 to my reverse proxy on one of my vlans.
The thing is that when my host send a request to the port 443 my WAN address, half of the time I get the request, half of the time I get connection refused.
It goes like this:
✘ francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
#works
francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
# works
francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
#works
francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl
https://auth.mydomain.com/realms/mydomain/account
# works
Basically, every other request goes through.
When the connection is refused, I see a blue line log on firewall where the label says "rdr rule".
What can I do to fix this?
«
Last Edit: November 20, 2023, 10:35:26 am by francisaugusto
»
Logged
Patrick M. Hausen
Hero Member
Posts: 6832
Karma: 574
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #1 on:
November 20, 2023, 11:06:54 am »
Does auth.mydomain.com resolve to two different IP addresses?
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #2 on:
November 20, 2023, 11:12:23 am »
nope!
host auth.mydomain.com
auth.med-lo.eu has address XX.XX.XX.XX <--- my wan address
Logged
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #3 on:
November 20, 2023, 11:24:33 am »
I just realized now that this applies to all traffic to port 443 originating from the same vlan.
In short: when sending a request to port 443 of my WAN address from any host in the vlan where the port forwarding rule to port 443 sends traffic to, this happens. Half of requests goes through, half doesn't.
Is this a bug? Is there a way where I can override this behavior?
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #4 on:
November 20, 2023, 11:27:18 am »
Maybe hitting OPN UI intermittently. Did you disable the UI redirection on the port 443?
Logged
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #5 on:
November 20, 2023, 11:30:46 am »
yes, it is disabled, and I use another port for the UI.
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #6 on:
November 20, 2023, 11:57:38 am »
So you are testing from an inside VLAN, not from the outside. I didn't get that from the first post.
I would try changing the reflection setting in the nat:port-forward rule. I'm not 100% on that setting but I had trouble with a rule and had to change reflection from default to disabled. It fixed my problem but I can't explain it.
Logged
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #7 on:
November 20, 2023, 12:32:46 pm »
It doesn't help - if I disable it, I get no traffic at all from my vlan that is sent to WAN at port 443.
Logged
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #8 on:
November 20, 2023, 01:04:22 pm »
Things I tried so far:
- access from another host on the same vlan: same problem
- use another server instead of nginx, on another port: same problem
- disable nat reflector on the 443 port forwarding: no traffic from my vlan goes through, only external traffic.
Logged
francisaugusto
Newbie
Posts: 19
Karma: 0
Re: Half of requests block from internal host to itself - rdr rule
«
Reply #9 on:
November 20, 2023, 01:33:25 pm »
This is not a solution, but overriding the hostname internally via DNS seems to solve the issue. But I'd rather not do it since I'd have to do it for every domain name.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Half of requests block from internal host to itself - rdr rule