Half of requests block from internal host to itself - rdr rule

Started by francisaugusto, November 20, 2023, 10:27:56 AM

November 20, 2023, 10:27:56 AM Last Edit: November 20, 2023, 10:35:26 AM by francisaugusto
Hi,

I have a setup where I have port forwarding set up for port 443 to my reverse proxy on one of my vlans.

The thing is that when my host sends a request to port 443 of my WAN address, half of the time I get the request, half of the time I get connection refused.

It goes like this:

✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account #works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account # works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account #works
francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account
curl: (7) Failed to connect to auth.mydomain.com port 443: Connection refused
✘ francis@nginx $ curl https://auth.mydomain.com/realms/mydomain/account # works

Basically, every other request goes through.

When the connection is refused, I see a blue log line on the firewall where the label says "rdr rule".

What can I do to fix this?

Does auth.mydomain.com resolve to two different IP addresses?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
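To answer the question above systematically, here is an added diagnostic (not from any poster in this thread, and not an OPNsense tool) that resolves the hostname, then opens a plain TCP connection to each resolved address several times and tallies the outcomes per address. If one address always accepts and another always refuses, the cause is DNS returning two addresses; if a single address alternates between accepted and refused, the trouble is on the path to that one address (for example the reflection/rdr handling the original poster sees). The hostname below is a placeholder; the `resolver` and `connect` parameters exist only so the logic can be exercised offline with fakes.

```python
import socket
from collections import Counter


def resolve_addresses(host, port=443, resolver=socket.getaddrinfo):
    """Return the distinct IP addresses (IPv4 and IPv6) the host resolves to."""
    infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_once(addr, port=443, timeout=3.0, connect=socket.create_connection):
    """Attempt one TCP handshake; classify the result without sending any data."""
    try:
        sock = connect((addr, port), timeout=timeout)
        sock.close()
        return "ok"
    except ConnectionRefusedError:
        return "refused"
    except TimeoutError:  # socket.timeout is an alias of TimeoutError
        return "timeout"
    except OSError:
        return "error"


def probe_host(host, port=443, attempts=10,
               resolver=socket.getaddrinfo, connect=socket.create_connection):
    """Tally connection outcomes per resolved address: {addr: Counter(...)}."""
    results = {}
    for addr in resolve_addresses(host, port, resolver):
        outcomes = [probe_once(addr, port, connect=connect) for _ in range(attempts)]
        results[addr] = Counter(outcomes)
    return results


def summarize(results):
    """Turn the per-address tallies into one of three diagnoses."""
    all_ok = [a for a, c in results.items() if c["ok"] and not c["refused"]]
    all_refused = [a for a, c in results.items() if c["refused"] and not c["ok"]]
    mixed = [a for a, c in results.items() if c["ok"] and c["refused"]]
    if mixed:
        return "same address alternates: look at NAT/rdr handling, not DNS"
    if all_ok and all_refused:
        return "split by address: DNS returns a working and a non-working address"
    return "consistent per address: no alternation observed"


if __name__ == "__main__":
    # Placeholder hostname: replace with the name that misbehaves in your setup.
    tallies = probe_host("auth.example.test", 443, attempts=10)
    for addr, counter in tallies.items():
        print(addr, dict(counter))
    print(summarize(tallies))
```

Run it from the same VLAN host where curl alternates; the per-address tallies tell you whether to keep looking at DNS or at the port-forward/reflection rule.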


I just realized now that this applies to all traffic to port 443 originating from the same vlan.

In short: when sending a request to port 443 of my WAN address from any host in the vlan to which the port forwarding rule for port 443 sends traffic, this happens. Half of the requests go through, half don't.

Is this a bug? Is there a way where I can override this behavior?

Maybe hitting the OPN UI intermittently. Did you disable the UI redirection on port 443?


So you are testing from an inside VLAN, not from the outside. I didn't get that from the first post.
I would try changing the reflection setting in the nat:port-forward rule. I'm not 100% on that setting but I had trouble with a rule and had to change reflection from default to disabled. It fixed my problem but I can't explain it.

It doesn't help - if I disable it, I get no traffic at all from my vlan that is sent to WAN at port 443.

Things I tried so far:

- access from another host on the same vlan: same problem
- use another server instead of nginx, on another port: same problem
- disable NAT reflection on the 443 port forwarding rule: no traffic from my vlan goes through, only external traffic.


This is not a solution, but overriding the hostname internally via DNS seems to solve the issue. But I'd rather not do it since I'd have to do it for every domain name.