Issue to reach Website hosted on internal DMZ

Started by Madifor, September 02, 2025, 09:11:45 PM

For some time I have had a 2nd ISP connection (fiber) next to my current WAN connection.
The 2nd provider provided an XGS-PON terminal (fiber in -> 10 Gbit copper out) and a WiFi modem/router.
I created a gateway group with ISP2 as tier 1 and ISP1 as tier 2, so by default all traffic goes to the internet using the 2nd WAN interface (isp).

The setup is then like the attachment "dual-wan_dual isp modem.png"

From the user I can reach the internet and the shown web server using the public DNS name, which points to Public-IP1.
To make this work I created the required port forwards on the ISP-1 modem and on the WAN interface connected to the ISP1 modem.

All working as I would like to see it.

To save some energy, and also because it is possible, I am now experimenting with the 2nd setup, where I removed the modem/WiFi router of ISP-2.
I adjusted the interface configuration on the OPNsense firewall to be able to get a public IP.
So far so good.

The issue I have at this moment is that it is not possible to reach the web server using the public DNS hostname.
From the internet I can reach the web server normally using the same public DNS name.

It looks like OPNsense has issues returning the traffic back to Public-IP2 when it is directly connected to the firewall, while I expect that it still has its NAT table with the port references, so it should be able to return the traffic to the user IP and the initial TCP port.

Anybody have an idea how this can be done?

Quote from: Madifor on September 02, 2025, 09:11:45 PM
The issue I have at this moment is that it is not possible to reach the web server using the public DNS hostname.

I presume this only applies to a hostname pointing to IP2. However, above you only mentioned a hostname on IP1.

In OPNsense a port forwarding rule is defined on a certain interface and is by default only applied to traffic entering that interface.
To also enable the port forwarding rule on the other interface, you need to enable "NAT reflection" in the rule.
Remember that you additionally have to add a firewall rule to allow this traffic if there isn't one yet.
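To make the two points in this reply concrete (a forward rule is bound to the interface it is defined on, and reflection alone is not enough without a pass rule), here is a small model of that evaluation order. It is an added illustration, not OPNsense or pf code; the addresses, interface names and rule fields are constructed for the example.

```python
"""Model of interface-bound port forwarding with and without NAT reflection.
Addresses and names below are constructed for illustration only."""
from dataclasses import dataclass, field

PUB1 = "203.0.113.10"      # public address the DNS name points to (assumed)
PROXY = "192.168.20.5"     # reverse proxy in the DMZ (assumed)
USER = "192.168.10.20"     # LAN client (assumed)

@dataclass
class Packet:
    in_if: str             # interface the packet enters on
    src: str
    dst: str
    dport: int

@dataclass
class Rdr:
    interface: str         # interface the forward rule is defined on
    dst: str               # public address:port the rule matches
    dport: int
    target: str            # internal host the traffic is forwarded to
    reflection: bool = False

@dataclass
class Firewall:
    rdrs: list = field(default_factory=list)
    passes: set = field(default_factory=set)   # allowed (in_if, dst, dport)

    def port_forward(self, pkt: Packet):
        """Return the forward target, or None when no rule applies."""
        for r in self.rdrs:
            if (pkt.dst, pkt.dport) != (r.dst, r.dport):
                continue
            # The rule only applies on its own interface, unless reflection
            # extends it to traffic entering the other interfaces.
            if pkt.in_if == r.interface or r.reflection:
                return r.target
        return None

    def handle(self, pkt: Packet) -> str:
        target = self.port_forward(pkt)
        if target is None:
            return "routed"            # no forward: leaves via default gateway
        if (pkt.in_if, target, pkt.dport) not in self.passes:
            return "blocked"           # forwarded, but no pass rule allows it
        return f"forwarded to {target}"

def lan_client_to_pub1(reflection: bool, pass_rule: bool) -> str:
    """Outcome for a LAN client opening the public name (resolves to PUB1)."""
    fw = Firewall([Rdr("wan1", PUB1, 443, PROXY, reflection)])
    if pass_rule:
        fw.passes.add(("lan", PROXY, 443))
    return fw.handle(Packet("lan", USER, PUB1, 443))
```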

What I am trying to figure out is why I am unable to reach the website using the public DNS entry, which points to the ISP1 WAN IP, when (default) traffic is routed to the internet using ISP2. When I enter for example webserver.mydomain as the URL in the browser, on the firewall I see that the request is received on the WAN1 interface. The port forwarding is also happening (initially it goes to a (reverse) web proxy and from there traffic reaches the correct web server, based on the URL). My suspicion is that it is caused by the fact that the WAN IP of the ISP2 connection is on one of the other interfaces and then gets lost... I have trouble in this part of the troubleshooting; the packet capture feature doesn't give me a direction where to find the solution. Hopefully someone does know which mistakes I make in my thinking / troubleshooting process.

So, just to be clear, when I restore the original setup, where I also use the provided ISP device to connect to the XGS-PON terminal (media converter)