Seemingly straightforward pass rule not working; reverse proxy suspected.

Started by brigmaticlaw, December 18, 2025, 09:59:38 PM

December 18, 2025, 09:59:38 PM Last Edit: December 18, 2025, 10:21:11 PM by brigmaticlaw Reason: Adding context
Hi all,

I'm having a bit of an issue with a rule allowing certain devices on my main network to access select services on my server network. I have the basic "Allow internet/block private networks" and "Allow DNS" rules on each interface. I am attempting to add this new rule to allow devices on the Main interface (VLAN20) to access the services (Jellyfin, Immich, and Home Assistant) hosted on servers in Lab net (VLAN10). With the rule enabled and with my phone connected to the Main net, I cannot access the above services.

I have set up three aliases; one containing the IPs of my two Rokus for Jellyfin access, another containing the MAC addresses of our phones and laptops, and the third which has the URLs of the three services mentioned above. Admittedly I could probably combine the first two but for now let's just roll with it.

In the "Lab_Services" alias, I am using the FQDNs for each service instead of their IP/ports. I am running all services through Nginx Proxy Manager which is also hosted on a server on the Lab net. Here is what everything looks like:

(Two screenshot attachments of the aliases and the rule are not available.)

My suspicion lies with the reverse proxy since the services alias is using FQDNs instead of IPs. Am I on to something there? Do I need to allow Main net access to the proxy as well so those addresses can be properly routed? Any pointers would be greatly appreciated!

If you are reaching the services through NPM,

You need to allow your host to reach NPM. If NPM then reaches those destination services using domains, NPM needs to be able to resolve them, so it needs to reach the DNS server.

If you are using domains instead of IPs in the alias, then in order to populate the alias OPNsense also needs to be able to resolve them. Check whether the alias has populated IPs, i.e. whether it could resolve the domains.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Thank you, Seimus.

I created a rule to allow my two host aliases to reach NPM. I am able to resolve those domains while on the Main network. However, it looks like I now need to set up some ACLs within NPM to restrict access to only those services on that side as well. I will have a go at that and if I can figure that out and get it working, I'll mark this as solved.

Alright, I think this is solved since what I was attempting technically works now. That said, I've noticed/learned a few things and am curious...

With the proxy ACLs in place, it would appear I don't even need the original firewall rule allowing access to the service domains. I only need the rule allowing access to the proxy and then NPM takes care of the rest. Is this technically the "correct" way of going about it anyway? Or have I stumbled into the "wrong" way of getting it to work? I ask because even though I'm operating all of this in my home primarily as a way to learn deeper networking topics, I enjoy doing things cleanly and following "best practices".

I have been considering switching over to Traefik as my proxy so I can play around/learn with it and things like Authentik and Crowdsec as middlewares. The Traefik docs mention adding IP access lists to the labels to restrict access like I'm now doing in NPM. Again, I'm assuming that would be the correct way of going about it? I'm trying to mentally square the extent of the firewall's job and the jobs of things like Traefik and Authentik so far as service access and authentication goes. I am starting to suspect I need to alter my thinking from "access control is solely the job of the firewall" to "the firewall is a part of a larger access/security stack with many parts".
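As an added example of the two-layer setup discussed in this thread (the firewall only lets Main net reach the proxy, and the proxy's own allow list decides which clients get a given service), here is what the Traefik label approach the poster mentions looks like for one service. This is not the poster's configuration or NPM's; the Main net subnet 192.168.20.0/24, the hostname and the Jellyfin port are assumed placeholders.

```yaml
# Added example (not the poster's configuration). Assumptions:
#   - Main net (VLAN20) is 192.168.20.0/24 (placeholder; substitute your subnet)
#   - Traefik v3 with the docker provider; Jellyfin on its default port 8096
#   - OPNsense routes (does not proxy) VLAN20 -> VLAN10, so Traefik sees the
#     client's real VLAN20 source address and no ipstrategy.depth is needed
services:
  traefik:
    image: traefik:v3
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false   # only opt-in containers are published
      - --entryPoints.web.address=:80
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  jellyfin:
    image: jellyfin/jellyfin
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.lan`)"
      - "traefik.http.routers.jellyfin.entryPoints=web"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      # Second layer: the proxy only answers this route for clients from Main net.
      # Requests from any other source get a 403 from Traefik, even though the
      # firewall rule already allowed them to reach the proxy host itself.
      - "traefik.http.middlewares.main-net-only.ipallowlist.sourcerange=192.168.20.0/24"
      - "traefik.http.routers.jellyfin.middlewares=main-net-only@docker"
```

The firewall rule stays as the coarse control (which networks may talk to the proxy host at all), while the middleware is the per-service control that the domain-based alias was trying to express.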