this post was submitted on 23 Feb 2025
34 points (94.7% liked)

Selfhosted

Hey,

currently I am at a loss with my setup and can't figure out what's going wrong. I'm preparing a migration of my private root server to my @Home setup. The idea was to create a DMZ for all those servers with public internet access and put them into it.

Now I have a public OPNsense, a modem from my ISP, a UniFi Dream Machine (that manages the LAN and such) and another OPNsense inside my DMZ.

There is a WireGuard tunnel connecting the two OPNsense boxes; the local one has a 0.0.0.0/0 route as the peer network.

If I now try to access any website managed by the Nginx proxy (192.168.1.1/24), it works fine as long as the website is inside the DMZ.

My problem now is to make the green path happen, i.e. to access stuff inside my LAN via the public OPNsense.

The proxy is able to curl the LAN websites and I can ping and trace all the IPs, but something is broken. I can see the packets arrive at the LAN website and make it back to the public OPNsense, but my browser will always get a "timed out" :'(

top 19 comments
[–] InEnduringGrowStrong@sh.itjust.works 4 points 8 hours ago (1 children)

Make sure you test this from outside your network, and not simply by using the public IP from inside your LAN. Odds are your ISP modem doesn't support NAT loopback (also known as NAT hairpin).

[–] nap@sh.itjust.works 2 points 7 hours ago

I tested with my mobile on LTE and got the same results.

[–] teslasaur@lemmy.world 1 points 8 hours ago (1 children)

Why do you have a public IP range configured as LAN?

[–] nap@sh.itjust.works 2 points 7 hours ago (1 children)

Ah sorry, bad choice, but I masked my real LAN IPs.

[–] teslasaur@lemmy.world 1 points 7 hours ago (1 children)

It's possible, depending on how you've set up your NAT, that the traffic can't return due to coming from a public IP.

[–] nap@sh.itjust.works 1 points 7 hours ago (1 children)

There is one DNAT rule on the public OPNsense forwarding the HTTP/S traffic to my proxy. Inside my DMZ and LAN there is no NAT, only routing. On the way back out there is a masquerade/SNAT rule for my local IPs.

[–] teslasaur@lemmy.world 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

Then I assume there is something wrong in the routes from your LAN when returning traffic that was initiated through the internet OPNsense. If you can see traffic hit the LAN network, all should be well on the way in.

Perhaps some sessions on the way time out due to low TTL. I've experienced drops of traffic when there are too many hops.

[–] nap@sh.itjust.works 1 points 6 hours ago (1 children)

Hm, it could be a little much, but public IP -> WG0 -> proxy -> router -> server and back should be OK, shouldn't it?

[–] teslasaur@lemmy.world 1 points 6 hours ago (1 children)

It looks incredibly convoluted. My best guess is that traffic hits 172.168.1.254 and gets routed out to the internet and doesn't pass through the DMZ.

[–] nap@sh.itjust.works 1 points 5 hours ago (1 children)

Should the Nginx proxy receive that packet? If I trace between the LAN host and the GW, there are no public IPs.

[–] teslasaur@lemmy.world 1 points 5 hours ago

I think the packets take one way in, and get routed a different way out.

[–] InnerScientist@lemmy.world 1 points 8 hours ago (1 children)

Check DNS and MTU, and do a full Wireshark capture from the client using both curl and the browser.
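
Building on the capture advice in this comment and on the symptom in the original post (packets visible at the public OPNsense, browser still timing out), the following is an added example, not code from the thread or from any of its participants. It reads `tcpdump -n` output and reports half-open TCP flows: a SYN seen on an interface whose SYN-ACK never appears on that same interface, which is the signature of an asymmetric return path or of the firewall dropping the reply. It also lists the SYN destinations per interface so the DNAT rewrite to the proxy can be confirmed at a glance. The interface names `vtnet0` (WAN) and `wg0` (tunnel), the documentation addresses, and the sample capture lines are all assumed and constructed for this example; 192.168.1.1 stands for the proxy as in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds half-open TCP flows in a
# tcpdump capture and summarises SYN targets per interface.
#
# Capture on the public OPNsense, one stream per interface, tagging each
# line with the interface name so several captures can be merged
# (interface names are assumed):
#   tcpdump -nli vtnet0 'tcp[tcpflags] & tcp-syn != 0' | sed 's/^/vtnet0 /'
#   tcpdump -nli wg0    'tcp[tcpflags] & tcp-syn != 0' | sed 's/^/wg0 /'

# Print "IFACE client > server" for every SYN that got no SYN-ACK on the
# same interface (the client's own SYN retries collapse into one line).
half_open_flows() {
    awk '
    $3 == "IP" && $7 == "Flags" {
        iface = $1; src = $4; dst = $6; sub(/:$/, "", dst)
        if ($8 ~ /^\[S\],/)          syn[iface " " src " > " dst] = 1
        else if ($8 ~ /^\[S\.\],/)   synack[iface " " dst " > " src] = 1
    }
    END { for (k in syn) if (!(k in synack)) print k }
    ' | sort
}

# Print the distinct destinations SYNs were sent to, per interface. On the
# WAN side this should be the public address, on the tunnel side the DNAT
# target (the proxy), which verifies the port forward in one look.
syn_targets() {
    awk '$3 == "IP" && $7 == "Flags" && $8 ~ /^\[S\],/ {
             d = $6; sub(/:$/, "", d); print $1, d }' | sort -u
}

# Constructed sample (not a real capture): 198.51.100.10 stands for the
# public OPNsense WAN address, 192.168.1.1 for the proxy, 203.0.113.7 for
# the LTE client. Attempt 1 (port 51234) completes the handshake on both
# interfaces; attempt 2 (port 51240) is retried and never answered.
sample_capture() {
    cat <<'EOF'
vtnet0 12:00:00.000100 IP 203.0.113.7.51234 > 198.51.100.10.443: Flags [S], seq 100, win 64240, length 0
wg0 12:00:00.000200 IP 203.0.113.7.51234 > 192.168.1.1.443: Flags [S], seq 100, win 64240, length 0
wg0 12:00:00.000250 IP 192.168.1.1.443 > 203.0.113.7.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
vtnet0 12:00:00.000300 IP 198.51.100.10.443 > 203.0.113.7.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
vtnet0 12:00:05.000100 IP 203.0.113.7.51240 > 198.51.100.10.443: Flags [S], seq 300, win 64240, length 0
wg0 12:00:05.000200 IP 203.0.113.7.51240 > 192.168.1.1.443: Flags [S], seq 300, win 64240, length 0
vtnet0 12:00:06.000100 IP 203.0.113.7.51240 > 198.51.100.10.443: Flags [S], seq 300, win 64240, length 0
wg0 12:00:06.000200 IP 203.0.113.7.51240 > 192.168.1.1.443: Flags [S], seq 300, win 64240, length 0
EOF
}

echo "== SYN targets per interface =="
sample_capture | syn_targets
echo "== half-open flows =="
sample_capture | half_open_flows
```

How to read the output: a flow listed for `wg0` and `vtnet0` means the reply never came back through the tunnel, so the LAN host sent it out another way (for example via the UDM's own default route). A flow listed only for `vtnet0`, with the SYN-ACK present on `wg0`, means the reply did reach the public OPNsense and was dropped there, which points at the firewall's state or NAT handling rather than at routing inside the LAN.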

[–] nap@sh.itjust.works 1 points 7 hours ago (1 children)

green boxes are IP, red are FQDN

Curl capture (made first so DNS is captured as well)

Firefox capture

[–] just_another_person@lemmy.world 3 points 6 hours ago (1 children)

You have a loopback. Says it right there.

From your diagram it looks like you have two reverse proxies chained together... why?

[–] nap@sh.itjust.works 1 points 6 hours ago (1 children)

Never got the time to learn to read captures :'(

At one time I tried to use two proxies, but I changed it back to one. The host I try to reach is a Docker host with Immich running. So the only real proxy should be "192.168.1.1".

[–] just_another_person@lemmy.world 2 points 6 hours ago* (last edited 6 hours ago) (1 children)

If it's 192.168.1.1, then your DNS has the wrong address somewhere. It's looking for 35.242

[–] nap@sh.itjust.works 1 points 6 hours ago (1 children)

What? That's totally confusing. I took my laptop (192.168.35.242), tethered to my mobile (192.168.35.116) and ran Wireshark. 192.168.35.0/24 should never ever be a part of my network.

[–] just_another_person@lemmy.world 3 points 6 hours ago* (last edited 5 hours ago) (1 children)

Read your own screenshot

If you want to simplify things, do this:

  1. Remove all the proxy mess in between the service and network
  2. Make sure it works properly, and you can address it by name
  3. Add proxy back and point to DNS to it
  4. Test again

Then just keep adding things back and find where it's breaking. I'm positive you have a hostname mismatch or a messed-up DNS record if you're using multiple proxies. Curl output would be helpful. Also check dig (hostname) to see what your DNS is responding with.
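
The step-by-step isolation above (test the service by name, then put the proxy back and check what `dig` answers) can be scripted so that the DNS step and the proxy step are checked independently. The following is an added example, not code from the thread or from any of its participants. `curl --resolve` pins the name to a chosen address, so a stale or wrong record cannot hide a working proxy, and a working record cannot hide a broken proxy. The hostname `immich.example.org`, the address 203.0.113.50 and the helper names are assumed for illustration; the DF-ping helper is meant to be run on a Linux host whose default route is the tunnel (the proxy, per the post), since a ping to the public address from outside never enters the tunnel.

```shell
#!/bin/sh
# Added example, not code from the thread. Isolates the DNS step from the
# proxy step when chasing a timeout, and offers a tunnel-MTU probe.
#
# Usage:  sh isolate.sh immich.example.org 203.0.113.50   (name and IP assumed)

# answers_match EXPECTED_IP ANSWER...   pure comparison, no network.
# 0: every answer is the expected address; 1: some answer differs;
# 2: no answer at all (NXDOMAIN, wrong zone, or resolver unreachable).
answers_match() {
    expected="$1"; shift
    [ "$#" -gt 0 ] || return 2
    for a in "$@"; do
        [ "$a" = "$expected" ] || return 1
    done
    return 0
}

# Keep only dotted-quad lines: "dig +short" prints the target of a CNAME
# before the address, and that would otherwise count as a mismatch.
only_ipv4() {
    grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# resolve_a NAME [RESOLVER]   A records only, one per line.
resolve_a() {
    if [ -n "${2:-}" ]; then dig +short "@$2" "$1" A; else dig +short "$1" A; fi |
        only_ipv4
}

# dns_points_at NAME EXPECTED_IP [RESOLVER]
dns_points_at() {
    answers_match "$2" $(resolve_a "$1" "${3:-}")
}

# probe_proxy NAME IP [PORT]   HTTPS request sent to IP with the correct
# Host header and SNI, bypassing DNS. Prints status code (000 on timeout),
# the address curl actually connected to, and the elapsed time.
probe_proxy() {
    port="${3:-443}"
    curl -sS -o /dev/null --max-time 10 --resolve "$1:$port:$2" \
         -w '%{http_code} %{remote_ip} %{time_total}s\n' "https://$1/"
}

# probe_mtu HOST [MTU]   Linux iputils ping with DF set and a payload sized
# to the WireGuard default interface MTU (1420); 28 = IPv4 + ICMP headers.
# Run it from a host behind the tunnel toward the client's public address
# (assumed 203.0.113.7): if a small ping works but this one does not,
# large TLS records from the proxy will stall the same way.
probe_mtu() {
    mtu="${2:-1420}"
    ping -c 3 -M do -s $((mtu - 28)) "$1"
}

if [ "$#" -ge 2 ]; then
    name="$1"; want="$2"
    if dns_points_at "$name" "$want"; then
        echo "DNS ok: $name -> $want"
    else
        echo "DNS mismatch: $name -> $(resolve_a "$name" | tr '\n' ' ')(expected $want)"
    fi
    probe_proxy "$name" "$want"
fi
```

Run it once from the LAN and once from the LTE-tethered laptop: if `dns_points_at` disagrees between the two, the problem is split-horizon DNS rather than routing; if `probe_proxy` returns `000` from outside while `curl` on the proxy host succeeds, the path between the public OPNsense and the proxy is where to capture next.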

[–] nap@sh.itjust.works 2 points 5 hours ago

I think I'll let it rest for a day; I'm confused.