Normally, this would not be a desired configuration, but I am setting up a NextCloud server, and to validate the domain, it requires that it be able to access it through the public IP address. No matter what I do, I cannot get this to work. It specifically needs port 443, but I cannot reach port 80, 8080, or 443 from inside the firewall (OPNSense) when using the FQDN. DNS queries are resolving properly with the WAN IP, I have opened the ports outgoing in order to let the server bypass the transparent proxy, and have even port forwarded port 443 outgoing for the server IP to push it past the proxy, but nothing works. If I try to access these ports from outside the firewall (from my cell phone), I have no trouble at all. I know this is unusual, but is there any way to make this work? Someone has to have been able to get NextCloud working at some point, right?
- I don't understand how your network is configured. You have a proxy. Does your firewall redirect *outgoing* traffic *to* port 443 to the proxy? If so, that's irrelevant, the request will come from an ephemeral port. – vidarlo Feb 04 '23 at 09:54
- This kind of issue has a description: https://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback . I guess a **transparent** proxy will get the problems of a NAT/router. – A.B Feb 04 '23 at 10:09
- Does this answer your question? [Loopback to forwarded Public IP address from local network - Hairpin NAT](https://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat) – vidarlo Feb 04 '23 at 13:09
- Thank you all for your comments! By digging through all of your suggestions, I was able to set up a port forward for packets on the LAN Net addressed to the WAN IP right back to the server and it accepted it! – Hubert Oliver Feb 04 '23 at 18:40
1 Answer
In order to access other internal LAN resources within your network using your external IP address through OPNSense, you need to enable the NAT reflection feature. It will rewrite such requests so that they use the internal IP in order to avoid taking a detour and applying rules meant for actual outside traffic. More information on NAT reflection can be found here.

– Net Runner
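What the answer's NAT reflection (and the LAN-side port forward Hubert describes in the comments) does on the wire, as an added example that is not from the question, the answer or OPNsense's own rule set; it is written in FreeBSD pf syntax, which is what OPNsense generates from its GUI, and the interface names and addresses are assumed placeholders:

```pf
# Added example (not from the question or answer): hairpin / reflection NAT
# as FreeBSD pf rules. Interface names and addresses are assumed placeholders.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
wan_ip  = "203.0.113.10"        # public address the FQDN resolves to
server  = "192.168.1.20"        # NextCloud host on the LAN

# 1. Reflection: a LAN client connecting to the public IP on 443 is
#    redirected to the internal server instead of heading out the WAN
#    (where rules meant for real outside traffic, and the proxy, apply).
rdr on $lan_if inet proto tcp from $lan_net to $wan_ip port 443 -> $server port 443

# 2. Source NAT on the same leg. Without it the server answers the client
#    directly on the LAN with its own address as source; the client, which
#    opened a connection to 203.0.113.10, sees a SYN-ACK from 192.168.1.20,
#    has no matching socket and resets it. Rewriting the source to the
#    firewall's LAN address forces the reply back through the firewall,
#    which undoes both translations.
nat on $lan_if inet proto tcp from $lan_net to $server port 443 -> ($lan_if)

# 3. Filter rules are evaluated after rdr, so they must allow the
#    translated destination, not the public IP.
pass in quick on $lan_if inet proto tcp from $lan_net to $server port 443 keep state
```

If only the first rule is present the connection will still fail, which is why enabling reflection alone was not enough in the question.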
- Thank you for your suggestion. NAT Reflection was already enabled, but I hadn't thought to just port forward directly back to the server from inside the LAN Net. That did the trick. – Hubert Oliver Feb 04 '23 at 18:41