Complete noob here. I’ve setup a server that can be accessed via the internet, i.e. port forward setup.
The server is on the main network, NOT behind a VPN (I can’t setup port forwarding when it’s behind a VPN for some reason, but that’s a problem for another time).
- I can access my server via “domain.com” outside my home network
- All devices except the server is behind a VPN on both main and guest network
- DDNS for “domain.com” is handled on my router (luci)
- Flint (GL-AX1800)
- Version 3.214
- Kernel Version 4.4.60
- Firmware Version OpenWrt Chaos Calmer 15.05.1 / LuCI Master (git-20.356.08465)
My problem is:
- When I access my server with a device connected to the same main network via “domain.com”, it didn’t really route through the internet but rather locally. I can verify that by checking the server log and the source IP of the request is
192.168.x.1, which is my gateway IP.
- When I access my server with a device connected to the Guest network via “domain.com”, I can’t even access it.
Any idea how I can fix this? Thanks.
Would appreciate if there’s a way that I can put my server behind the VPN as well.
The two problems, I am not sure why they are problems.
- You connected to the router directly, of course the data goes locally. This is just normal.
- Guest network cannot access your private network because they are separated. So this seems the same problem as 1. because the data goes locally.
You want to put your server behind the VPN and still want it be access by the Internet, then you need a dedicated IP. Some vpn servie provider has this option.
Okay. If you are not aware what you are doing, it is okay to have a server in the LAN. Maybe it is okay to put it in the VPN. But it is definitely not a good idea to put it into the wild (aka Internet)!
I am working with computers for over 25 years in different topics. And I am hasitate every time, before I set a subdomain, add portforwarding and open one more port in the firewall.
I wonder about ‘behind the VPN’. The VPN is a tunnel, so the hosts should be in the VPN to build a ‘Virtual Private Network’. The devices in the LAN are in the LAN, not behind the LAN. Devices can be behind a Firewall, because it is a wall, that accept or deny.
And Even if you are planning to set a sever and release to the wild, it won’t be a good idea to put it in the network. Therefore some more intelligent, as I am, people developed the DMZ ( Demilitarized Zone).
And last, but not leased, a wisedom from every network o d infrastructure team I’ve ever worked with: The issue is the DNS.
If you want to connect to domain.com, the name will be resolved by the DNS. Either by the set DNS itself or by a forwarded one. Before going deep in the hole of network segmentation and NAT routing and so on, maybe we should take a look at the DNS sever and set a A record for domain.com.
(Even if I would set domain.com to something secure outside the home and use something like vpn.domain.com or happyplace.domain.com for my internal network)
But this is more philosphical than technical. Maybe I am totally wrong, It’s okay for me.
Most VPNs do not support inbound traffic. Even if port forwarding works properly, the inbound traffic may be gone before it reaches the GL-inet.
DNS is not an issue. Brair is seeing NAT loopback in action. The DNS record point to the router’s own WAN ip. When a device in his LAN wants to access his server, it will send traffic to the router, which then has to use NAT to route it to itself. Slightly better would be a split DNS setup so domain.com would point to the internal IP directly only on the local networks and therefore skipping the router and NAT loopback. But NAT loopback works fine as well.
The reason the guest network cannot access the server is likely because traffic cannot make it from guest network to the lan network. That’s either not allowed by the firewall or actively denied in the firewall. It’s also something you actually do not want to allow; Guest network SHOULD be different from the lan network.
In such cases it might like LupusE suggest be better to make a third network called DMZ in your GLInet router in which all servers are connected. By doing that it is easy to allow both lan and guest networks to access servers in the DMZ network.
LupusE, I do not like you talking the topic starter down. Everybody has to start somewhere! Few master the fine work of network administrators! Instead of talking people down try to explain things on a basic level so they can learn and understand!
Thank you so much for taking the time to answer my questions.
I have thought of putting the server in the DMZ but will that expose all ports to the internet? I’ve setup firewall on my server to open just a few ports but it’d be nice to have some sort of “safe guard” in place just in case I failed to set up the firewall on my server correctly. Technically, everything is behind a reverse proxy and only port
443 are open to the world. I made sure of that with port forwarding so that the router is a second line of defence.
Is there a way to disable NAT Loopback so that domain.com will be routed to the Public IP address, thus allowing access from guest network to the server?
As for VPN, I might not be clear in my first post and my English is rusty (You might be able to tell by now I’m not native). I set up DDNS on my router, so the DNS of domain.com points to my Public IP Address and I did verify that. So I don’t need any VPN service provider with port forwarding or anything like that. Traffic comes to the router but gets dropped by the
IP Tables. Is there anyway so that all Outbound Traffic routes through VPN but also allow inbound traffic not from VPN (with VPN Kill Switch ON). I know it’s a big ask but I thought my knowledge is the limit.
Thank you so much for all the help! Really much appreciated.
Edit: I tried putting my server in DMZ, I can access my server via `192.168.x.x (Local IP of the server) but not via domain.com from guest network. Server is accessible via domain.com from OUTSIDE the network.
Just wanted to give my $0.02, I’m also experiencing a similar issue; my LAN servers are port-forwarded, and clients outside the network can connect fine. When an internal client on the LAN zone try to connect to the services via the site’s public IP, the connection times out. This applies for both TCP and UDP traffic. On firmware version 3.213, tracking this thread for suggested fixes / updates. My forwards look like the following:
option target 'DNAT'
option name 'SERVICE_NAME'
option src 'wan'
option dest 'lan'
option src_dport 'PORT_#'
option dest_ip 'INTERNAL_IP'
option dest_port 'PORT_#'
option gl '1'
option proto 'udp'
"system": "ARMv7 Processor rev 4 (v7l)",
"model": "Qualcomm Technologies, Inc. IPQ6018\/AP-CP03-C1",
"version": "Chaos Calmer",
"description": "OpenWrt Chaos Calmer 15.05.1"