unable to resolve self hosted website while on network (works externally)

**jalouke** · 02-15-2021, 02:30 PM

Hey All,

I setup a home lab to play around with virtualization, networking, web hosting, and just general linux things. I started with Proxmox as the host on my system, and installed a few guests. I bet you can guess what one of the guests is (spoiler, it's Untangle). My network topology is shown below, but essentially I have my home network (comprised of Ubiquity networking gear) separated into "normal" devices (computers, game consoles, etc), IoT devices (smart home stuff), and Lab (Server).

My Server has 7 ethernet ports. I am currently using 1 for proxmox management and internally accessible only servers like my Unifi Controller, secure NAS, etc. The 2nd port is the "external" port for the Untangle VM in bridge mode with the 3rd port.

Attachment 11062

So the problem I am having is that I am setting up my reverse proxy server to be externally accessible, but behind Untangle so that it is protected from intrusions, and that part of it works... I can turn off the wifi on my phone and connect to my domain, and everything loads just fine. But I connect to my network, and it stops working again (ERR_CONNECTION_TIMED_OUT).

I tried doing some research to try to figure out what is going on and found some other posts in this forum that point to setting up DNS server in Untangle (domain name - internal server IP), but that doesn't help for my situation.

To explain how I have it routed currently, I have the following port forwarding settings:

Public IP (80,443) > Gateway (80,443) > Untangle (80,443) > Reverse Proxy (80,443)
(Untangle local services were changed to ports 8080, 4443 to prevent conflicts)

I also tried implementing a bypass rule as well but that didn't solve the problem so I removed it.

Any help is greatly appreciated.

**sky-knight** · 02-15-2021, 03:33 PM

I need a screen shot of your port forward rule please.

**jalouke** · 02-15-2021, 04:10 PM

Unifi port forwards to Untangle's IP
unifi port forward.PNG

Untangle :80 forward to server
Untangle http forward.PNG

Untangle :443 forward to server
Untangle https forward.PNG

**sky-knight** · 02-15-2021, 04:14 PM

Port forward rules are doing exactly what you told them to do, only forward traffic that originates from outside.

If you want those rules to work from inside, you need to remove the source interface directives.

**jalouke** · 02-15-2021, 04:48 PM

Originally Posted by sky-knight

Port forward rules are doing exactly what you told them to do, only forward traffic that originates from outside.

If you want those rules to work from inside, you need to remove the source interface directives.

Sorry, I forgot that I added the source interface directive to try to fix the problem. Technically the "External" source interface is connected to the rest of my network (Port 2 in my network topology).

I removed the source interface condition anyways, and it still doesn't work.

**sky-knight** · 02-15-2021, 05:18 PM

Ahh... I see that on the map.

Doesn't matter because the problem is still the same. The issue is with your port forwarding and / or your DNS.

So first, resolve the name you're having issues with to determine if it's getting a public address or a private one. After that, it's a matter of ensuring the ACLs on an IP level allow traffic to flow.

Most of the time? It's a port forwarding rule. Though your situation is complicated enough that you may have a firewall rule in the way somewhere.

Double NAT in the mix? Not helping... Untangle shouldn't be port forwarding at all in this configuration. But since it works from the world, I'm left to assume whatever you called "gateway" isn't forwarding the packets correctly for interior clients. This is VERY common. And you may have to use DNS to resolve an interior IP for the public name to work around the problem. But I can't tell you how to do that, because I don't know what "gateway" is.

**jalouke** · 02-15-2021, 06:58 PM

Doesn't matter because the problem is still the same. The issue is with your port forwarding and / or your DNS.

Forgive my ignorance, but doesn't the fact that from the "world's" perspective my server is working mean that the port forwarding / DNS is working properly?

Double NAT in the mix? Not helping...

I have no NAT rules set in Untangle.

Untangle shouldn't be port forwarding at all in this configuration.

So should I try to have my gateway forward directly to my server?

I'm left to assume whatever you called "gateway" isn't forwarding the packets correctly for interior clients.

I have made this setup work without the server behind Untangle.

Is it important to mention that I am using DDNS to update my domain name to my ISP provided external IP address? Also, my gateway is a USG-3P security gateway.

**sky-knight** · 02-15-2021, 07:30 PM

A lack of NAT rules is expected, you have the NAT tick box enabled on External. This means NAT is in play, if it wasn't you'd not need to forward on Untangle at all. You'd just forward from your gateway directly to the server.

Beware, disabling NAT will make things much easier but only AFTER you get the routing sorted out.

I'm assuming you've tested to ensure the DNS name in question is actually resolving correctly. If you haven't done that... you need to do it.

**jalouke** · 02-15-2021, 08:21 PM

I performed the DNS test in Untangle, and it resolves to the correct IP address.

However the connection test fails, and the traceroute starts at the IP and just goes nowhere (* * *).

The strange thing is, my server has a route out. I can ping 8.8.8.8, as well as the gateway on my server.

**sky-knight** · 02-16-2021, 08:17 AM

The correct IP address meaning what exactly? The address on your gateway?

Thread: unable to resolve self hosted website while on network (works externally)

LinkBack

Thread Tools

unable to resolve self hosted website while on network (works externally)

Posting Permissions