Access Emby from local sub via DDNS

chudak · Oct 6, 2021, 2:51 PM

I am a little confused here and must have forgotten some options.

My case is - emby is running on ports 8096/8920 (http/https)

pfsense router name is pfsense.ddns.xyz

From outside of my network everything works fine.

But from my network http://pfsense.ddns.xyz:8096 or https://pfsense.ddns.xyz:8920 don't resolve.

What am I forgetting?

Thx

viragomann · Oct 6, 2021, 3:10 PM

@chudak
Add a DNS host override for pfsense.ddns.xyz and point it to the internal server IP.

chudak · Oct 6, 2021, 3:41 PM

@viragomann said in Access Emby from local sub via DDNS:

@chudak
Add a DNS host override for pfsense.ddns.xyz and point it to the internal server IP.

That's a cool and easy solution, thx!

(I still remember it was something esle)

viragomann · Oct 6, 2021, 3:44 PM

@chudak said in Access Emby from local sub via DDNS:

(I still remember it was something esle)

You can enable NAT reflection instead for sure, but DNS host overrides work more reliably.

chudak · Oct 8, 2021, 1:38 PM

@viragomann

Thinking more about this...

The DNS override is a workaround, what if I really want that to work via DDNS name/IP from the local sub, how do I force that?

johnpoz · Oct 8, 2021, 1:57 PM

@chudak said in Access Emby from local sub via DDNS:

The DNS override is a workaround,

Says who? A local resource resolving to its local IP is the correct solution.. Nat reflection is a HACK/Workaround for when the client is unable to resolve the correct local IP for a fqdn because for example it uses external dns and not the local dns. Or the public IP is hard coded in some application or something.

Nat Reflection should always be last option for when you can resolve your local resource to its local IP.. Why would you want to hairpin traffic?

Not sure why you have :ports listed - :8096 or :8920, etc.. Those have nothing to do with dns. If you want to allow for redirection of some fqdn, to get sent to some port other than the standard http or https port easy solution for that is using haproxy which can kill 2 birds with 1 stone.. You can just access some fqdn http://pfsense.ddns.xyz for example and get proxied to your local resource on whatever port said service is listening on.

But locally I would still just access the service via fqdn that resolves to the local IP, and bookmark said site with whatever port you use in the url to access said service.

chudak · Oct 8, 2021, 2:29 PM

@johnpoz

I am not questioning all of this.

I am wondering if the external pfsense router DDNS name/IP is restricted somehow (on the local subnet) and if the answer is yes, how to unblock/control this?

johnpoz · Oct 8, 2021, 2:35 PM

@chudak said in Access Emby from local sub via DDNS:

external pfsense router DDNS name/IP is restricted somehow (on the local subnet)

Why how would it be restricted..

The issue is that if you send traffic to your pfsense wan IP from internal IP, it would not be forwarded back to where you forwarded it. For that to work you need to enable nat "reflection"

https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

Nat reflection is not enabled by default.. If you have some desire to do that - then yes you would have to specifically enable it.

Here is the thing you should take away from that article ;)
"NAT reflection is a hack as it loops traffic through the firewall when it is not necessary"

stephenw10 · Oct 9, 2021, 3:17 PM

Yeah, using split DNS is the preferred method if you can use that.
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

Steve

chudak · Oct 9, 2021, 3:16 PM

@johnpoz said in Access Emby from local sub via DDNS:

@chudak said in Access Emby from local sub via DDNS:

external pfsense router DDNS name/IP is restricted somehow (on the local subnet)

Why how would it be restricted..

The issue is that if you send traffic to your pfsense wan IP from internal IP, it would not be forwarded back to where you forwarded it. For that to work you need to enable nat "reflection"

https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

Nat reflection is not enabled by default.. If you have some desire to do that - then yes you would have to specifically enable it.

Here is the thing you should take away from that article ;)
"NAT reflection is a hack as it loops traffic through the firewall when it is not necessary"

Never used that and like it!

Is it practical/good to use it to override with an external IP?

like:

emby.local => points to local IP via resolver
emby.external => points to external IP via forwarder

Thx!

johnpoz · Oct 9, 2021, 3:18 PM

@chudak said in Access Emby from local sub via DDNS:

Is it practical/good to use it to override with an external IP?

You can set an override for anything you want to resolve to anything you want.. be it www.cnn.com or some internal.domain.tld

chudak · Oct 9, 2021, 3:24 PM

@johnpoz said in Access Emby from local sub via DDNS:

@chudak said in Access Emby from local sub via DDNS:

Is it practical/good to use it to override with an external IP?

You can set an override for anything you want to resolve to anything you want.. be it www.cnn.com or some internal.domain.tld

I see how to set an override for www.cnn.com, but how do I force to be on a specific port www.cnn.com:1234 ?

johnpoz · Oct 9, 2021, 3:29 PM

@chudak dns has NOTHING to do with ports.. As I already went over if your goal is to get redirected to some port, then use HAproxy.. And then sure you can hit the public IP on port say 80 or 443 http/https and get proxied to port 1234 if you wanted.