Need Help Routing Traffic
-
Just signed up here and this is obviously my first post. I'm not much of a forum guy but I just can't seem to Google my way out of this one.
Running pfSense bare metal with 4 physical NICs: WAN, LAN, WLAN and LAN2, each with their own subnet.
I have rules in place as such:
LAN can access WAN, LAN2 and WLAN
LAN2 can only access WAN
WLAN can only access WAN
I self-host an instance of Nextcloud on LAN that's publicly accessible. Traffic to Nextcloud from clients on LAN and traffic to Nextcloud from WAN work as they should. My issue is, because I'm blocking local traffic from LAN2 and WLAN to the LAN subnet, Nextcloud clients on LAN2 and WLAN cannot access the Nextcloud server, because my current configuration is apparently trying to route that traffic internally. I need a rule set or NAT routing or whatever that forces all traffic to Nextcloud (and only to Nextcloud) from LAN2 and WLAN out WAN so it can resolve to come back into the firewall. Is this possible?
pfSense is running pfBlockerNG and Suricata but I don't think that complicates things.
Thanks gang!
-
@newburg said in Need Help Routing Traffic:
Nextcloud clients on LAN2 and WLAN can not access the Nextcloud server because my current configuration is apparently trying to route that traffic internally.
So you have a host override in your internal DNS to provide the internal LAN IP for Nextcloud, I assume?
If so, are the LAN2 and WLAN devices able to resolve it properly? That is, do these networks also use your internal DNS?
I need a rule set or NAT routing
NAT is no solution, because the access needs to go to the internal IP of the Nextcloud server, so the devices need to be permitted to access that internal IP anyway.
-
@viragomann I do not have a host override configured in the DNS resolver for Nextcloud. This is what is puzzling me: why the traffic is insisting on routing internally when the clients are connected to the local network. For example, the Nextcloud app on an iOS device works fine on 5G, but as soon as the device connects to Wi-Fi on WLAN, the traffic from the Nextcloud app tries to route internally.
Does that even make sense?
-
@newburg
The traffic between two internal network segments can only be routed internally. It never goes out to WAN as you might think.
Even if the DNS on the client resolves to the WAN IP. But in this case, you possibly have enabled NAT reflection.
This can be done either in the NAT rule which forwards the traffic to the webserver or in System > Advanced > Firewall & NAT. When using NAT reflection you only have to add a firewall rule to both interfaces to allow access to the Nextcloud server and put this rule above the block rule.
-
@viragomann I've considered adding the firewall rule. Is there a downside for the untrusted WLAN, which has a ton of IoT devices on it, to have direct access to the Nextcloud server's local IP addy? I suppose if I configure the rule to only allow traffic on the ports I need it to... not much of a downside.
-
So I just placed a rule for WLAN to access the Nextcloud server on LAN; restricting it to TCP/UDP traffic only on port 443. Traffic is passing now to Nextcloud from WLAN. Seems to be a decent solution with low risk. Thanks for letting me bounce this off you @viragomann !
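For readers who want to see what the two posts above amount to in rule form, here is an added example (not a configuration posted by either participant, and not what pfSense literally writes out): a pf-style ruleset sketching the NAT reflection redirect that viragomann describes and the narrow pass rule, restricted to TCP/UDP 443 and placed above the inter-subnet block, that newburg ended up with. Interface names, the Nextcloud host address and the use of a 192.0.2.x documentation prefix are assumptions; pfSense generates its own reflection rules from the port forward, so treat the `rdr` lines as an illustration of the mechanism rather than something to paste in.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
wan  = "igb0"
lan  = "igb1"
wlan = "igb2"
lan2 = "igb3"
nextcloud = "192.0.2.10"   # assumed LAN address of the Nextcloud host

# Public port forward on WAN for the Nextcloud web server.
rdr on $wan proto { tcp udp } from any to ($wan) port 443 -> $nextcloud port 443

# NAT reflection: internal clients that resolve the public name to the WAN
# address get redirected to the LAN host instead of leaving the firewall.
# Translation runs before filtering, so the pass rules below see the
# destination as $nextcloud, not the WAN address.
rdr on { $wlan, $lan2 } proto { tcp udp } from any to ($wan) port 443 -> $nextcloud port 443

# pfSense evaluates interface rules first-match ("quick"), so the narrow pass
# has to sit above the block that isolates WLAN and LAN2 from LAN.
pass  in quick on $wlan proto { tcp udp } from $wlan:network to $nextcloud port 443
block in quick on $wlan from $wlan:network to $lan:network
pass  in quick on $wlan from $wlan:network to any        # WLAN -> WAN only

pass  in quick on $lan2 proto { tcp udp } from $lan2:network to $nextcloud port 443
block in quick on $lan2 from $lan2:network to $lan:network
pass  in quick on $lan2 from $lan2:network to any        # LAN2 -> WAN only
```

The point worth checking after making such a change is the ordering: if the block rule is listed first, the IoT clients are still cut off from the Nextcloud host even with reflection enabled, and pfSense's Status > System Logs > Firewall view will show the 443 connections matching the block rule rather than the pass rule.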
-
@newburg said in Need Help Routing Traffic:
Traffic is passing now to Nextcloud from WLAN. Seems to be a decent solution with low risk.
I would rather have concerns about running a public webserver within my LAN. Allowing access from guest subnets would not be more risk than this.
-
@viragomann It's relatively safe enough. All inbound traffic requests to the server are pushed to 443. GeoIP blocking is enabled on the firewall and as a service running on Nextcloud; Suricata and pfBlocker are VERY picky on inbound traffic. The URL to the server is "secure through obscurity" and only handed off to family members. Logins are 2FA enforced. Certs are renewed via cron. It's all pretty resilient. SSL Labs gives me an A+. Must be legit, right? :::sarcasm:::
-
@newburg
Sounds all well.