Netgate Discussion Forum

    How to access nextcloud from another VLAN in a HAProxy+DNS Resolver setup

    Category: Firewalling
    11 Posts 4 Posters 1.7k Views
    • runevn

      I have 2 VLANs:

      • Home VLAN for all my devices
      • Server VLAN for different VMs including my nextcloud instance.

      I would like to be able to access nextcloud from my home VLAN. I have set a firewall rule allowing traffic from my HOME VLAN to the nextcloud VM (on Server VLAN) on port 80 and 443 (tcp).

      Whenever I try to access nextcloud.mydomain.com I can't access nextcloud but if I use the IP I can access nextcloud.

      I'm running a HAProxy+DNS Resolver setup to provide wildcard SSL-certificates to my different services.

      Here are my firewall rules for my HOME VLAN.

      What am I doing wrong?

      (attached image: firewall.png)

      • flat4 @runevn

        @runevn In your nextcloud config file, under trusted domains, do you have the specified domain name or just the IP?

        • runevn @flat4

          @flat4 Thanks for your reply. I have added both my IP and domain name.

          • viragomann @runevn

            @runevn said in How to access nextcloud from another VLAN in a HAProxy+DNS Resolver setup:

            I have set a firewall rule allowing traffic from my HOME VLAN to the nextcloud VM (on Server VLAN) on port 80 and 443 (tcp).

            That's the wrong way. Since you're running HAproxy with SSL offloading, simply allow access to the IP the proxy is listening on, presumably WAN IP.

            If you have the public IP on the WAN of pfSense there is nothing more to do at all in the DNS. If it's a private WAN behind a router, add a host override to the Resolver and point it to the pfSense WAN IP.

            • runevn @viragomann

              @viragomann Thanks for your reply. Nextcloud is only being accessed on my LAN. If I set the nextcloud IP to my pfSense LAN IP it works.

              However, that will allow all traffic from my HOME VLAN to access all the services on port 80/443 tcp using the SSL-offloading?

              • viragomann @runevn

                @runevn said in How to access nextcloud from another VLAN in a HAProxy+DNS Resolver setup:

                Nextcloud is only being accessed on my LAN.

                So I'm wondering what's the purpose of HAproxy in this setup. Though that changes the situation and would have been worth mentioning.

                However, that will allow all traffic from my HOME VLAN to access all the services on port 80/443 tcp using the SSL-offloading?

                That's correct and usually that doesn't matter, since the HAproxy interface is exposed to the internet in normal circumstances.

                Whenever I try to access nextcloud.mydomain.com I can't access nextcloud but if I use the IP I can access nextcloud.

                So did you add a host override pointing to the server IP?

                • runevn @viragomann

                  So I'm wondering what's the purpose of HAproxy in this setup. Though that changes the situation and would be worth to mention.

                  The purpose is to have HAProxy providing Let's Encrypt wildcard SSL certificates to the web interfaces of my services, even though it is all on the LAN.

                  So did you add a host override pointing to the server IP?

                  Yes, but because I'm running HAProxy on my pfSense box the host override must be the pfSense box itself (192.168.1.1) and not the server IP.

                  If I change the host override to the server IP it works but then HAProxy will not provide the SSL-offloading.

                  • viragomann @runevn

                    @runevn
                    So you have to point the Nextcloud host override to pfSense.
                    If you want to restrict access to certain IPs, you can add an additional virtual IP to pfSense and point Nextcloud to this. Then add a frontend in HAproxy using this IP, but the same SSL cert.

                    HAproxy must not run in transparent mode in your setup! This would end up in asymmetric routing issues.

                    • runevn @viragomann
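The arrangement viragomann describes in the post above (a second HAProxy frontend on an extra pfSense IP, serving only Nextcloud with the same wildcard certificate, and no transparent mode), written out as a hand-made haproxy.cfg. This is an added example, not configuration from the thread or from the pfSense HAProxy package, which generates its own config from the GUI. All addresses, the certificate path and the backend name are constructed assumptions; only nextcloud.mydomain.com and 192.168.1.1 as the pfSense LAN address come from the thread.

```haproxy
# Added example, not from the thread. Assumed (constructed) values:
#   203.0.113.10   pfSense WAN IP, the existing public frontend
#   192.168.1.2    extra IP alias (virtual IP) on the Home VLAN, used only for Nextcloud
#   192.168.2.10   Nextcloud VM on the Server VLAN
#   /var/etc/haproxy/wildcard.pem  combined cert+key for *.mydomain.com
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the client IP to Nextcloud in X-Forwarded-For
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Existing public frontend: unchanged, still serves every *.mydomain.com service.
frontend https_wan
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/wildcard.pem
    http-request set-header X-Forwarded-Proto https
    acl host_nextcloud hdr(host) -i nextcloud.mydomain.com
    use_backend nextcloud if host_nextcloud
    # acl/use_backend lines for the other services go here

# Home VLAN frontend: same wildcard cert, separate listen address.
# Only the Nextcloud host name is routed; any other Host header gets a 503
# because no default_backend is set. Home VLAN clients whose resolver maps
# nextcloud.mydomain.com to 192.168.1.2 therefore reach Nextcloud only.
frontend https_home_vlan
    bind 192.168.1.2:443 ssl crt /var/etc/haproxy/wildcard.pem
    http-request set-header X-Forwarded-Proto https
    acl host_nextcloud hdr(host) -i nextcloud.mydomain.com
    use_backend nextcloud if host_nextcloud

# Plain HTTP on the virtual IP only redirects to HTTPS.
frontend http_home_vlan
    bind 192.168.1.2:80
    http-request redirect scheme https code 301

backend nextcloud
    # Deliberately no "source 0.0.0.0 usesrc clientip" line: that is HAProxy's
    # transparent client-IP mode, which viragomann warns causes asymmetric
    # routing here. Nextcloud sees connections from pfSense's Server VLAN address
    # and gets the real client from X-Forwarded-For instead.
    server nc1 192.168.2.10:80 check
```

With this in place the DNS Resolver host override for nextcloud.mydomain.com points at 192.168.1.2 (in plain Unbound syntax: `local-data: "nextcloud.mydomain.com. IN A 192.168.1.2"`), and the Home VLAN firewall rule only needs to allow TCP 443 (and 80 for the redirect) to 192.168.1.2, not to the Nextcloud VM itself. On the Nextcloud side, flat4's point still applies: nextcloud.mydomain.com must be in trusted_domains, and because TLS terminates on the proxy, config.php should also carry 'overwriteprotocol' => 'https' and list the pfSense Server VLAN address in 'trusted_proxies' so the forwarded client IP is honoured.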

                      @viragomann said in How to access nextcloud from another VLAN in a HAProxy+DNS Resolver setup:

                      Thanks for your reply. Just some further questions just to be clear:

                      So you have to point the Nextcloud host override to pfSense.

                      At the moment my current Nextcloud host override is set to pfSense itself (192.168.1.1). Is that correct?

                      If you want to restrict access to certain IPs, you can add an additional virtual IP to pfSense and point Nextcloud to this. Then add a frontend in HAproxy using this IP, but the same SSL cert.

                      Okay, just so I get it right... When I add a Virtual IP for Nextcloud should it be within the same VLAN as the original IP? And what do you mean by "point Nextcloud to this"? Is it within the configuration file of NC?

                      • viragomann @runevn

                        @runevn said in How to access nextcloud from another VLAN in a HAProxy+DNS Resolver setup:

                        At the moment my current Nextcloud host override is set to pfSense itself (192.168.1.1). Is that correct?

                        It could be any IP of pfSense. The only requirement is that HAproxy is listening on it.

                        When I add a Virtual IP for Nextcloud should it be within the same VLAN as the original IP?

                        The same answer. Could be on any interface, but yes for clarity, I would add it to the home VLAN, since you want to access it from devices of this network segment.

                        And what do you mean by "point Nextcloud to this"?

                        I meant the host override with this.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.