Can't connect from LAN to domain pointing to WAN

I have a NanoPi R4S acting as my main router. It forwards 443 traffic to a web server on a Raspberry Pi. I also have a domain registered pointing at my IP. Before, I had my traffic proxied through Cloudflare but it's giving me headaches with other stuff and I've disabled the proxy, so Cloudflare now points my domain straight to my WAN IP (DNS-only mode). The problem is, since I've made this change, I can't connect from my LAN to my domain; it times out. It seems to be a routing or firewall problem because when I am connected to my VPN interface (running in the same router) I don't have problems connecting to my domain. I've tried disabling NAT loopback or changing it to external IP, but it doesn't work. What could be wrong? Thanks for any help.

You actually need a "hairpin rule" - loopback actually does what you desire; but the OpenWrt check box works only for the SRC itself (i.e. the server - e.g. if you ran II$ on Window$, you could browse from the same machine). Here is a sample rule to redirect for your entire LAN.

You could make a DNS setting on the OpenWrt; but that requires all clients to exclusively use the OpenWrt for DNS.

2 Likes

Thanks for your help, but the hairpin rule doesn't seem to work. It still times out. I don't know what could be wrong.

Usually it's easier to redefine the A and AAAA records of your external domain in your router (dnsmasq override) to their internal IP.

2 Likes

Sounds like it might be what I need. Could you point me to a guide? I've tried in LuCI (Network > DHCP and DNS > Hostnames) but it doesn't seem to work.

dnsmasq.conf

# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/somedomain.net/192.168.1.2

1 Like
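The template line quoted in the post above is still commented out (`#address=`), so as written it overrides nothing. The following is an added example, not code from the thread or from the dnsmasq project: a small checker that reads `address=` directives and reports which answer a LAN client would get for a name. The function names, `example.org` hosts and sample config are constructed, and most-specific-match ordering between overlapping entries is an assumption of this sketch.

```python
import ipaddress

# Constructed sample config. The first override is still commented out,
# exactly like the template line quoted in the post above.
SAMPLE_CONF = """\
# Add domains which you want to force to an IP address here.
#address=/somedomain.net/192.168.1.2
address=/example.org/192.168.1.2
address=/cam.example.org/nas.example.org/192.168.1.3
"""

def parse_overrides(conf_text):
    """Return {domain: [ip, ...]} for every active address= directive."""
    overrides = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Lines starting with '#' are comments and have no effect.
        if line.startswith("#") or not line.startswith("address="):
            continue
        parts = line[len("address="):].split("/")
        # Expected shape after splitting: ['', domain, ..., ip]
        if len(parts) < 3 or parts[0] != "":
            continue
        *domains, ip = parts[1:]
        try:
            ipaddress.ip_address(ip)      # accept IPv4 (A) or IPv6 (AAAA)
        except ValueError:
            continue                      # this sketch skips non-IP targets
        for domain in domains:
            overrides.setdefault(domain.lower().rstrip("."), []).append(ip)
    return overrides

def lookup(overrides, name):
    """IPs answered locally for name, or None if it goes upstream."""
    labels = name.lower().rstrip(".").split(".")
    # An address= entry covers the domain and all of its subdomains.
    # Walk from the full name to its parents (assumed: most specific wins).
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return overrides[candidate]
    return None

if __name__ == "__main__":
    active = parse_overrides(SAMPLE_CONF)
    for host in ("somedomain.net", "www.example.org", "cam.example.org"):
        print(host, "->", lookup(active, host) or "forwarded upstream")
```

A name reported as forwarded upstream still resolves to the WAN IP from inside the LAN, so it depends on the router's NAT loopback rule rather than on the DNS override.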

LuCI has a hostname page.

2 Likes

Thank you both for the help. I went the dnsmasq.conf route but it still won't work. My best guess is that the RPi web server nginx reverse proxy is in a redirect loop since visiting it from its IP redirects you to its domain, which dnsmasq then redirects to its IP.

EDIT: I disabled the nginx redirect and it still won't work. I'm out of ideas.

Restarted dnsmasq after making the changes?

Yes. Traceroute reports the LAN IP.