Hosting website: Rejected request from RFC1918 IP to public server address

I'm trying to view my hosted website from within a VLAN. I can reach it from outside my network using the domain name, but when I try to view the page from inside the network I get a rejected request. Digging around, it seems this is for a security reason, in which case I would like to keep this feature if at all possible.

I saw an archived post that talked about changing OpenWrt's listen address. After doing that, the web interface no longer loaded. Is there anything else I could try? Thank you for any help anyone can give.

[changing listen address](https://forum.archive.openwrt.org/viewtopic.php?id=45406)

This didn't seem to work and also just broke the OpenWrt UI.

Forbidden

Rejected request from RFC1918 IP to public server address

  • You need to make sure the SRC IP of the HTTP(S) traffic is not a private IP when the DST is a public IP.
  • Your diagram doesn't identify:
    • SRC client
    • SRC IP
    • DST server (possessing Public IP address)

Where is the OpenWrt device?

You never indicate the device in your diagram.

  • SRC client
  • SRC IP
  • DST server (possessing Public IP address)

My bad if I'm mistaken about what you're asking; also, I'm not sure what you mean by "DST possessing public IP address"?
Domain from Godaddy that I linked to my public IP address.
Vlan 30
Proxmox box : 192.168.30.106
Webserver: OS Ubuntu
IP address: 192.168.30.224

The OpenWrt device is the one at the top; I will post a new diagram.
I have ports 80 and 443 open on the router (OpenWrt). I am able to view the website if I use a VPN or anything else that isn't part of my LAN.

Otherwise I get the "Rejected request from RFC1918 IP to public server address" error, which from what I can figure out is a security measure to stop denial of service from within the LAN?

If I disable this security measure, the domain names just take me to OpenWrt's interface.
It seems requests from local IP addresses are not being forwarded to the web server.

Please show this firewall rule.

It seems as if you don't understand the error message.

For some reason, your Ubuntu server thinks it has a public IP.

???

Show all relevant firewall rules.

Rejected request from RFC1918 IP to public server address - #2 by vgaetera


@SnakZ

Are you accessing the Ubuntu server from within your network:

  • With its public IP address, or
  • Using 192.168.30.224?

You must use 192.168.30.224 - :bulb: or set up internal redirect(s):

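# Hairpin ("NAT reflection") DNAT template for ONE LAN-side network: a client
# in that network that connects to the public address is sent to the web
# server instead of reaching the router's own web server (uhttpd). The
# "Forbidden - Rejected request from RFC1918 IP to public server address" page
# is uhttpd's DNS-rebinding filter (rfc1918_filter) refusing a private-source
# request whose Host header is a public address; keep that filter on and fix
# the forwarding instead.
#
# Goes in /etc/config/firewall. Replace the two placeholders before use.
# Only TCP/80 is covered; HTTPS needs a second copy with both ports set to 443.
# Fix applied: dest_ip was quoted '192.168.30.224" (mismatched ' and "), which
# makes UCI fail to parse the whole file.
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.x.0/24' #<---SRC network: the subnet the browsing clients sit in
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.30.224' # the web server
	option dest 'xxx' #<---firewall ZONE (not interface) that the SRC network belongs to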

Why this works:


Are you accessing the Ubuntu server from within your network:

  • With its public IP address, or
  • Using 192.168.30.224?

You must use 192.168.30.224 - :bulb: or set up internal redirect(s):

Using the local IP address would work; the problem comes when I start to use vhosts, where I have multiple domain names resolving to the same public IP address. I would need to figure out a way to visit the different domain names using just an IP address. I'm sure it is possible; I just never needed to learn how to do it before.

Also, I tried the configuration you posted without changing anything in it. Unfortunately it brought everything crashing down. Obviously that wasn't the right move :smiley:

option src_ip '192.168.x.0/24' #<---SRC network
option dest 'xxx' #<---place packet in same network SRC packet

What should I change these to?

I provided you that information already:

  • The SRC IP network (or CIDR range) - you list:
    • 192.168.1.0/24
    • 192.168.20.0/24
    • 192.168.30.0/24
  • The Interface of the SRC network

Since you don't list your interfaces or network configs, I can't use specific information related to your use case.

:bulb: BTW the Pound Sign (#) in code or output means "comment".

I provided you that information already:
Seems I don't understand that information then :D.

I thought the info I gave you would be enough; sorry if it wasn't.

cat /etc/config/network

# /etc/config/network as posted (MAC addresses and the ULA prefix were
# redacted by the poster as 'xx' / 'xxx').
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx'

# One bridge over all four switch ports; the bridge-vlan sections further
# down split it into VLANs 1, 20 and 30.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'xx'

config device
        option name 'lan2'
        option macaddr xxx'
        # NOTE(review): the unbalanced quote on the line above is presumably a
        # paste/redaction artifact -- as written UCI would reject the file.

config device
        option name 'lan3'
        option macaddr 'xx'

config device
        option name 'lan4'
        option macaddr 'xx'

# lan = VLAN 1, 192.168.1.0/24, ports lan1 + lan2 (only interface with IPv6
# prefix assignment).
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config device
        option name 'wan'
        option macaddr 'xxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# 'u*' = the port carries this VLAN untagged and uses it as its PVID.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:u*'

# vlan20 = 192.168.20.0/24 on port lan4.
config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan3:u*'

# vlan30 = 192.168.30.0/24 on port lan3; per the thread the Proxmox host
# (.106) and the Ubuntu web server (.224) live here.
# NOTE(review): which firewall zone each of lan/vlan20/vlan30 belongs to (and
# therefore inter-VLAN isolation and NAT reflection) is decided in
# /etc/config/firewall, which is not shown.
config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

option dest 'xxx'

Would this be the local IP address of the web server?

option src_ip '192.168.x.0/24

Would I just leave this as is so it covers everything? Or add them as needed, like you did?

option src_ip '192.168.1.0/24
option src_ip '192.168.20.0/24
option src_ip '192.168.30.0/24
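# Three hairpin (NAT-reflection) DNAT sections, one per LAN-side network, so a
# client in lan / vlan20 / vlan30 that browses to the public address is sent
# to the web server 192.168.30.224 instead of reaching the router's own uhttpd,
# whose rfc1918_filter answers "Forbidden - Rejected request from RFC1918 IP to
# public server address" for private-source requests carrying a public Host
# header. DNAT rewrites only the destination IP, so the Host header -- and with
# it name-based vhosts -- still works through these rules.
#
# These belong in /etc/config/firewall. Only TCP/80 is covered; port 443 needs
# the same three sections with src_dport/dest_port '443'.
# NOTE(review): 'lan', 'vlan20' and 'vlan30' in `option dest` must be firewall
# ZONE names; if vlan20/vlan30 are merely interfaces inside the lan zone the
# sections will be skipped. Also confirm that `src 'wan'` together with a
# private src_ip really matches hairpinned traffic on this build -- the stock
# alternative is the ordinary WAN port forward with `option reflection '1'`
# (the default) plus `list reflection_zone '<zone>'` for each client zone.
# Fix applied: dest_ip was quoted '192.168.30.224" (mismatched ' and "), which
# makes UCI fail to parse the whole file -- a likely cause of the reported
# "everything crashing down".

# Clients in 192.168.1.0/24 (zone lan)
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24' #<---SRC network
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.30.224'
	option dest 'lan' #<---place packet in same network SRC packet

# Clients in 192.168.20.0/24 (zone vlan20)
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.20.0/24' #<---SRC network
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.30.224'
	option dest 'vlan20' #<---place packet in same network SRC packet

# Clients in 192.168.30.0/24 (zone vlan30, the web server's own network)
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.30.0/24' #<---SRC network
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.30.224'
	option dest 'vlan30' #<---place packet in same network SRC packet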

Thank you for the help, and sorry for being away. After rebuilding everything following the hard reset and then trying out the config you listed, I noticed systems within VLAN 30 were now able to view the web page without problem. This is without adding your redirect; I don't know what changed.

As for vlan20 and lan (lan1), they still get the same Forbidden problem even with the redirect.

I commented out the vlan30 redirect, as it seems to be working without needing one.

# Network config as re-posted after the rebuild (presumably /etc/config/network
# again; the file name is not shown). MACs and the ULA prefix are redacted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXX'

# One bridge over all four switch ports, split into VLANs 1, 20 and 30 by the
# bridge-vlan sections further down.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'XXX'

config device
        option name 'lan2'
        option macaddr 'XXX'

config device
        option name 'lan3'
        option macaddr 'XXX'

config device
        option name 'lan4'
        option macaddr 'XXX'

# lan = VLAN 1, 192.168.1.0/24, ports lan1 + lan2.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config device
        option name 'wan'
        option macaddr 'XXX'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# 'u*' = the port carries this VLAN untagged and uses it as its PVID.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:u*'

# vlan20 = 192.168.20.0/24 on port lan4.
config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan3:u*'

# vlan30 = 192.168.30.0/24 on port lan3, where the web server 192.168.30.224
# sits. Zone membership of the three networks is not visible here; it is set
# in /etc/config/firewall.
config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

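# Hairpin (NAT-reflection) DNAT sections so clients in the lan and vlan20
# networks that browse to the public address reach the web server
# 192.168.30.224 instead of the router's own uhttpd, whose rfc1918_filter
# answers "Forbidden - Rejected request from RFC1918 IP to public server
# address" for private-source requests with a public Host header.
#
# NOTE(review): `config redirect` is firewall config and only takes effect in
# /etc/config/firewall. If these were appended to the network config listed
# above them, netifd simply ignores them -- which would explain why lan and
# vlan20 still get "Forbidden" with the redirect in place.
# NOTE(review): `option dest` must name existing firewall zones ('lan',
# 'vlan20'); confirm they exist. The stock alternative is the ordinary WAN
# port forward with `option reflection '1'` (the default) plus
# `list reflection_zone '<zone>'` for each client zone.
# Only TCP/80 is handled; add matching sections for 443 if HTTPS is served.
# Fix applied: dest_ip was quoted '192.168.30.224" (mismatched ' and "), which
# makes UCI refuse to parse the file.

# Clients in 192.168.1.0/24 (zone lan)
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option src_ip '192.168.1.0/24' #<---SRC network
        option name 'REDIRECT_HTTP_LAN'
        option dest_ip '192.168.30.224'
        option dest 'lan' #<---place packet in same network SRC packet

# Clients in 192.168.20.0/24 (zone vlan20)
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option src_ip '192.168.20.0/24' #<---SRC network
        option name 'REDIRECT_HTTP_LAN'
        option dest_ip '192.168.30.224'
        option dest 'vlan20' #<---place packet in same network SRC packet

# vlan30 section kept disabled as posted (vlan30 clients reportedly reach the
# site without it); the dest_ip quoting is fixed here too so it is safe to
# re-enable.
#config redirect
#       option target 'DNAT'
#       option src 'wan'
#       option proto 'tcp'
#       option src_dport '80'
#       option dest_port '80'
#       option src_ip '192.168.30.0/24' #<---SRC network
#       option name 'REDIRECT_HTTP_LAN'
#       option dest_ip '192.168.30.224'
#       option dest 'vlan30' #<---place packet in same network SRC packet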