Reach website from LAN in DMZ vlan

Hi,

I have a website on my personal server in a DMZ vlan. I configured port forwarding. It is working as expected from WAN to DMZ.
My problem is when I try to reach my website from my LAN vlan. I read the documentation. I enabled reflection but it is still not working.
I think my problem is due to my DMZ vlan. NAT loopback (Reflection) is only working for a website in the same LAN.
I found a discussion where someone proposed to add this:

. /lib/functions.sh
. /lib/functions/network.sh
network_get_ipaddr wan wan    # router's WAN address into $wan
network_get_ipaddr lan lan    # router's LAN address into $lan
webserver=192.168.80.99
# Hairpin DNAT: LAN clients ($lan/24 assumes a /24 LAN subnet) that connect to the WAN address on 443 are sent to the web server
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $webserver:443

It didn't solve my problem.

I use the latest version, 18.06.2.

Maybe I am missing something?

Thanks in advance

Bip

@bipbip, welcome to the community!

Add this to /etc/config/network

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '443'
	option dest_ip '192.168.80.99'
	option dest_port '443'
	option name 'HTTPS'
	option proto 'tcp'

Also, the NAT loopback is only for the IP in question, meaning you only have loopback from 192.168.80.99.

This is how you redirect from WAN IP (although some do not recommend this for security and resource reasons and just advise using a DNS name in your OpenWrt):

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	option src_ip '192.168.x.0/24'
	option dest 'lan'
	option dest_ip '192.168.80.99'
	option name 'REDIRECT_HTTPS_LAN'

Also, per the Community Guidelines, please refrain from signing your posts.
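The two redirects above assume the web server sits in the lan zone. When it sits in its own zone, fw3 installs the hairpin rules only for the zones named in the redirect's reflection_zone list (default: the dest zone), so clients in a different zone never hit them. The script below is an added example, not code from the thread or from the OpenWrt project: it renders the UCI batch for a redirect that names both zones, adds the lan-to-dmz forwarding the reflected connection needs, and counts the reflection rules fw3 installed. The zone name 'dmz' and the sample iptables output are assumptions; the server address 192.168.80.99 is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): UCI firewall
# changes for a WAN->DMZ port forward that LAN clients reach via reflection.
# Assumed names: zones 'wan', 'lan' and a third zone 'dmz' holding the server.

WEBSERVER="${WEBSERVER:-192.168.80.99}"
DMZ_ZONE="${DMZ_ZONE:-dmz}"
LAN_ZONE="${LAN_ZONE:-lan}"

# fw3 builds reflection (hairpin DNAT+SNAT) rules only for the zones listed
# in reflection_zone; the default is the dest zone alone.  Listing 'lan' as
# well gives LAN clients the translation, and a lan->dmz forwarding lets the
# translated connection through the FORWARD chain.
render_firewall_batch() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='HTTPS_DMZ'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].dest='${DMZ_ZONE}'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].src_dport='443'
set firewall.@redirect[-1].dest_ip='${WEBSERVER}'
set firewall.@redirect[-1].dest_port='443'
set firewall.@redirect[-1].reflection='1'
add_list firewall.@redirect[-1].reflection_zone='${DMZ_ZONE}'
add_list firewall.@redirect[-1].reflection_zone='${LAN_ZONE}'
add firewall forwarding
set firewall.@forwarding[-1].src='${LAN_ZONE}'
set firewall.@forwarding[-1].dest='${DMZ_ZONE}'
commit firewall
EOF
}

# On an OpenWrt host apply the batch and reload fw3; elsewhere only print it.
apply_firewall_batch() {
    if command -v uci >/dev/null 2>&1; then
        render_firewall_batch | uci batch && /etc/init.d/firewall reload
    else
        render_firewall_batch
    fi
}

# Read 'iptables -t nat -S' output from stdin and count the DNAT rules that
# fw3 tagged as reflection rules in their comment.  Usage on the router:
#   iptables -t nat -S | count_reflection_dnat     (expect one per listed zone)
count_reflection_dnat() {
    grep -- '-j DNAT' | grep -c -- '(reflection)' || true
}

# Constructed sample resembling fw3's nat table after the redirect above is
# applied (not captured from a real router; 203.0.113.10 is a placeholder WAN IP).
SAMPLE_NAT_RULES='-A zone_lan_prerouting -s 192.168.1.0/24 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_DMZ (reflection)" -j DNAT --to-destination 192.168.80.99:443
-A zone_dmz_prerouting -s 192.168.80.0/24 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_DMZ (reflection)" -j DNAT --to-destination 192.168.80.99:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_DMZ" -j DNAT --to-destination 192.168.80.99:443'

# Run with the argument "apply" on the router to commit; otherwise just review.
if [ "${1:-}" = "apply" ]; then
    apply_firewall_batch
else
    render_firewall_batch
    printf 'reflection DNAT rules in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_NAT_RULES" | count_reflection_dnat)"
fi
```

Keep the forwarding one-directional (lan to dmz only); a dmz-to-lan forwarding would let a compromised DMZ host initiate connections into the LAN, which is the reason for the separate zone in the first place.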

Much easier for me is to have split-horizon DNS -- yourservice.example.com resolves to your outside IP from the outside, to the internal IP for hosts on your LAN. Firewall rules between your LAN and your DMZ would need to allow the setup of the connection from the LAN to the DMZ.

3 Likes
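The split-horizon approach above, as an added example that is not part of the thread and not OpenWrt project code: the router's dnsmasq answers the service name with the DMZ address for inside clients, while outside clients keep resolving the public record. The name www.example.com and the answer samples are constructed; the DMZ address is the thread's 192.168.80.99.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): split-horizon
# DNS via dnsmasq on the router, plus a check of the resolver's answer.
# Assumed values: service name www.example.com, DMZ host 192.168.80.99.

SERVICE_NAME="${SERVICE_NAME:-www.example.com}"
INTERNAL_IP="${INTERNAL_IP:-192.168.80.99}"

# dnsmasq's address option answers the name locally instead of forwarding
# the query upstream; in UCI it is a list entry on the dnsmasq section.
# (An /etc/hosts line, as the OP used, works too because dnsmasq reads it.)
render_dns_batch() {
    cat <<EOF
add_list dhcp.@dnsmasq[0].address='/${SERVICE_NAME}/${INTERNAL_IP}'
commit dhcp
EOF
}

# Apply on an OpenWrt host and restart dnsmasq; elsewhere only print the batch.
apply_dns_batch() {
    if command -v uci >/dev/null 2>&1; then
        render_dns_batch | uci batch && /etc/init.d/dnsmasq restart
    else
        render_dns_batch
    fi
}

# Read nslookup output from stdin; succeed only if the expected address is in
# an answer line.  The "Server:"/"Address:" header before "Name:" is skipped so
# the resolver's own address can never be mistaken for the answer.
# Usage on a LAN host:  nslookup www.example.com | answer_has_ip 192.168.80.99
answer_has_ip() {
    awk -v want="$1" '
        /^Name:/               { inanswer = 1; next }
        inanswer && /^Address/ { if ($NF == want) found = 1 }
        END                    { exit (found ? 0 : 1) }'
}

# Constructed sample answers (not captured from real hosts): what a LAN client
# and an outside client should see for the same name once split horizon works.
# 198.51.100.53 and 203.0.113.10 are documentation-range placeholders.
LAN_ANSWER='Server:    192.168.1.1
Address:   192.168.1.1:53

Name:      www.example.com
Address:   192.168.80.99'

WAN_ANSWER='Server:    198.51.100.53
Address:   198.51.100.53:53

Name:      www.example.com
Address:   203.0.113.10'

if [ "${1:-}" = "apply" ]; then
    apply_dns_batch
else
    render_dns_batch
    if printf '%s\n' "$LAN_ANSWER" | answer_has_ip "$INTERNAL_IP"; then
        echo "LAN sample resolves to the DMZ address: split horizon in effect"
    fi
fi
```

Because the name is the same inside and outside, the server's TLS certificate matches from the LAN as well, which a raw IP in the browser would not give you.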

Thx both.
I added an entry in /etc/hosts file.

It is working as it should.

3 Likes

I've followed your advice here as I am having issues with my setup too. With setting the port-forward (443 HTTPS traffic) to the destination zone of "lan" I am able to access from LAN to DMZ yet now anything located inside the DMZ is not able to access each other. Is this as intended?

@stansmith, welcome to the community!

Please make a new thread for your issue. Be sure to include relevant network and firewall configs.

In the OP's example, they actually continued to use the WAN and LAN (or merely the names used in the posting). The configs offered to the OP as a solution never mentioned or involved a third "DMZ zone." Additionally, OpenWrt permits devices on the same VLAN to communicate; this is normal behavior in a non-routed Layer 2 network.

Further, your issue appears to be something similar to: "devices in DMZ VLAN cannot talk to each other after adding firewall rule..." much different from the OP's problem.