Rejected request from RFC1918 IP to public server address

bkalai · January 16, 2025, 8:01pm

I have a RP3 connected to wan on usb network adapte.r
Wireguard adapter connected to NordVPN
et0 is connected to a managed switch and I have 2 vlans
I vlan-a that is behind the vpn and the other vlan-b is exposed to the internet
I have two rules in PBR to have vlan-a the vpn and vlan-b to the wan
on the unprotected network I'm hosting a mailcow server with all the appropriate ports redirected via the wan zone to the appropriate server. Mailcow is working receiving and sending emails as well as webmail. the problem is when I try to get to the mailcow server from the protected vlan, I get "Rejected request from RFC1918 IP to public server address". I tried to change the uhttpd to have port 80 and port 443 to LuCi's Ip but then nothig worked including access to Luci
cat dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '20'
	option limit '70'
	option leasetime '12m'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'nord'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'nord'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'nord'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'
	option mtu_fix '1'

config forwarding
	option src 'dmz'
	option dest 'wan'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'http'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'https'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Postfix SMTP'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Postfix SMTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '465'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Postfix Submission'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '587'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Dovecot IMAP'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '143'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Dovecot IMAPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '993'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Dovecot POP3'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '110'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Dovecot POP3S'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '995'
	option dest_ip '10.20.7.231'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'Dovecot ManageSieve'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '4190'
	option dest_ip '10.20.7.231'

cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd04:dde4:54b9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan.200'
	option proto 'static'
	option ipaddr '10.0.7.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'nord'
	option proto 'wireguard'
	option private_key reducted
	list addresses '10.5.0.2/32'
	option mtu '1412'
	list dns '103.86.96.100'
	option delegate '0'

config wireguard_nord
	option description 'nord'
	option public_key 'reducted'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'us10576.nordvpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr '10.20.7.1'
	option netmask '255.255.255.0'

cat uhttpd

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '0'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

Thanks in advance

_bernd · January 16, 2025, 9:24pm

Sounds like dnsmasq rebind protection. It's enabled by default. Check and in case disable that.

bkalai · January 16, 2025, 11:47pm

I made the change and now i'm getting the connection is not private and it's using the self signed certificate from Luci instead of the actual certificate And the rfc error is still there

bkalai · January 16, 2025, 11:52pm

does this has any thing to do with this

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'

bkalai · January 17, 2025, 3:35pm

I have made the change to the rebind protection as recommended by _bernd but the RFC error didn't go away and the system is using LuCi's self signed certificate.

bkalai · January 17, 2025, 4:53pm

Why is Luci hijacking the certificate?

curl https://mail.barak-kalai.com

returns curl failed to verify the legitimacy of the server

_bernd · January 17, 2025, 5:54pm

I think or assume it's based on which addresses are configured to be listening on and what the cert contains.

LilRedDog · January 17, 2025, 6:40pm

They all say the same thing:

This usually happens when you try to access your router by its public (WAN) IP address from your LAN.

If that's the case and you are in your home network try accessing the router's WebGUI by its LAN IP address (192.168...) or http://tplinkwifi.net

bkalai · January 17, 2025, 7:00pm

I'm not trying accessing the router but the public ip of a server on another vlan

LilRedDog · January 17, 2025, 7:05pm

?
Surely I did not read more of the hits than you did that explain how mailcow gets confused and you need to forward some ports; did I?

Anyway, given the number of hits, its a mailcow issue.

Get an understanding and we will help get the right ports opened safely.

_bernd · January 17, 2025, 8:27pm

I don't see anywhere a srcnat rules.
Clients from lan should be natted/masquerade on wan, and then routing takes place and then the dnat rule.

bkalai · January 18, 2025, 2:37pm

It's not a Mailcow missue as it works on the unprotected network just fine look at the config attached to the post

LilRedDog · January 18, 2025, 3:01pm

Okay,

I'll give you the firewall (OpenWrt) needs to open a port because the VPN is tricking mailcow into thinking it is getting a request from an untrusted source.

I got enough out of perusing the hits to understand that much; just that much.
You need to tell us what the mailcow community suggests and we will help you do that.

Is this not, practically, the same situation?

Does this not explain what is going on?

But we do not know mailcow and we do not know the best ports.

BTW:
those are on the first page of the search and in the top 3 hits. I'm not going to learn mailcow nor find your optimal port(s).