Server in DMZ not reachable from "inside" (LAN) by its public name

I've searched and read a lot of different threads on this, but after trying to solve it for a long time I need some help :sweat_smile:

OpenWrt 22.03.2 on x86

What I'm trying to achieve:
Put my web server in a DMZ on a separate interface, reachable via its public domain name from within my own LAN on the same router (and from outside, of course).

I can ping the domain from within the network, and from outside everything works correctly, including the SSL certificate.

Problem from within my network:
- SSL error in the browser
- The server replies: Forbidden – Rejected request from RFC1918 IP to public server address
(i.e. a request from a private source address aimed at the server's public address, which suggests the LAN clients are resolving the public IP instead of the DMZ address 192.168.3.123.)

My config:

# network
# /etc/config/network as posted (OpenWrt 22.03.2, x86).
# NOTE(review): interface 'LAN2' (eth2, 192.168.3.1/24) is what the firewall
# section further down puts in the 'DMZ' zone; the web server 192.168.3.123
# lives there.

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

# ULA prefix handed out to the internal interfaces via ip6assign.
config globals 'globals'
        option ula_prefix 'fd25:7e28:693d::/48'

# Main (trusted) LAN: 192.168.1.1/24 on eth1, gets a /60 of the prefix.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option device 'eth1'

# Upstream: DHCP / DHCPv6 (with prefix delegation) on eth0.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option device 'eth0'

# Overlay interface (presumably ZeroTier: the firewall puts it in zone 'zero'
# and opens udp/9993).  proto none, not brought up automatically (auto 0).
config interface 'ZT0'
        option proto 'none'
        option device 'dtyf789sa2by'
        option auto '0'

# Static routes to 192.168.10.0/24 and 192.168.11.0/24 via 192.168.1.2,
# another router on the LAN.  The second route is currently disabled.
config route
        option target '192.168.10.0/24'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '192.168.1.2'

config route
        option target '192.168.11.0/24'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '192.168.1.2'
        option disabled '1'

# Media network: eth3, 192.168.4.1/24.
config interface 'Media'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'eth3'
        option ipaddr '192.168.4.1'

# 'LAN2' is the DMZ network: eth2, 192.168.3.1/24.
config interface 'LAN2'
        option proto 'static'
        option device 'eth2'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option ip6assign '64'
# dhcp
# /etc/config/dhcp as posted.
# NOTE(review): dnsmasq is moved to port 5353 here, not 53.  Anything that is
# pointed at the router's own address for DNS (DMZ clients get no explicit
# dhcp_option 6, and the router address is advertised over IPv6) therefore
# gets no answer on :53 unless another resolver on the router is bound to it
# -- TODO confirm what listens on 192.168.3.1:53.
# rebind_protection drops upstream answers that contain RFC1918 addresses;
# local entries such as the 'config domain' at the bottom are still served.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option port '5353'

# LAN clients are told to use 192.168.1.8 (AdGuard Home, per the thread) as
# their DNS server (dhcp_option 6), so they never query this dnsmasq and the
# 'config domain' override below has no effect for them.  The IPv6 DNS
# servers advertised are the ::5b2 addresses, not the router itself.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dns '2001:9b1:40db:e700::5b2 fd25:7e28:693d::5b2'
        list dhcp_option '6,192.168.1.8'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Media clients are sent straight to 9.9.9.9 for DNS (via the media->wan
# forwarding in the firewall), bypassing any local override entirely.
config dhcp 'Media'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'Media'
        option ra_management '1'
        list dhcp_option '6,9.9.9.9'

# DMZ (LAN2) clients: no dhcp_option 6, so they are handed the router
# address as DNS by default; dns_service 0 appears to stop odhcpd announcing
# the router as DNS over IPv6 -- TODO confirm intended.
config dhcp 'LAN2'
        option interface 'LAN2'
        option start '100'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'
        option dns_service '0'
        list ra_flags 'other-config'
        option limit '150'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

# Static lease for the Home Assistant box, which also hosts the LAN's DNS.
config host
        option name 'HomeAssistant'
        option dns '1'
        option mac 'DC:A6:32:4A:F3:02'
        option ip '192.168.1.8'

# Local override: mydomain.com -> DMZ web server.  Only answered by this
# dnsmasq (port 5353), so only clients that actually query it benefit.
config domain
        option name 'mydomain.com'
        option ip '192.168.3.123'
# firewall
# /etc/config/firewall as posted (fw4 on 22.03).  Rule order is significant
# in fw4, so the stanzas are kept exactly in the posted order.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# Trusted LAN: everything in, out and between lan hosts.
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# DMZ zone = network 'LAN2' (192.168.3.0/24).  DMZ hosts may not reach the
# router (input REJECT) or be forwarded anywhere except via the explicit
# forwarding / rule stanzas further down.
config zone
        option output 'ACCEPT'
        list network 'LAN2'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'DMZ'

# Media zone, same posture as DMZ.
config zone
        option name 'media'
        option output 'ACCEPT'
        list network 'Media'
        option forward 'REJECT'
        option input 'REJECT'

# WAN: masqueraded, MSS clamping, nothing in by default.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt WAN input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules (ESP and IKE from wan into lan).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Legacy include.  NOTE(review): on 22.03 (fw4) an old iptables-style
# /etc/firewall.user is not executed unless it has been converted into an
# fw4-compatible include -- check the fw4 startup log for a warning.
config include
        option path '/etc/firewall.user'

# Overlay zone 'zero' (interface ZT0).  input ACCEPT means peers on the
# overlay reach every service on the router (LuCI, ssh, ...), and the two
# forwardings below give them the whole LAN plus masqueraded WAN access.
# That is LAN-level trust for whoever is admitted to the overlay -- intended?
config zone
        option name 'zero'
        option input 'ACCEPT'
        option masq '1'
        list network 'ZT0'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'zero'

config forwarding
        option dest 'wan'
        option src 'zero'

config forwarding
        option dest 'zero'
        option src 'lan'

# udp/9993 accepted from every zone, including wan, for the overlay daemon.
config rule
        option dest_port '9993'
        option src '*'
        option name 'Allow-ZeroTier-Inbound'
        option target 'ACCEPT'
        list proto 'udp'

config forwarding
        option dest 'wan'
        option src 'media'

# NOTE(review): 'src_port 53' means only packets whose SOURCE port is 53 match.
# DNS clients send from random high ports, so DMZ hosts' DNS queries to the
# router are still rejected by the zone's input REJECT.  Drop the src_port
# line and keep dest_port '53'.  The same applies to 'Media - DNS' below.
# The DHCP rules are fine: DHCP clients really do send from port 68.
config rule
        option target 'ACCEPT'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option src 'DMZ'
        option name 'DMZ - DNS'
        option src_port '53'

config rule
        option dest_port '67 68'
        option target 'ACCEPT'
        option src 'DMZ'
        option name 'DMZ -  DHCP'
        option src_port '67 68'

config rule
        option src 'media'
        option target 'ACCEPT'
        option dest_port '53'
        option src_port '53'
        option name 'Media - DNS'

config rule
        option dest_port '67 68'
        option src 'media'
        option target 'ACCEPT'
        option src_port '67 68'
        option name 'Media - DHCP'

config forwarding
        option dest 'wan'
        option src 'DMZ'

# Port forwards 80/443 from wan to the DMZ web server.  With no
# reflection_zone listed, fw4 only reflects these for the destination zone
# (DMZ), so a LAN client that resolves the public name to the WAN address is
# not redirected; it lands in the router's own input chain instead (lan input
# ACCEPT), which would explain the SSL error in the browser -- TODO confirm.
config redirect
        option target 'DNAT'
        option name 'YH (http)'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.3.123'
        option dest_port '80'
        option dest 'DMZ'

config redirect
        option target 'DNAT'
        option name 'YH (https)'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.3.123'
        option dest_port '443'
        option dest 'DMZ'

# Empty rule stanza: a no-op, can be deleted.
config rule

# Lets LAN hosts initiate connections into the DMZ on any port.
config forwarding
        option src 'lan'
        option dest 'DMZ'

Any help appreciated!
/T

Is it the xroad.se ?

Did you add the same name to your local DNS, with the 192.168.3 IP ?


Thanks for your reply, frolic.
Oops, yes it is (I will edit that out).

I've tried, but I don't really understand how to add it.
Can you tell me how to add it to the "local DNS"?

That DNS override (the `config domain` entry in /etc/config/dhcp) is only served by the router's dnsmasq. Your LAN clients are handed 192.168.1.8 as their DNS server via `dhcp_option '6,192.168.1.8'`, so they never ask dnsmasq and the override has no effect for them.


DHCP and DNS -> Hostnames in LuCI, if OpenWrt (dnsmasq) is the DNS server your clients actually use (as @pavelgl pointed out).

Add the FQDN there, with the 192.168.3.x IP.

Also make sure your clients really send their queries to that DNS server.

Thanks guys!
I think I understand the basics, but still some details missing :sweat_smile:

As @pavelgl pointed out, my DNS (AdGuard Home) is on 192.168.1.8 and forwards to upstream DNS servers.

I've added the local DNS entry in OpenWrt (and rebooted), but the name still does not resolve to the internal IP.

# dnsmasq-only override: mydomain.com -> 192.168.3.123.  Only clients that
# actually query this dnsmasq (on port 5353, per the posted config) see it.
config domain
        option name 'mydomain.com'
        option ip '192.168.3.123'

So am I doing something wrong in my local DNS config?

If your DNS is AGH, you need to add the entry there (a DNS rewrite for mydomain.com -> 192.168.3.123), or switch your clients back to dnsmasq and use AGH as dnsmasq's upstream. In the second case keep in mind that dnsmasq has `rebind_protection '1'`: a private address coming back from an upstream for a public name will be filtered unless the name is listed in `rebind_domain` — so keep the override in dnsmasq itself or whitelist the domain.


Yeah, I've tried that too; maybe I'm just doing it wrong...?
I will test some more.

If you don't want to change the DNS setup, a possible workaround is NAT reflection (hairpin NAT): list the lan zone as a reflection zone on the DNAT rules, so LAN clients that connect to the WAN address on 80/443 are redirected to the server as well. Be aware that fw4 SNATs reflected connections by default (reflection_src is the internal address), so the web server will see the router's DMZ-side address instead of the real LAN client address in its logs and in any IP-based access rules.

# Same DNAT rules as before, plus 'lan' as an additional reflection zone so
# connections from the LAN to the WAN address on 80/443 are hairpinned to
# 192.168.3.123 too (by default only the dest zone, DMZ, gets reflection).
config redirect
        option target 'DNAT'
        option name 'YH (http)'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.3.123'
        option dest_port '80'
        option dest 'DMZ'
	    list reflection_zone 'lan'

config redirect
        option target 'DNAT'
        option name 'YH (https)'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.3.123'
        option dest_port '443'
        option dest 'DMZ'
	    list reflection_zone 'lan'

Assuming the config is correct, you still need to make sure your clients actually use your DNS server (192.168.1.8).

You can verify that with nslookup.


Hmm, not sure what this tells me:

nslookup mydomain.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   mydomain.com
Address: <correct ipv4>

That's not on a client though, is it ?

It depends on what we call a client. It's from a PC on my LAN.

$ nslookup google.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.74.78
Name:   google.com
Address: 2a00:1450:400f:803::200e

edit:

$ resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
      DNS Domain: lan

Link 2 (enp37s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fde6:9918:2577::1
       DNS Servers: 192.168.1.8 fd25:7e28:693d::1 fde6:9918:2577::1
        DNS Domain: lan

Then your client doesn't appear to be using the DNS server provided by your LAN, at least not directly.

Isn't the resolvectl status showing that it does — DNS Servers: 192.168.1.8?

It does, but nslookup without an explicit server asks 127.0.0.53, the local systemd-resolved stub; resolved then picks one of its configured servers itself, and your status output shows `Current DNS Server: fde6:9918:2577::1`, not 192.168.1.8.

You could try `nslookup mydomain.com 192.168.1.8` to force nslookup to use your DNS server.


output:

nslookup mydomain.com 192.168.1.8
Server:         192.168.1.8
Address:        192.168.1.8#53

Non-authoritative answer:
Name:   mydomain.com
Address: 192.168.3.123

That's the correct (internal) IP, right?

And what do you get if you leave out the forced DNS server IP in nslookup?

yes, correct local IP

nslookup mydomain.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   mydomain.com
Address: <correct EXTERNAL IP>

Err, local <> external — which one is it?

If it comes back with the external/public IP, your client is bypassing your own DNS: systemd-resolved is currently sending its queries to fde6:9918:2577::1 (see `Current DNS Server` in your resolvectl output), which is neither 192.168.1.8 nor an address from this router's ULA prefix fd25:7e28:693d::/48, so that resolver returns the public address. Make the client use 192.168.1.8 only (or add the same override on every resolver it can reach) and test again.