Show real device IP when accessing public domain from my network

Hello,

Running openwrt v21.02

When I access my server at domain:port (set by DDNS) from inside the network, httpd-access.log shows the address of my router. NAT loopback is enabled. That is:

192.168.1.2 - - [27/Sep/2023:17:17:21 +0100] "GET /settings/admin/logging HTTP/1.1" 200 13173

192.168.1.2 is my router address, but I'm accessing from my PC, let's say 192.168.1.213.

This causes a lot of problems because Nextcloud is throttling the router's accesses for excess attempts within a time frame, when what is actually happening is that a lot of other devices on the network (phone, tablet, other PCs, ...) are accessing the server, but Nextcloud only sees the router address.

Could somebody help, please? Thank you.

Use IPv6 or split DNS to avoid NAT:

Or move the server to a separate subnet.


Note that SNAT is mandatory for NAT loopback if the source and destination are on the same subnet.
The option reflection_src you linked only changes between the LAN and WAN IP of the router.

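For reference, here is what the SNAT point above looks like in the firewall config. This is an added example, not a config posted in the thread; the zone names, server address and port are assumptions. The reason SNAT is mandatory on a same-subnet loopback is that without it the server would answer the LAN client directly from 192.168.1.10, while the client is expecting a reply from the public address, so the TCP session fails. `reflection_src` only picks which router address is substituted for the client's.

```uci
# Added example (not from the thread): /etc/config/firewall redirect for the
# port forward being discussed, with NAT loopback (reflection) enabled.
# Assumptions: WAN zone 'wan', LAN zone 'lan', server 192.168.1.10, port 4443.
config redirect
	option name 'nextcloud'
	option src 'wan'
	option src_dport '4443'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '4443'
	option proto 'tcp'
	option target 'DNAT'
	# reflection '1' is the default: LAN clients may use the WAN address.
	option reflection '1'
	# 'internal': LAN clients show up at the server as the router LAN IP (192.168.1.2)
	# 'external': LAN clients show up as the router WAN/public IP
	# In both cases the client's own address is rewritten; the server never sees it.
	option reflection_src 'internal'
```

Check the effect with `cat /etc/config/firewall` after editing and `/etc/init.d/firewall restart`; the access log on the server will still show 192.168.1.2 (or the public IP with `external`) for LAN clients, which is exactly the problem split DNS avoids by keeping the connection off the loopback path altogether.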

@lleachii
Thank you for the suggestion.

If I switch to external IP the problem remains, that is, all the accesses from within my network have the same public IP, instead of the router IP.

@vgaetera

Thank you for the suggestion.

I'm trying to avoid IPv6 on my network because, to start, it's unknown territory, and then it would raise other, worse issues.

Moving to another subnet would also raise other questions, mainly access for maintenance; it's a TrueNAS server with many jails and VMs.

@vgaetera
So, isn't there a way to log the real local device IP making the access? It seems nonsense.

Not sure if it shows the source IP correctly, but what I did for my WireGuard is to forward any traffic directed at my public IP address for the WireGuard port to the router itself. I have a double NAT with my OpenWrt router in the DMZ of the ISP router. In this way I avoid U-turn traffic if I use the VPN locally. But maybe if you do the same it shows the correct IP for you?

You can also use split DNS or perhaps a reverse proxy.


(Wow, that means the OP in the other thread still had an SNAT rule - despite saying no. LOL, thanks.)


Tried split DNS (host name); it doesn't work. My server is a TrueNAS with several jails, one of them being a web server with multiple virtual hosts using different internal IPs and ports; one of them is Nextcloud. So, I think this is correct:
uci add dhcp domain
uci set dhcp.@domain[-1].name="mypublicdomain.com:4443"
uci set dhcp.@domain[-1].ip="192.168.1.10:4443"
uci commit dhcp
/etc/init.d/dnsmasq restart

As I said, the log still shows source = 192.168.1.2

As to a reverse proxy, it seems a good idea, but it takes considerable work to implement given all the servers I have.


I can't remove the port because there are other virtual hosts using this domain on other ports.
Yes, my DHCP supplies the DNS address (router), so all devices use it.
I've never touched the DoH setting on any browser; is it enabled by default? I can't find the setting in Firefox, which is what I use on all devices.
I don't know what DoT is; I searched but could only find a browser type.
EDIT: Just found it following your link, thank you. Will try this.

I just read that it's possible to make nextcloud trust a specific address. I'm going to try that path now, seems easier.

Thank you all.

The original and redirected destination ports must match, that's a mandatory requirement for split DNS to work, and if you cannot make it, this method is not suitable for you.

Modern desktop and mobile browsers and mobile OS often enable DoH and DoT by default.


By the way, there was recently a thread discussing a similar problem:
How to have resilient port forwarding DDNS when internet is down


Many thanks, it's working with split DNS. I just had to take out the ports from the host definition as you said.

Now I just have to set domain aliases for the other servers that have a different IP and set up other split DNS entries for those.

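Putting the whole resolution together: this is an added example of the working split DNS config, not the config posted in the thread, covering the multi-host case the last post mentions. The host names and addresses are placeholders. A `config domain` entry maps a name to an address and nothing else, which is why a port cannot appear in it: the client keeps whatever port is in the URL, so the jail must listen on the same port the WAN forward uses (4443 external to 4443 internal works, 4443 to 443 does not). Split DNS keeps the connection entirely on the LAN, so the server logs the real client address. Nextcloud's `trusted_proxies` setting would not have helped here, since it only reads X-Forwarded-For from a listed HTTP reverse proxy, and a router doing SNAT rewrites the IP header without adding any such HTTP header.

```uci
# Added example (not from the thread): /etc/config/dhcp entries that make the
# router's dnsmasq answer the public names with internal addresses for LAN clients.
# Assumptions: placeholder names and addresses; each jail listens on the same
# port that its WAN port forward uses, since the name carries no port.
config domain
	option name 'mypublicdomain.com'
	option ip '192.168.1.10'

# Aliases for the other virtual hosts that live on different internal IPs.
config domain
	option name 'files.mypublicdomain.com'
	option ip '192.168.1.11'

config domain
	option name 'media.mypublicdomain.com'
	option ip '192.168.1.12'
```

Apply with `/etc/init.d/dnsmasq restart`, then from a LAN client run `nslookup mypublicdomain.com 192.168.1.2` and confirm it returns 192.168.1.10 rather than the public address. If a whole zone should resolve internally, `list address '/mypublicdomain.com/192.168.1.10'` in the `config dnsmasq` section matches the name and every subdomain at once. Two things still bypass this: any client using DoH or DoT (it never asks the router) and any client with a hard-coded public resolver; both will keep taking the NAT loopback path and keep showing up as 192.168.1.2.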
