Website Host Inside VLAN; Access FQDN from another VLAN Rejected request from RFC1918 IP to public server address

Issue: When I attempt to access www.example.com (192.168.21.2, hosted by WebHost, VLAN ID 21) from WindowsPC1 (VLAN ID 10, 192.168.10.2) I receive the error "Rejected request from RFC1918 IP to public server address".

I found this: OpenWRT Post #1 & Post #2

But to say I don't really understand how to accomplish either would be an understatement.

I've only been using the GUI, so for the conf files they are referring to I have been looking for equivalents in the GUI. I suppose I would need to SSH into the router to access them.

I know I can access the host at least using its private address, and I can access the website host if I use another device on a different network. Very similar case to the other posts.

But you gotta be patient with me as this is the most in-depth setup I've ever tackled; very new to this besides knowing how to flash a different OS to a router.

To my understanding, I need to set up a redirect or a rule, not sure of what kind though, so that when a device from within the network attempts to connect to the FQDN it redirects it to the private address. But I'm just about ready to bang my head on the wall.

But hopefully that's enough of that, here are some diagrams.

Things I've read:

I just don't seem to have grasped it yet from what I've found.

Thanks.

Welcome to the community. See this post with an example redirect rule to change the IP.

If you have difficulties adapting them to your interface names, just ask us.

Thank you,

I tried what you recommended:

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	# source network
	option src_ip '192.168.1.0/26'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.21.2'
	# place the packet in the same network as the source packet
	option dest 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	# source network
	option src_ip '192.168.10.0/26'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.21.2'
	# place the packet in the same network as the source packet
	option dest 'Internet'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	# source network
	option src_ip '192.168.1.0/26'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.21.2'
	# place the packet in the same network as the source packet
	option dest 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	# source network
	option src_ip '192.168.10.0/26'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.21.2'
	# place the packet in the same network as the source packet
	option dest 'Internet'

But then after a reboot I was no longer receiving an IP from any VLAN ID and would time out if I set a static address and attempted to access LuCI. I reset the router to get back in.

My next question would be which file would this go in?

I was able to SSH in and look at it, and I just appended that to the end of the file /etc/config/firewall.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#hostnames

https://forum.openwrt.org/t/cant-reach-public-ip-from-within-lan/110520

https://forum.openwrt.org/t/22-03-2-nat-reflection-hairpinning/146458

Had never gotten it working, then waited. Thought I'd check for an update and see if some of the options I was recommended would appear within the GUI. No avail, I still hadn't learned much more about my issue. Then I started searching again, stumbled upon the links above, and ended up just adding the domain name entries and setting the IP for them:

# add one 'config domain' section: the name to override and the host's private address
uci add dhcp domain
uci set dhcp.@domain[-1].name="my.domain"
uci set dhcp.@domain[-1].ip="host.ip.address"
# repeat the three lines above for each subdomain, then save and reload dnsmasq
uci commit dhcp
service dnsmasq restart

I had to do this for my subdomains as well but I don't have that many so I didn't mind this option. It works and I don't have to mess with host files across multiple devices.

Despite this working, I was still interested in figuring out how the NAT hairpinning / reflection zone worked, as it seemed the issue arises when using VLANs. Either way, I would say this thread is done. Thanks for the help.
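Two things went wrong or were fiddly in this thread: the redirect block pasted into /etc/config/firewall had a mismatched quote (`'192.168.21.2"`), which is the kind of parse error that can leave the router unreachable after a reboot, and the dnsmasq workaround needs one `config domain` entry per subdomain. The script below is an added example, not code from the thread or from OpenWrt: a small offline checker that parses UCI-style `config`/`option` text, reports unbalanced quotes with the line number, applies a few sanity rules to `redirect` sections (RFC1918 `dest_ip`, parseable `src_ip`, numeric ports; the rules are mine, not OpenWrt's validation), and lists which hostnames still lack a split-DNS override. The sample config text is constructed for the example; `203.0.113.10` is a documentation address standing in for a public IP.

```python
import ipaddress
import re

# Constructed sample: the poster's first redirect, mismatched quote on dest_ip kept on purpose.
BROKEN_FIREWALL = """\
config redirect
    option target 'DNAT'
    option src 'wan'
    option proto 'tcp'
    option src_dport '80'
    option dest_port '80'
    option src_ip '192.168.10.0/26'  # source VLAN
    option name 'REDIRECT_HTTP_LAN'
    option dest_ip '192.168.21.2"
    option dest 'lan'
"""

# Constructed sample of /etc/config/dhcp overrides; the second one still points at a public IP.
SAMPLE_DHCP = """\
config domain
    option name 'www.example.com'
    option ip '192.168.21.2'

config domain
    option name 'api.example.com'
    option ip '203.0.113.10'
"""

# One single-quoted string, one double-quoted string, or a bare word, then an optional '#' comment.
_VALUE_RE = re.compile(r"""^(?:'([^']*)'|"([^"]*)"|([^\s'"#]+))\s*(?:#.*)?$""")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_uci(text):
    """Parse 'config'/'option'/'list' lines into sections; return (sections, errors)."""
    sections, errors, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # keyword, name, value text
        if parts[0] == "config":
            current = {"type": parts[1] if len(parts) > 1 else None, "line": lineno, "options": {}}
            sections.append(current)
            continue
        if parts[0] not in ("option", "list") or len(parts) < 3 or current is None:
            errors.append((lineno, f"unexpected line: {line}"))
            continue
        match = _VALUE_RE.match(parts[2])
        if match is None:
            errors.append((lineno, f"unbalanced quotes in value of '{parts[1]}'"))
            continue
        value = next(g for g in match.groups() if g is not None)
        if parts[0] == "list":
            current["options"].setdefault(parts[1], []).append(value)
        else:
            current["options"][parts[1]] = value
    return sections, errors


def is_rfc1918(addr_text):
    """True only for 10/8, 172.16/12 and 192.168/16 (not Python's broader is_private)."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def lint_redirects(sections):
    """Flag redirect sections that cannot work as a hairpin/port-forward rule."""
    findings = []
    for sec in sections:
        if sec["type"] != "redirect":
            continue
        opts = sec["options"]
        if opts.get("target", "DNAT") == "DNAT":
            dest_ip = opts.get("dest_ip")
            if dest_ip is None:
                findings.append((sec["line"], "DNAT redirect has no dest_ip"))
            elif not is_rfc1918(dest_ip):
                findings.append((sec["line"], f"dest_ip {dest_ip} is not an RFC1918 address"))
        src_ip = opts.get("src_ip")
        if src_ip is not None:
            try:
                ipaddress.ip_network(src_ip, strict=False)
            except ValueError:
                findings.append((sec["line"], f"src_ip {src_ip!r} is not an address or network"))
        for key in ("src_dport", "dest_port"):
            val = opts.get(key)
            if val is not None and not re.fullmatch(r"\d+(?:-\d+)?", val):
                findings.append((sec["line"], f"{key} {val!r} is not a port or port range"))
    return findings


def domain_map(sections):
    """Collect 'config domain' name -> ip overrides, as dnsmasq will answer them."""
    return {sec["options"]["name"]: sec["options"]["ip"] for sec in sections
            if sec["type"] == "domain" and "name" in sec["options"] and "ip" in sec["options"]}


def missing_overrides(mapping, names, internal_ip):
    """Hostnames that do not yet resolve to the host's private address inside the network."""
    return sorted(n for n in names if mapping.get(n) != internal_ip)


if __name__ == "__main__":
    secs, errs = parse_uci(BROKEN_FIREWALL)
    print("syntax errors:", errs, "| findings:", lint_redirects(secs))
    dsecs, _ = parse_uci(SAMPLE_DHCP)
    print("needs override:", missing_overrides(domain_map(dsecs),
          ["www.example.com", "api.example.com", "blog.example.com"], "192.168.21.2"))
```

Run it against a copy of /etc/config/firewall or /etc/config/dhcp pulled off the router (`scp` it to a workstation) before committing a hand-edited block; the quote check catches the exact defect from this thread, and `missing_overrides` gives the list of names you still have to add with `uci add dhcp domain`.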
