nap

joined 2 years ago
[–] nap@sh.itjust.works 1 point 6 months ago

Update: I ditched the second OPNsense and figured out that MTU discovery with PVE and the like needs some hard tweaking. Got it to work now. Hit me up for guidance 😅

[–] nap@sh.itjust.works 1 point 8 months ago (1 children)

Should the nginx proxy receive that packet? If I trace between the LAN host and the GW, there are no public IPs.

[–] nap@sh.itjust.works 2 points 8 months ago

I think I'll let it rest for a day, I'm confused.

[–] nap@sh.itjust.works 2 points 8 months ago (3 children)

Hm, it could be a little bit much, but public IP -> wg0 -> proxy -> router -> server and back should be OK, shouldn't it?

[–] nap@sh.itjust.works 1 point 8 months ago (2 children)

What? That's totally confusing. I took my laptop (192.168.35.242), tethered it to my mobile (192.168.35.116) and captured with Wireshark. 192.168.35.0/24 should never ever be a part of my network.

[–] nap@sh.itjust.works 3 points 8 months ago (4 children)

I never got the time to learn how to read captures :'(

At one time I tried to use two proxies, but I changed it back to one. The host I'm trying to reach is a Docker host running Immich. So the only real proxy should be "192.168.1.1".

[–] nap@sh.itjust.works 1 point 8 months ago (5 children)

There is one DNAT rule on the public OPNsense forwarding the HTTP/S traffic to my proxy. Between my DMZ and LAN there is no NAT, only routing. On the way back out there is a masquerade/SNAT rule for my local IPs.

[–] nap@sh.itjust.works 3 points 8 months ago (6 children)

Green boxes are IPs, red ones are FQDNs.

curl capture (made first so DNS is captured as well)

Firefox capture

[–] nap@sh.itjust.works 3 points 8 months ago

I tested with my mobile on LTE and got the same results.

[–] nap@sh.itjust.works 2 points 8 months ago (7 children)

Ah sorry, bad choice, but I masked my real LAN IPs.


Hey,

Currently I am at a loss with my setup and can't figure out what's going wrong. I'm preparing a migration of my private root server to my @Home setup. The idea was to create a DMZ for all those servers with public internet access and put them into it.

Now I have a public OPNsense, a modem from my ISP, a UniFi Dream Machine (that manages the LAN and so on) and another OPNsense inside my DMZ.

There is a WireGuard tunnel connecting the two OPNsenses; the local one has a 0.0.0.0/0 route as its peer network.

If I now try to access any website managed by the nginx proxy (192.168.1.1/24), it works fine as long as the website is inside the DMZ.

My problem now is to make the green path work, i.e. to access stuff inside my LAN via the public OPNsense.

The proxy is able to curl the LAN websites and I can ping and trace all the IPs, but something is broken. I can see the packets arrive at the LAN website and make it back to the public OPNsense, but my browser always gets a "timed out" :'(
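The pattern in the post above (ICMP and a curl from the proxy go through, the packets are seen coming back to the public OPNsense, yet the browser's TCP session times out) is consistent with a path-MTU problem on the WireGuard leg, and the later update on this page attributes the fix to MTU tuning. As an added example, not code from the original post, the following POSIX shell helper computes the inner MTU a WireGuard tunnel leaves for its payload, the TCP MSS that fits it, and probes the real path MTU with don't-fragment pings. The target host, the default size bounds and the Linux iputils `ping -M do` flag are assumptions (FreeBSD/OPNsense `ping` sets DF with `-D` instead).

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: target host is
# given on the command line, Linux iputils ping (`-M do` sets DF; on
# FreeBSD/OPNsense use `-D`), IPv4 inside the tunnel.

# Inner MTU left for traffic carried inside a WireGuard tunnel.
# Overhead = outer IP header + UDP (8) + WireGuard data header (16) + Poly1305 tag (16)
#   outer IPv4: 20 + 8 + 32 = 60 bytes  -> 1500 becomes 1440
#   outer IPv6: 40 + 8 + 32 = 80 bytes  -> 1500 becomes 1420 (WireGuard's default MTU)
wg_inner_mtu() { # wg_inner_mtu <outer_mtu> [4|6]
  case "${2:-4}" in
    6) echo $(( $1 - 80 )) ;;
    *) echo $(( $1 - 60 )) ;;
  esac
}

# TCP MSS to clamp to for a given link MTU (IPv4 20 + TCP 20 = 40 bytes of headers).
tcp_mss() { # tcp_mss <mtu>
  echo $(( $1 - 40 ))
}

# One ICMP echo of total size $1 bytes with DF set; ICMP payload = size - 28
# (IPv4 header 20 + ICMP header 8). Succeeds only if the packet passes unfragmented.
df_ping() { # df_ping <size> <host>
  ping -c 1 -W 1 -M do -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# Largest packet size that reaches <host> without fragmentation, found by binary
# search between [lo] (assumed to pass) and [hi]. Prints the path MTU.
probe_pmtu() { # probe_pmtu <host> [lo] [hi]
  host=$1; lo=${2:-576}; hi=${3:-1500}
  df_ping "$hi" "$host" && { echo "$hi"; return 0; }
  df_ping "$lo" "$host" || { echo "even $lo bytes does not pass to $host" >&2; return 1; }
  while [ $(( hi - lo )) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if df_ping "$mid" "$host"; then lo=$mid; else hi=$mid; fi
  done
  echo "$lo"
}

# Only probe when a target is given, e.g.:  sh pmtu.sh 192.168.1.1
if [ -n "${1:-}" ]; then
  pmtu=$(probe_pmtu "$1") || exit 1
  echo "path MTU to $1: $pmtu bytes; clamp TCP MSS on that path to $(tcp_mss "$pmtu")"
fi
```

Run the probe from a LAN host against the nginx proxy and from the proxy against the public OPNsense's tunnel address; if the result is below the MTU configured on the WireGuard interface, either lower that interface's MTU to the probed value or clamp MSS on it (the MSS field in the OPNsense interface settings, or on Linux an nftables rule such as `tcp flags syn tcp option maxseg size set rt mtu`). Small packets such as ping and a short curl fit under the real path MTU, which is why they pass while a browser's full-size TLS records stall.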
