I’m a noob on NS (yet) and I’m trying out NethSecurity to move my server over slowly to another distro.
The most important thing is to get NethSecurity working.
I’ve got it running and the DHCP is giving leases to the devices, so I have internet on the network.
Now I want to have the incoming traffic like mail, Nextcloud and SOGo webmail to be accessible from outside.
I’ve made port forwards for ports 25, 80 and 443 from WAN to IP 192.168.1.2 and opened the ports in the firewall.
When I want to access the pages from my domain I do not get to the Nextcloud page or webmail. When I try the WAN IP I will see the webserver.
WAN IP with /nextcloud or so doesn’t work and I’ll see the NethSecurity login page.
Most importantly, using my domain name is not working at all, not even the webserver page.
What am I doing wrong?
Appreciate the help and patience.
By default, all port forwards are accessible only for hosts inside the WAN. Refer to the Hairpin NAT for instructions on changing this default behavior.
I am trying to find out what “hairpin” is used for, I’ve never used that function, yet never have had any issues connecting to internal hosts - as DNS works, I always get the internal IP…
Seems a lot of people have to use “hairpin”, IMHO a basic design failure…
After all, NS7 already used an “overwrite” capable DNS (DNSmasq and Unbound both can handle this correctly…), so does NethSecurity…
So why use “Hairpin”?
I do not understand why people are connecting to the external IP, for a resource which is internal…
Or is “hairpin” basically a “workaround” for people who have NO understanding of how basic DNS works?
Maybe my description of my problem was not complete.
This may be a better explanation:
www.mydomain.nl ----> WAN (NETHSECURITY) ----> LAN ----> LOCAL IP
I cannot access the local IP on port 80 or 443 when I browse with my domain name.
When I browse with the WAN IP I can get to the local IP.
I hope this explains it a bit better.
I can’t test at the moment, but will try in a few days
I’m sorry, I am trying to find out about something I never saw in NS7. As I never used NS7 really as a firewall, besides for tests and a cloud “instance”, which does not have internal users, so hairpin was never an issue…
Maybe such concepts need to be introduced at some point?
“Assuming” everyone wants and needs an all-in-one may also be considered “rude”…
But yes, there was no option in any of NS7 GUIs to correctly handle CNAMEs which were NOT NethServer itself… So hairpin is basically a workaround for this (also).
May be a good idea to write a small How-To about split-horizon DNS, as this function / concept is now known… It seems a lot of users would / could benefit from a better understanding of DNS, still a key component in almost any IT function…
According to Wikipedia (EN)
In computer networking, split-horizon DNS (also known as split-view DNS, split-brain DNS, or split DNS)
See if I can find some time to write a How-To on this…
My 2 cents
Andy
PS:
In my day, it was almost exclusively known as “split-brain DNS”, now the “politically correct” term is “split view DNS”… As Shakespeare said: “A rose by any other name”…
Interesting side note:
In the English Wiki, the article is known as “Split-horizon DNS”, in the German Wiki, it’s titled simply: “Split DNS”. All other references are redirected…
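
The two approaches discussed in this thread, hairpin NAT and split-horizon DNS, compared in a simplified model. This is an added example, not part of any post above and not NethSecurity code. The WAN address, the firewall LAN address and both client addresses are constructed assumptions; 192.168.1.2, the forwarded ports and www.mydomain.nl come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed values (documentation ranges); only SERVER, ports and name are from the thread.
WAN_IP = ip_address("203.0.113.10")
FW_LAN_IP = ip_address("192.168.1.1")
LAN = ip_network("192.168.1.0/24")
SERVER = ip_address("192.168.1.2")
FORWARDED_PORTS = {25, 80, 443}
OUTSIDE = ip_address("198.51.100.7")   # client on the internet
INSIDE = ip_address("192.168.1.50")    # client on the LAN
PUBLIC_DNS = {"www.mydomain.nl": WAN_IP}
LOCAL_OVERRIDE = {"www.mydomain.nl": SERVER}  # split-horizon record on the LAN resolver


def resolve(name, client, split_dns):
    """LAN clients get the internal address only when the override is configured."""
    if split_dns and client in LAN and name in LOCAL_OVERRIDE:
        return LOCAL_OVERRIDE[name]
    return PUBLIC_DNS[name]


def connect(client, name, port, *, hairpin=False, split_dns=False):
    """Return (who receives the connection, source address the server sees)."""
    dst = resolve(name, client, split_dns)
    if dst in LAN:
        # Same subnet: delivered directly, the firewall never handles the packet.
        return ("server", client) if dst == SERVER else ("unreachable", None)
    if dst != WAN_IP or port not in FORWARDED_PORTS:
        return ("unreachable", None)
    if client not in LAN:
        # Arrives on the WAN zone: the port forward (DNAT) matches.
        return ("server", client)
    if hairpin:
        # Reflection: DNAT to the server plus SNAT to the firewall's LAN address,
        # so the reply goes back through the firewall rather than straight to the client.
        return ("server", FW_LAN_IP)
    # Arrives on the LAN zone: the WAN-only forward does not match, so the
    # packet is handled by the firewall's own input rules.
    return ("firewall", None)


if __name__ == "__main__":
    for label, kw in [("default", {}), ("hairpin", {"hairpin": True}),
                      ("split DNS", {"split_dns": True})]:
        print(f"LAN client, {label}:", connect(INSIDE, "www.mydomain.nl", 443, **kw))
    print("WAN client:", connect(OUTSIDE, "www.mydomain.nl", 443))
```

With hairpin NAT the server logs the firewall's address as the source of internal requests; with the DNS override it logs the real client address.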