When I try to configure access to the Nextcloud calendar or contacts, I get the SSL certificate of the Fritzbox displayed… a string ending in …myfritz.net.
I have created a subdomain called nextcloud.mydomain.de. I configured an SSL certificate with Let's Encrypt for that domain. The access is successfully forwarded to the DynDNS address and a server in my home network. It works great when I type https://nextcloud.mydomain.de in the web browser - but not via CalDAV or CardDAV.
The "internal link" which is displayed in the web interface when I click on (literally translated): Edit and share calendar
There is either an error message or the details of the SSL certificate of myfritz.net. I added the domain name to the rebind protection in the Fritzbox and restarted the router - no success. What else can I do so that the domain name is forwarded to the NS8 server and the correct certificate is accessed?
I think the issue is that on the iPhone the domain nextcloud.mydomain.de is resolved to the public IP.
So the iPhone connects to the Fritzbox, but as the connection comes from the LAN the port forward to the NS8 is not applied, therefore the cert of the Fritzbox is shown.
Possible solutions:
Add a DNS entry for nextcloud.mydomain.de on the Fritzbox pointing to the LAN IP of the NS8. The iPhone needs to use the Fritzbox as DNS server when it is inside the LAN.
Enable hairpin NAT (also called NAT reflection or NAT loopback) on the fritzbox to enable port forwards from LAN but I don’t know if it’s supported on fritz devices.
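To tell the two situations described above apart (name resolving to the WAN address from inside the LAN versus the LAN host itself serving the wrong certificate), here is an added diagnostic script that is not from any poster in this thread. The hostname, LAN range, addresses and SAN lists below are constructed sample values; the `probe()` function is a live check and is the only part that touches the network.

```python
import ipaddress
import socket
import ssl
from typing import Optional, Sequence

# Constructed sample values for the offline part (not the poster's real domain).
HOSTNAME = "nextcloud.example.test"
LAN_NETWORK = ipaddress.ip_network("192.168.178.0/24")  # common Fritzbox LAN range


def san_matches(hostname: str, sans: Sequence[str]) -> bool:
    """True if hostname is covered by a dNSName SAN (exact or left-most wildcard)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) == len(host) and labels[1:] == host[1:]:
            if labels[0] == "*" or labels[0] == host[0]:
                return True
    return False


def diagnose(hostname: str, resolved_ip: str, sans: Sequence[str],
             lan: ipaddress.IPv4Network = LAN_NETWORK) -> str:
    """Classify why a LAN client sees the wrong certificate for hostname.

    resolved_ip: address the client's resolver returned for hostname.
    sans: dNSName entries of the certificate the client actually received.
    """
    if san_matches(hostname, sans):
        return "ok"
    if ipaddress.ip_address(resolved_ip) not in lan:
        # Name points at the WAN address while we sit inside the LAN: without
        # hairpin NAT the router terminates the connection with its own cert.
        return "wan-ip: add a LAN DNS record for the host or enable hairpin NAT"
    return "lan-ip: the LAN host itself serves a certificate for another name"


def probe(hostname: str, port: int = 443) -> tuple[str, list[str], Optional[str]]:
    """Live check (needs network): resolve hostname, connect with SNI and return
    (ip, SAN names, verify_error). Hostname checking is off so a trusted but
    mismatched certificate is still returned for inspection."""
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # CA verification stays on (CERT_REQUIRED)
    try:
        with socket.create_connection((ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return ip, [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"], None
    except ssl.SSLCertVerificationError as exc:
        return ip, [], exc.verify_message  # e.g. an untrusted router CA
```

Run `probe()` once from the LAN and once from outside (e.g. mobile data) and feed the results into `diagnose()`; a verify error such as an untrusted issuer from the LAN side while the outside probe returns the Let's Encrypt SANs is the signature of the missing LAN DNS record or hairpin NAT.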
I don’t think that will work.
If a public DNS server resolves a domain name to an IP address from the local network area of the FRITZ!Box, the DNS server of the FRITZ!Box blocks this DNS response and does not forward it. This is probably intended to prevent potential attackers with disguised name servers from gaining access to the home network of FB users via DNS rebinding.
Then perhaps this is an innovation. However, I only use the FB in the “castrated” version on my cable business connection. A HW firewall behind it is a must.
Sorry for the delay: I configured the DNS rebind exception for nextcloud.mydomain.de in the Fritz interface - no success.
I also tried the access from outside the local network - also without success.
Then I tried to configure a different internal DNS server (so that the Fritzbox is not used as DNS, but the requests are forwarded to the configured local one)… that did also not help with my problem.
I did not find the possibility to configure a separate DNS record in the Fritz interface… maybe I'll have to configure some sort of HW firewall behind it, as Uwe mentioned.
If you do this, you will receive a link with the UUID like https://nextcloud.yourdomain.de/remote.php/dav/principals/users/724C60D-AFA9-4A31-98C3-1M2803A32B13/
FritzBox does not provide a full-fledged DNS server. If you want to run a server at home, it won’t work without one.
I would always recommend a dedicated gateway between the FritzBox and the local network to ensure network separation.
The Fritzbox then only acts as a DSL modem. The WLAN on the FritzBox should also be deactivated.
All local clients are then located behind the gateway.
These can be different devices: boxes with OPNsense, NethSecurity or, my preference, the UniFi Cloud Gateway Ultra.
If you compare the costs of purchase, configuration and administration in the lifecycle, you will find that you are best off with it. Not to mention the functionality and usability.
Hmmm, thanks… I'm always a bit sceptical about such devices using a USB-C power adapter… but okay, I like the UniFi products in general… I have multiple switches at several customers which all work great.
Probably I will have to restructure the network and use an intermediate gateway.