Suddenly unable to reach YunoHost user interface, Admin panel fully functional

My YunoHost server

Hardware: Zotac Zbox EN760 SFF PC.
YunoHost version: 11.2.9.1
I have access to my server : Through the web admin panel and through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If your request is related to an app, specify its name and version: not related to a specific app

Description of my issue

The user interface suddenly became inaccessible from my local network last night. I can still access the admin panel, diagnostics shows no issues, and there are no logs from around the time that this started occurring that I can yunopaste, sorry. I can access all user services from external connections, and hairpin NAT is still enabled on my EdgeOS router. I am able to access the services from my guest network, which has its own subnet and is isolated from my internal subnet.

Honestly I am unsure where to start troubleshooting, most of the forum posts about this issue suggest adding manual DNS entries in local devices’ hosts files, but this is not a viable solution for me as I have a number of embedded devices, and devices that roam between internet connections, that need to access Yunohost services. I can set up a local DNS server if necessary, but I would prefer to avoid it if possible. My best guess is that something in Yunohost is seeing the request from a local IP and is blocking it.

This is really confusing me as it worked yesterday (and for 2 years before that) with no issues, and no configurations changed during this time. I have rebooted both my router as well as my Yunohost machine but it does not seem to make any difference.

Hi, have you tried to just clear the cache of your browser?
Reboot the server?

1 Like

What do you mean? Do you have error messages? What does the web browser console say? Did you try connecting using private mode?

1 Like

Hi Tomas, thanks for your suggestions.

I have rebooted the server twice, rebooted my router once, and cleared all cache and cookies on my browser. Unfortunately none of these have had any effect.

If I click on “user interface” in the admin panel while accessing it from the local IP, or if I navigate to my domain name while connected to the same subnet/VLAN as the server Firefox gives me the error “connection timed out”. This does persist while in private mode and the Firefox console simply says “This error page has no error code in its security info”. It also persists across many devices so I doubt it is browser related. There is no error message that I can find in any console or log file.

What do you get when you ping your domain? Try to disable hairpin and enable it again on the router.

1 Like

Hi Jarod, thanks for your reply.

When hairpin is disabled the domain name directs me to the router's configuration page. When re-enabled it reverts back to the conditions described in my prior post.

When I ping my domain name I get sub-millisecond replies from my public/WAN IP address.

Maybe you need to set up local hostnames on your router?
If you have a Linux client, you can see what your domain returns with nslookup:

$ nslookup mydomain.com
Name:   mydomain.com
Address: <local or external ip??>
1 Like

Hi Tomas, thanks for the suggestion.

nslookup returns my public IP as a reply. I do not have any sort of local nameserver; all of the devices on my network use public nameservers.

If my understanding is correct, the local client will send its request to the public IP, which is my router. Then, because hairpin NAT is enabled, the router will check its port forwarding table and forward my request to the correct local IP for that port.

I could set up a local nameserver and use .local addresses, but this would not solve the issue of roaming devices that only spend some of their time on the network as reconfiguration would be required for all of the separate client applications every time they join or leave the local network.

From a technical perspective I am having trouble seeing why local devices couldn’t use the local domain name with hairpin NAT. This was working previously for years and there was no configuration or firmware change on either the YunoHost system or any of my network devices when this issue arose. I suppose it is possible that my ISP pushed some sort of update to their modem, but as my EdgeOS router has my WAN IP assigned to it local requests for that IP shouldn’t even make it to the modem.

Ok, I had similar problems(?) and I had to configure my DNS to point to my local IP using local hostnames. Now my nslookup shows my local IP.
Maybe worth trying - https://help.ui.com/hc/en-us/articles/115010913367-EdgeRouter-DNS-Forwarding-Setup-and-Options#1
See " Customizing the DNS Forwarding Options"

1 Like

Hi Tomas,

To clarify, you are using the DNS forwarder to tie your public domain to a local IP? Or are you tying a .local address using the forwarder?

Thanks

To tie your public domain to a local IP.

1 Like

Tomas,

Thanks for your help. This solved it. I am not sure why this was necessary as it worked before, but it is working now in any case. Though there are some issues with applications such as Firefox that are often configured to use their own DNS, but that is not insurmountable on my end.

Nice! Yeah, networking can be like magic :sweat_smile:

1 Like

Tomas,

Unfortunately I may have spoken too soon; while it was working in my initial testing, it reverted back to failing again within a few minutes, and has been in and out since then.

Honestly this is somehow more confusing than it was before.

nslookup shows the domain pointing to the correct internal IP from the router's nameserver.

The services are still consistently accessible from my guest network and WAN.

Did you reboot your client?

1 Like

Tomas,

The ones that I can reboot without taking services down yes (I will need to schedule those). On the ones that I couldn’t I flushed the DNS cache. It is intermittent across all clients I have tried. I will give it a day and check back in to try and rule out cache issues.

Hi Tech_Geekt97,

What a frustrating problem!

Do I understand correctly:

  • from Yunohost LAN:
    • access to admin page via IP
    • no access to SSO page via domain name
  • from guest LAN:
    • access to admin page via IP
    • access to SSO page via domain name
  • from guest WAN:
    • access to admin page via IP
    • access to SSO page via domain name

When you mention domain name: which one? I read ‘local’, do you mean .local or the regular FQDN with a local IP in public DNS?

I’m not familiar with EdgeOS devices. Could they have an option enabled (via a recent update) that prevents DNS-rebind attacks? (It would not really explain the case where access via guest is still possible; perhaps different rules for guest networks.)

Does nginx's access log show anything while trying to access the SSO page? Or a picky fail2ban filter? Does your router have complicated firewall rules, or an interface to view logging?

1 Like

Hi wbk,

Thanks to your reply I have figured it out!

I had recently reinstalled Nextcloud due to the issue I describe in this thread.

This led to a reset on all authorized clients. A Nextcloud Android app with auto-upload enabled was making endless authentication attempts, causing a fail2ban block on the IP, in this case my router's IP, which was sending all the LAN requests due to hairpin NAT. I was able to discover this as the issue followed that Android device.

I had considered fail2ban before, but this YunoHost documentation page and SSH being unaffected led me to rule it out initially, as I believed that fail2ban only affected SSH connections, which is not the case.

Manually removing the IPs from jail (as well as adding a whitelist entry for my router’s IP for future resiliency) has solved the issue.

I have also removed my local DNS server so that I have 1 less service to manage, but I am sure it would have continued to work fine with it in place.

I will report back if I run into further issues, but I do not expect any.

Thanks to everybody for their help it is greatly appreciated!

2 Likes
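The failure mode found above, one LAN client getting the whole LAN banned because hairpin NAT collapses every internal request to the router's address, can be confirmed from fail2ban's own log. The script below is an added example, not code from the thread or from YunoHost; the log lines, the jail name and the router address 192.168.1.1 are constructed, while `ignoreip` is fail2ban's real jail.local key.

```python
"""Spot a fail2ban ban of the hairpin-NAT gateway and produce the whitelist fix."""
import re
from collections import Counter

ROUTER_IP = "192.168.1.1"  # assumed LAN address of the EdgeOS router (hairpin source)

# Constructed fail2ban.log excerpt in fail2ban's default line format. The
# repeated Ban/Unban of the gateway is the intermittent "in and out" symptom.
FAIL2BAN_LOG = """\
2024-01-10 02:14:03,112 fail2ban.filter  [812]: INFO    [yunohost] Found 192.168.1.1 - 2024-01-10 02:14:03
2024-01-10 02:14:05,401 fail2ban.filter  [812]: INFO    [yunohost] Found 192.168.1.1 - 2024-01-10 02:14:05
2024-01-10 02:14:07,933 fail2ban.actions [812]: NOTICE  [yunohost] Ban 192.168.1.1
2024-01-10 02:20:11,004 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.77 - 2024-01-10 02:20:10
2024-01-10 02:24:08,120 fail2ban.actions [812]: NOTICE  [yunohost] Unban 192.168.1.1
2024-01-10 02:25:02,777 fail2ban.actions [812]: NOTICE  [yunohost] Ban 192.168.1.1
"""

BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def ban_events(log_text):
    """Return (timestamp, jail, action, ip) for every Ban/Unban line."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            events.append((m["ts"], m["jail"], m["action"], m["ip"]))
    return events


def jails_banning(log_text, ip):
    """Map jail name -> number of times `ip` was banned (empty dict if never)."""
    counts = Counter(jail for _, jail, action, banned in ban_events(log_text)
                     if action == "Ban" and banned == ip)
    return dict(counts)


def ignoreip_snippet(ip):
    """jail.local fragment whitelisting the gateway so one misbehaving LAN
    client can no longer lock out every device behind hairpin NAT."""
    return f"[DEFAULT]\nignoreip = 127.0.0.1/8 ::1 {ip}\n"


if __name__ == "__main__":
    bans = jails_banning(FAIL2BAN_LOG, ROUTER_IP)
    if bans:
        print(f"gateway {ROUTER_IP} banned by jails: {bans}")
        print("add to /etc/fail2ban/jail.local and reload fail2ban:")
        print(ignoreip_snippet(ROUTER_IP))
```

The same parser can be pointed at the live `/var/log/fail2ban.log` to check whether a "connection timed out" from the LAN coincides with a ban of the gateway rather than a DNS or NAT problem.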
