**Hardware:** Zotac Zbox EN760 SFF PC
**YunoHost version:** 11.2.9.1
**I have access to my server:** Through the web admin panel and through SSH
**Are you in a special context or did you perform some particular tweaking on your YunoHost instance?:** no
**If your request is related to an app, specify its name and version:** not related to a specific app
Description of my issue
The user interface suddenly became inaccessible from my local network last night. I can still access the admin panel, diagnostics shows no issues, and there are no logs from around the time that this started occurring that I can yunopaste, sorry. I can access all user services from external connections, and hairpin NAT is still enabled on my EdgeOS router. I am able to access the services from my guest network, which has its own subnet and is isolated from my internal subnet.
Honestly I am unsure where to start troubleshooting. Most of the forum posts about this issue suggest adding manual DNS entries in local devices' hosts files, but this is not a viable solution for me as I have a number of embedded devices, and devices that roam between internet connections, that need to access YunoHost services. I can set up a local DNS server if necessary, but I would prefer to avoid it if possible. My best guess is that something in YunoHost is seeing the request from a local IP and is blocking it.
This is really confusing me as it worked yesterday (and for 2 years before that) with no issues, and no configurations changed during this time. I have rebooted both my router as well as my Yunohost machine but it does not seem to make any difference.
I have rebooted the server twice, rebooted my router once, and cleared all cache and cookies on my browser. Unfortunately none of these have had any effect.
If I click on "user interface" in the admin panel while accessing it from the local IP, or if I navigate to my domain name while connected to the same subnet/VLAN as the server, Firefox gives me the error "connection timed out". This persists in private mode, and the Firefox console simply says "This error page has no error code in its security info". It also persists across many devices, so I doubt it is browser related. There is no error message that I can find in any console or log file.
When hairpin is disabled the domain name directs me to the router's configuration page. When re-enabled it reverts back to the conditions described in my prior post.
When I ping my domain name I get sub-millisecond replies from my public/WAN IP address.
NSlookup returns my public IP as a reply. I do not have any sort of local nameserver, all of the devices on my network use public nameservers.
If my understanding is correct, the local client will send its request to the public IP, which is my router. Then, because hairpin NAT is enabled, the router will check its port forwarding table and forward my request to the correct local IP for that port.
I could set up a local nameserver and use .local addresses, but this would not solve the issue of roaming devices that only spend some of their time on the network as reconfiguration would be required for all of the separate client applications every time they join or leave the local network.
From a technical perspective I am having trouble seeing why local devices couldn't use the local domain name with hairpin NAT. This was working previously for years and there was no configuration or firmware change on either the YunoHost system or any of my network devices when this issue arose. I suppose it is possible that my ISP pushed some sort of update to their modem, but as my EdgeOS router has my WAN IP assigned to it, local requests for that IP shouldn't even make it to the modem.
Thanks for your help. This solved it. I am not sure why this was necessary as it worked before, but it is working now in any case. Though there are some issues with applications such as Firefox that are often configured to use their own DNS, but that is not insurmountable on my end.
Unfortunately I may have spoken too soon: while it was working in my initial testing, it reverted back to failing again within a few minutes, and has been in and out since then.
Honestly this is somehow more confusing than it was before.
NSlookup shows the domain pointing to the correct internal IP from the router's nameserver.
The services are still consistently accessible from my guest network and WAN.
The ones that I can reboot without taking services down, yes (I will need to schedule those). On the ones that I couldn't, I flushed the DNS cache. It is intermittent across all clients I have tried. I will give it a day and check back in to try and rule out cache issues.
When you mention domain name: which one? I read "local", do you mean .local or the regular FQDN with a local IP in public DNS?
I'm not familiar with EdgeOS devices. Could they have an option enabled (via a recent update) that prevents DNS-rebind attacks? (It would not really explain the case where access via guest is still possible; perhaps different rules for guest networks.)
Does nginx's access log show anything while trying to access the SSO page? Or a picky fail2ban filter? Does your router have complicated firewall rules, or an interface to view logging?
This led to a reset on all authorized clients. A Nextcloud Android app with auto-upload enabled was making endless authentication attempts, causing a fail2ban block on the IP, in this case my router's IP, which was sending all the LAN requests due to hairpin NAT. I was able to discover this as the issue followed that Android device.
I had considered fail2ban before, but based on this YunoHost documentation page and SSH being unaffected, I ruled it out initially, as I believed that fail2ban only affected SSH connections, which is not the case.
Manually removing the IPs from jail (as well as adding a whitelist entry for my router's IP for future resiliency) has solved the issue.
I have also removed my local DNS server so that I have 1 less service to manage, but I am sure it would have continued to work fine with it in place.
I will report back if I run into further issues, but I do not expect any.
Thanks to everybody for their help it is greatly appreciated!
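The root cause in the post above is worth seeing mechanically: with hairpin NAT every LAN client reaches the server with the router's address as its source, so fail2ban counts one misbehaving client's failures against an IP shared by the whole LAN, and an ignoreip whitelist entry is what keeps that IP from ever being banned. The script below is an added example, not code from the original thread or from YunoHost or fail2ban; it replays fail2ban-style per-IP counting over constructed nginx access-log lines. The login path `/yunohost/sso/`, the 401 status for a failed login, the jail parameters (maxretry 5, findtime 10 minutes) and the router address 192.168.1.1 are all assumptions for the demo.

```python
"""Replay fail2ban-style per-IP failure counting over nginx access-log lines.

Added, constructed example; not YunoHost's or fail2ban's own code. Assumes a
failed SSO login shows up as "POST /yunohost/sso/..." with a 401 status in
nginx's combined log format, and that the router's LAN address is 192.168.1.1.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed jail parameters (fail2ban's defaults are maxretry=5, findtime=10m).
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)

# Combined-format line whose request is a failed (401) SSO login POST.
FAIL_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /yunohost/sso/[^"]*" 401 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log: with hairpin NAT every LAN client is rewritten to the
# router's address, so a single Nextcloud client retrying auto-upload looks
# like 192.168.1.1 hammering the SSO endpoint. 203.0.113.7 is an unrelated
# external client with one failed login. The GET/200 line is a successful
# page load and must not count.
ACCESS_LOG = """\
192.168.1.1 - - [10/Jan/2024:21:00:01 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Nextcloud-android/3.27"
192.168.1.1 - - [10/Jan/2024:21:00:03 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Nextcloud-android/3.27"
203.0.113.7 - - [10/Jan/2024:21:00:05 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Mozilla/5.0"
192.168.1.1 - - [10/Jan/2024:21:00:07 +0000] "GET /yunohost/sso/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.1 - - [10/Jan/2024:21:00:09 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Nextcloud-android/3.27"
192.168.1.1 - - [10/Jan/2024:21:00:12 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Nextcloud-android/3.27"
192.168.1.1 - - [10/Jan/2024:21:00:15 +0000] "POST /yunohost/sso/ HTTP/1.1" 401 150 "-" "Nextcloud-android/3.27"
"""


def is_ignored(ip, ignoreip):
    """True if ip matches any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=()):
    """Return {ip: ban_timestamp} for IPs with >= maxretry failures inside findtime.

    Mirrors fail2ban's sliding window: a failure only counts while it is no
    older than findtime relative to the newest failure from the same IP.
    """
    window = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful requests and non-login paths never count
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if ip in bans or is_ignored(ip, ignoreip):
            continue  # already banned, or whitelisted via ignoreip
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    print("banned without whitelist:", sorted(find_bans(ACCESS_LOG)))
    whitelisted = find_bans(ACCESS_LOG, ignoreip=["127.0.0.1/8", "192.168.1.1"])
    print("banned with router whitelisted:", sorted(whitelisted))
```

Without the whitelist the router's address is banned on its fifth failure, which is what took the SSO page down for every LAN client while guest and WAN clients (different source addresses) were unaffected. On a real box the equivalent operations are `fail2ban-client status <jail>` to list banned IPs, `fail2ban-client set <jail> unbanip <ip>` to release one, and an `ignoreip` entry in `jail.local` for the router's LAN address (the jail name on a YunoHost install is left as a placeholder here).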