Accessing services on NAS with DDNS from LAN not working Turris Omnia

I am using a Turris Omnia with OS 3.10.5 and I have a Synology DS216+II NAS connected.

When I access the NAS services from outside of home with the DDNS address it works fine, I can use the services like the Moments-App on my iPhone to backup e.g. the pictures. But when I’m in the internal LAN it doesn’t work when I try to access via the DDNS address, I have to use the internal IP 192.168.1.107 to get it to work. That is not feasible, because if I configure it with the internal IP it won’t work when I’m not home.

Any ideas? NAT loopback option is checked in the different port forwards… The same setup works fine when I connect my other router (Netgear R7800 with DD-WRT).

Hi,
can you reach your NAS at all from your home network when using the DDNS address? E.g. if you have a (temporarily) enabled port forward from WAN port 80 to port 5000 on 192.168.1.107, can you access the Syno DSM login page via http?
Can you access other hosts on the same DDNS domain?
I have a 214+ and everything worked as expected when I tested it for using Drive. However, I decided the Syno applications are not what I wanted and I disabled all of them. Moreover, I only use OpenVPN or ssh to access my home network.

No, it doesn’t work:

If I e.g. try to access from my LAN: https://my-DDNS-address.me:5001
I don’t get access.

If I type https://192.168.1.107:5001
it works.

From an external access/WAN it works… just not in the internal LAN…

Ok, to me this sounds like a DNS resolving problem in your LAN. Did you check access from devices on your LAN other than the iPhone? Can you ping/traceroute your DDNS host from your LAN? Which DNS server is configured for your phone?


I found the issue: it seems to be a problem with VPN policy based routing and/or the OpenVPN client connection. I have an OpenVPN connection open in the Turris Omnia that is used only from one client by policy based routing (it's not the computers that have problems accessing the DDNS from the LAN and also not the Synology NAS), all other computers/phones go over the normal WAN. When I disable the OpenVPN connection and policy based routing it works… Will be hard to figure out why it is not working with this setup…

It seems only to be an issue of the OpenVPN client connection of the Turris Omnia. When I enable the VPN connection, access via the DDNS address is lost within the LAN (working from WAN/external access), no matter if VPN policy based routing is activated or not.

Does anybody have an idea how to solve this?

Did you set up static hosts via kresd (→ link) for your Syno DDNS address? That way the access is not running via external DNS but directly via TO DNS. Maybe that solves your issue.

Hi ssdnvv

thank you for your reply. I didn’t try that yet. What entry do I have to add to

/etc/kresd/custom.conf

for my DDNS-address? It isn’t explained in detail.

Thanks for your help!

If the LAN address is static, just add the name-address pair to a hosts-like file https://doc.turris.cz/doc/en/public/dns_knot_misc#adding_static_address_records

In /etc/hosts enter 192.168.1.107 my-DDNS-address.me and add a blank row below.

In /etc/config/resolver in section config resolver 'kresd' add the following row

	list hostname_config '/etc/hosts'

Afterwards execute /etc/init.d/resolver restart and test via ping; you should now be routed directly to 192.168.1.107 when trying to access my-DDNS-address.me
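
Before restarting the resolver it is worth confirming that both edits of the procedure above are actually in place. The following shell check is an added example, not from the thread or the Turris project: it parses /etc/hosts and /etc/config/resolver (the paths from the thread), looks for the name/IP pair and the hostname_config line in the 'kresd' section, and also verifies the trailing newline that the "blank row below" guarantees; the file contents in the demo are constructed copies using the thread's placeholder name my-DDNS-address.me.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the kresd static-host override
# before running /etc/init.d/resolver restart. Paths /etc/hosts and
# /etc/config/resolver and the name my-DDNS-address.me come from the thread;
# the sample file contents written by demo() are constructed.

# check_hosts_entry FILE NAME IP
# 0 = FILE maps NAME to IP and its last line is newline-terminated (what the
# "blank row below" in the thread guarantees); 1 = entry missing; 2 = no newline.
check_hosts_entry() {
    awk -v ip="$3" -v name="$2" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }' "$1" || return 1
    # $(...) strips trailing newlines, so an empty result means the file ends with one
    [ -z "$(tail -c 1 "$1")" ] || return 2
}

# check_resolver_cfg FILE
# 0 = the 'kresd' section lists /etc/hosts as a hostname_config; 1 = it does not.
check_resolver_cfg() {
    awk '
        $1 == "config" && $2 == "resolver" { in_kresd = ($3 ~ /kresd/) }
        in_kresd && $1 == "list" && $2 == "hostname_config" && $3 ~ /\/etc\/hosts/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# check_static_override HOSTS_FILE RESOLVER_FILE NAME IP: 0 only if both checks pass
check_static_override() {
    check_hosts_entry "$1" "$3" "$4" && check_resolver_cfg "$2"
}

# Stand-alone demo on constructed copies; on the router you would run
#   check_static_override /etc/hosts /etc/config/resolver my-DDNS-address.me 192.168.1.107
demo() {
    dir=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.1.107 my-DDNS-address.me\n' > "$dir/hosts"
    printf "config resolver 'kresd'\n\toption forks '1'\n\tlist hostname_config '/etc/hosts'\n" > "$dir/resolver"
    rc=0
    check_static_override "$dir/hosts" "$dir/resolver" my-DDNS-address.me 192.168.1.107 || rc=$?
    rm -rf "$dir"
    case $rc in
        0) echo "override complete: restart the resolver, then ping my-DDNS-address.me" ;;
        1) echo "hosts entry or hostname_config line missing" ;;
        2) echo "/etc/hosts lacks the trailing newline (blank row) the thread says kresd needs" ;;
    esac
    return $rc
}
demo
```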

I tried, doesn’t work… :frowning:

Did you add the blank row below the last row in /etc/hosts? Without that it won't work.
Please post your /etc/hosts and /etc/config/resolver files.

Yes, I entered a blank row. The problem only is there when I open the OpenVPN connection (even though the affected clients aren’t routed through the VPN tunnel)

Here are the files:

/etc/hosts (there is a single blank row at the end, the post doesn’t show it. And I anonymized the ddns address in this post)

127.0.0.1 localhost
192.168.1.107 XXXXXXXXX.me

/etc/config/resolver

config resolver 'common'
	list interface '0.0.0.0'
	list interface '::0'
	option port '53'
	option keyfile '/etc/root.keys'
	option verbose '0'
	option msg_buffer_size '4096'
	option msg_cache_size '20M'
	option net_ipv6 '1'
	option net_ipv4 '1'
	option prefered_resolver 'kresd'
	option prefetch 'yes'
	option static_domains '1'
	option dynamic_domains '0'
	option forward_upstream '0'
	option ignore_root_key '0'

config resolver 'kresd'
	option rundir '/tmp/kresd'
	option log_stderr '1'
	option log_stdout '1'
	option forks '1'
	option keep_cache '1'
	list hostname_config '/etc/hosts'

config resolver 'unbound'
	option outgoing_range '60'
	option outgoing_num_tcp '1'
	option incoming_num_tcp '1'
	option msg_cache_slabs '1'
	option num_queries_per_thread '30'
	option rrset_cache_size '100K'
	option rrset_cache_slabs '1'
	option infra_cache_slabs '1'
	option infra_cache_numhosts '200'
	list access_control '0.0.0.0/0 allow'
	list access_control '::0/0 allow'
	option pidfile '/var/run/unbound.pid'
	option root_hints '/etc/unbound/named.cache'
	option target_fetch_policy '2 1 0 0 0'
	option harden_short_bufsize 'yes'
	option harden_large_queries 'yes'
	option qname_minimisation 'yes'
	option harden_below_nxdomain 'yes'
	option key_cache_size '100k'
	option key_cache_slabs '1'
	option neg_cache_size '10k'
	option prefetch_key 'yes'

config resolver 'unbound_remote_control'
	option control_enable 'yes'
	option control_use_cert 'no'
	list control_interface '127.0.0.1'

I suspect the usual VPN setup gives you DNS through VPN and not DNS provided by local network (local Omnia).

But if that is the case, why can't I access the dyn DNS address from inside the LAN? (But I can access it over external access from outside.)

The dyn DNS is correctly linked to my WAN IP (not the VPN tunnel IP).

AFAIK you can attack this either on IP level or on DNS level. I wouldn’t mix those two. For the DNS way I wrote what I’d expect to be your stumbling point (that your override for the name doesn’t work). I know the IP forwarding stuff too little to be of much help. Well, I don’t know VPNs well either; I’m sorry :slight_smile: Around this I mainly know DNS itself.

There's only one answer to that as far as I know and it is not trivial, in part because "from inside the LAN" is not a completely specified scenario. But if you consider how this works you will see the answer is at some level not complicated, yet may need some diagnostic effort on your part.

Any device you use, in any context, has a configured nameserver (DNS) that it will use to resolve names. It's usually provided by the ISP, but on my Omnia for example I have kresd acting as the nameserver to all LAN devices. Still, the idea is simple: the DNS that your device is using either has your DDNS name known to it, or not.

So the first question is, what DNS are you using?

From the WAN, you probably have no say in the matter and are using whatever DNS was provided by either the LAN or WAP you're connected to when you have that experience. That it works though is a very good sign, suggesting that your DDNS updates are working, that the IP updates have propagated and reached nameservers across the world … that is the suggestion anyhow.

So, from your LAN, easy enough to test: just take your device and configure its DNS manually to point to, say, 8.8.8.8 (the open Google DNS) or 1.1.1.1 or 208.67.222.222 … quite a few options of globally available nameservers. Try configuring a LAN device to use that and see if it resolves your DDNS name.

On the basis of the first observation (that you have access from the WAN) my money says, yes, you'll have joy. And frankly if that's your only goal, just run with it and leave that DNS configured.

If, like many of us, you actually like other features of your default DNS, you may want to diagnose further. Namely on your LAN device, find out what DNS it's using. Each device will have its own way of revealing that, so easiest just to search on-line "How to work out what DNS I'm using on … device?" and you'll have an answer.

If you're anything like me, it might just be 192.168.0.1, which is a fairly ordinary place for the gateway, or the Omnia, to find itself on your LAN, but again there is no universal answer; it depends on your LAN configuration.

Either way, once you work out what that DNS is you can ask why it's not resolving the name. If you know it's kresd, there are some diagnostics you can do, and folk here can help you with that if it comes to it (I may be able to, as I've had to diagnose a few kresd issues in the past).

Of course if you’re on a VPN, you may find that your LAN device is using another DNS. From its IP you can find who owns it and runs it, just use an on-line tool for the job (plenty about). And you may find it’s the nameserver your VPN operates. In which case, time to contact them and ask them why their nameserver is not resolving your DDNS name.

Could be something as simple and banal as that they choose to block DDNS names in general or those with your DDNS name pattern … Service providers have a long history of trying to clamp down on spam and phishing sites by various means, including blacklisting of domains and even TLDs etc.