Foris and port 80/443 forwarding

Hi all,
I moved my TO to be the main router and I’m facing an issue with 80/443 traffic redirection to an LXC container. I have the following firewall rule:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.13.130'
        option dest_port '80'
        option name 'HTTP to DMZ'

My wan interface has a public IP address and I’m using DDNS - let’s say xyz.noip.me. The domain correctly resolves to the IP address. When I access the xyz.noip.me domain from outside, everything works fine.

However, when I try to access the domain from within the local network, Foris loads instead. I tried to modify /etc/lighttpd/lighttpd.conf to listen just on the internal IP address through:
server.bind = "192.168.1.1"

That stops Foris from loading; however, if I go to xyz.noip.me I’m asked to authenticate, so I assume lighttpd (or some other process) is still listening on the port. When I go to 192.168.1.1, Foris loads properly.

What should I do so that HTTP/HTTPS traffic from internal computers is also routed properly to the server in the DMZ, and Foris/LuCI listens on the private IP only?

Thanks.
Radek

The problem is that you’re resolving your xyz.noip.me name to the external IP address of your router. Now your internal PC is hitting that external IP, but it’s coming from the LAN network. The redirect rule you have there has option src 'wan', so it doesn’t activate.

You could try setting up another rule with source lan, destination external IP, port 80 and redirect it to your DMZ server. Though if your external IP address changes you’ll have to update the rule. Or the easier method would be to set up an internal DNS server and have xyz.noip.me resolve to the address in your DMZ. There are probably a dozen other solutions too; these two just came to mind first.

Thanks @scottjl - I thought about the DNS approach too. However, I cannot redirect all ports to that server, so that might be the last option to consider. And unfortunately the public IP can change (even though it usually stays the same) - e.g. just when I “promoted” my TO, the IP address changed …

The redirect rule from the lan zone works fine, so I’m thinking about a script which would be scheduled through cron and check the IP address - if it changed, the script would update the firewall rule. I already understand the firewall UCI syntax; however, I’m really new to iptables syntax, so I will have to learn how to add/remove or modify the rule if the IP address changes. Any hint would be appreciated.

Thanks.

I don’t have much time to learn the syntax and all the rules of iptables right now, so I’m thinking about replacing the IP address in the /etc/config/firewall file. Could you please check the script below and let me know if you can see any possible issues?

#!/bin/bash
SAVED_IP_FILE=/etc/saved_ip
FW_FILE=/etc/config/firewall
# Take the field after "src" rather than the last field: newer iproute2
# appends "uid 0" to the `ip route get` line, so $NF would yield "0".
MY_IP=$(ip route get 8.8.8.8 | awk '{for (i = 1; i < NF; i++) if ($i == "src") {print $(i+1); exit}}')
# A missing state file (first run) must not abort the script.
SAVED_IP=$(cat "$SAVED_IP_FILE" 2>/dev/null)
# On the first run, seed the saved value from the address currently in the rule,
# otherwise the sed below would look for src_dip '' and change nothing.
if [ -z "$SAVED_IP" ]; then
    SAVED_IP=$(sed -n "s/.*src_dip '\([0-9.]*\)'.*/\1/p" "$FW_FILE" | head -n 1)
fi

if [ -n "$MY_IP" ]; then
    if [ "$MY_IP" != "$SAVED_IP" ]; then
        OLD_TEXT="src_dip '$SAVED_IP'"
        NEW_TEXT="src_dip '$MY_IP'"
        LOG_MSG="Changing IP for firewall rules from $SAVED_IP to $MY_IP"
        logger "$LOG_MSG"
        sed -i "s/$OLD_TEXT/$NEW_TEXT/g" "$FW_FILE"
        /etc/init.d/firewall restart
        echo "$MY_IP" > "$SAVED_IP_FILE"
    fi
fi
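As an added example that is not part of the thread, the following script does what the two earlier posts describe (the lan-zone redirect with the router's external address as src_dip, kept current from cron) but edits the rule through uci instead of sed on /etc/config/firewall, so the firewall config is never rewritten by pattern matching. The rule name 'HTTP to DMZ (lan)', the DMZ host 192.168.13.130 and the state file path are assumptions, not values from the thread. The address parser walks the `ip route get` output to the field after "src", which avoids the trap of taking the last field, and the result is checked to look like an IPv4 address before anything is changed.

```shell
#!/bin/sh
# Added example (not the thread's script): keep a lan-zone DNAT redirect's
# src_dip equal to the router's current WAN address, managed via uci.
# Assumed values: rule name, DMZ host and state file (not from the thread).

STATE_FILE=/etc/saved_ip
RULE_NAME='HTTP to DMZ (lan)'
DMZ_HOST=192.168.13.130

# Print the address that follows "src" in `ip route get` output read on stdin.
# Taking the last field instead breaks on iproute2 builds that append "uid 0".
src_of_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

current_wan_ip() {
    ip route get 8.8.8.8 2>/dev/null | src_of_route
}

# Succeed only for a dotted quad with four numeric octets in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the uci section (e.g. @redirect[2]) whose name is RULE_NAME, else fail.
rule_section() {
    i=0
    while name=$(uci -q get "firewall.@redirect[$i].name"); do
        if [ "$name" = "$RULE_NAME" ]; then
            echo "@redirect[$i]"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Create the lan-side hairpin rule if it is missing, then point src_dip at $1.
ensure_lan_rule() {
    sec=$(rule_section) || {
        sec=$(uci add firewall redirect)   # prints the generated section id
        uci set "firewall.$sec.name=$RULE_NAME"
        uci set "firewall.$sec.target=DNAT"
        uci set "firewall.$sec.src=lan"
        uci set "firewall.$sec.dest=dmz"
        uci set "firewall.$sec.proto=tcp"
        uci set "firewall.$sec.src_dport=80"
        uci set "firewall.$sec.dest_ip=$DMZ_HOST"
        uci set "firewall.$sec.dest_port=80"
    }
    uci set "firewall.$sec.src_dip=$1"
    uci commit firewall
    /etc/init.d/firewall reload
}

main() {
    ip=$(current_wan_ip)
    if ! is_ipv4 "$ip"; then
        logger -t wanwatch "no usable WAN address found, leaving firewall alone"
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$ip" = "$old" ] && return 0
    logger -t wanwatch "WAN address changed from '${old:-none}' to $ip, updating '$RULE_NAME'"
    ensure_lan_rule "$ip" && echo "$ip" > "$STATE_FILE"
}

# Only touch the firewall on a box that actually has uci (i.e. the router).
if command -v uci >/dev/null 2>&1; then
    main
fi
```

Run it from cron every few minutes; because it compares against the saved address first, an unchanged IP costs one `ip route get` and no firewall reload. Before scheduling anything, it is worth checking whether the original wan redirect with `option reflection '1'` already gives working LAN access, since OpenWrt's fw3 then generates the equivalent lan-side rules itself and tracks the WAN address without any script.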