Can connect (telnet, dovecot, etc.) to my own server from an external network but not when I am on the same LAN

0

I have a server (mail - postfix+dovecot, web - apache) on a KVM guest where the host is on a local network behind a normal router (ZTE or whatever the ISP provided). The KVM guest has an IP on the same subnet as the host (wicked + network bridge on the host).

All works well if I try to access things while the client resides outside the LAN (like a mobile on a 4G link, or a completely different network).

The problem is that when I try to connect while the client is logged on to the same network as the server, it just times out.

So far I have disabled all firewalls and tried it... no luck. All port forwarding on the router works well, as everything is accessible from outside.

Any ideas? What can I try to see what actually goes wrong or where it gets stuck?

Dovecot calls don't even get logged on the server, nor do any packets seem to reach the server while the client is on the local network.

Apache works, though: I can see the website while on the local network, even though from the same computer I can't telnet to the server on port 80 or 443.

Boirebista

Posted 2018-12-11T14:55:41.523

Reputation: 1

https://wiki.mikrotik.com/wiki/Hairpin_NAT is one technical explanation of what probably goes wrong in your case. – user1686 – 2018-12-11T16:45:36.440

Answers

-1

What happens?

Your client is most likely trying to connect to the public IP of your ISP.

Most consumer modem/routers do not support loopback connections.

So what basically happens is that the request is sent to the modem, the modem sees an IP address that is not in the DHCP scope of the router and thinks: "Oh, this is for the internet." It sends the request out to the ISP, which immediately sends it back.

The modem is sending out the traffic at that moment, so the port is occupied and as such the connection times out.

On a loopback supported device, the modem is smart enough to understand the request was meant for itself and forwards the connection based on the port forwarding ruleset.

How to solve?

What you need to do is have your client use the local IP address instead of the public IP address.

Let's say your public IP address is 123.45.67.89 and the port forwarding is set to redirect port 1234 to IP 192.168.0.1; then instead of using 123.45.67.89, the client would need to connect to 192.168.0.1.

LPChip

Posted 2018-12-11T14:55:41.523

Reputation: 42 190

Indeed that works... but that would mean on my mobile I have to have 2 accounts set up for the same email account: first one that calls the mail server as mail.example.com and a second one that calls the mail server as 192.168.0.83 or whatever the local IP is. Any smarter server-side workaround available? Maybe a local DNS or something? I don't know much about those, but I'm just throwing it in here. – Boirebista – 2018-12-11T16:25:25.477

Well, yes, the necessary feature is called "loopback", but... Your description of "what actually happens" is way off the rails. IP routing isn't based on DHCP scopes; hosts and routers always recognize packets sent to their own IP address – that's not what "NAT loopback" is about; the port isn't "occupied" because the packet has already been sent before the ISP receives it; and the problem has nothing to do with it being occupied anyway – even if you assume a half-duplex link (unlike e.g. full-duplex Ethernet), the incoming packets will merely get buffered for a bit. – user1686 – 2018-12-11T16:38:50.797

@Boirebista: Yes, local DNS is the easiest way to implement LPChip's suggestion. Outside the network, mail.example.com points to the public address, but inside, your local DNS server overrides the reply with the internal address instead. Works regardless of router and doesn't have the issues that hairpin/loopback NAT would cause. – user1686 – 2018-12-11T16:49:04.293

@grawity Thanks. Guess I better start figuring out bind... had a few attempts at it but usually I managed to break everything with it. Thanks for pointing to the proper way. Upside is that it is good to learn something as well – Boirebista – 2018-12-11T17:12:05.443

@Boirebista: If your domain is already hosted from inside the LAN via Bind, use Bind's "views". If it's hosted externally and you only want to override some parts locally, easier to use Unbound. – user1686 – 2018-12-11T17:20:45.577

@grawity I have it set up on Cloudflare (all the DNS records there: A, CNAME, PTR, MX, TXT for SPF, DMARC, DKIM etc.). The calls on my domain hosted on Cloudflare are pointing to my server, which is on a KVM guest. (IPs on Cloudflare are updated through ddclient.) I'm quite confused about setting up the records properly for something I already set up records for on Cloudflare. Basically I just need a kind of forwarder. The way I visualize it, I need the router from my ISP to point to my server DNS (bind, unbound, whatever I manage to get going), which in turn points to the Cloudflare name servers. – Boirebista – 2018-12-11T18:37:18.863
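The hairpin-NAT page linked in the comments and the split-horizon DNS suggestion describe a packet path that is easier to see than to read about. The following is an added example, not part of the thread and not anyone's router firmware: a small packet-level model of one TCP SYN / SYN-ACK exchange that shows why a LAN client connecting to the router's public address gets nothing back when the router has no NAT loopback, why a loopback rule that only rewrites the destination (DNAT) still fails because the server's reply skips the router and arrives from the wrong address, what a proper hairpin rule (DNAT plus masquerade) does, and why a client that resolves the name to the LAN address never involves the router at all. All addresses are constructed: 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses standing in for the router's WAN address and a phone on 4G, 192.168.0.83 is the server address mentioned in the thread, and the router and client LAN addresses, the port numbers and the mode names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_IP = "203.0.113.5"      # router WAN address (assumed, RFC 5737)
ROUTER_LAN = "192.168.0.1"     # router LAN address (assumed)
SERVER_LAN = "192.168.0.83"    # dovecot guest (address from the thread)
CLIENT_LAN = "192.168.0.10"    # the phone on the home wifi (assumed)
CLIENT_WAN = "198.51.100.7"    # the same phone on 4G (assumed, RFC 5737)
IMAPS = 993
CLIENT_PORT = 51000
HAIRPIN_PORT = 40000           # source port the router uses when it masquerades


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "SYN" or "SYN-ACK" is enough to see whether the handshake can complete


class Router:
    """Port-forwards PUBLIC_IP:993 to SERVER_LAN:993.

    mode "none":      consumer router without NAT loopback
    mode "dnat_only": loopback rule that rewrites the destination but not the source
    mode "hairpin":   loopback rule that rewrites destination *and* source (masquerade)
    """

    def __init__(self, mode: str):
        assert mode in ("none", "dnat_only", "hairpin")
        self.mode = mode
        self.snat = {}  # (router LAN addr, port) -> (original client addr, port)

    def handle(self, pkt: Packet):
        if pkt.kind == "SYN" and (pkt.dst, pkt.dport) == (PUBLIC_IP, IMAPS):
            if in_lan(pkt.src) and self.mode == "none":
                # From the LAN side this is addressed to the router's own WAN IP;
                # nothing listens there and no forwarding rule matches: dropped.
                return None
            if in_lan(pkt.src) and self.mode == "hairpin":
                # Masquerade too, so the server's reply has to come back through us.
                self.snat[(ROUTER_LAN, HAIRPIN_PORT)] = (pkt.src, pkt.sport)
                return Packet(ROUTER_LAN, HAIRPIN_PORT, SERVER_LAN, IMAPS, "SYN")
            return Packet(pkt.src, pkt.sport, SERVER_LAN, IMAPS, "SYN")  # plain DNAT
        if pkt.kind == "SYN-ACK" and (pkt.src, pkt.sport) == (SERVER_LAN, IMAPS):
            if (pkt.dst, pkt.dport) in self.snat:      # hairpin reply: undo both rewrites
                dst, dport = self.snat[(pkt.dst, pkt.dport)]
                return Packet(PUBLIC_IP, IMAPS, dst, dport, "SYN-ACK")
            if not in_lan(pkt.dst):                    # reply to an Internet client: undo the DNAT
                return Packet(PUBLIC_IP, IMAPS, pkt.dst, pkt.dport, "SYN-ACK")
        return None


class Client:
    def __init__(self, ip: str):
        self.ip, self.expect, self.result = ip, None, "timeout: no reply"

    def connect(self, dst_ip: str) -> Packet:
        self.expect = (dst_ip, IMAPS)  # TCP only accepts a SYN-ACK from the address:port it sent to
        return Packet(self.ip, CLIENT_PORT, dst_ip, IMAPS, "SYN")

    def receive(self, pkt: Packet) -> None:
        if pkt.kind == "SYN-ACK" and (pkt.src, pkt.sport) == self.expect:
            self.result = "connected"
        else:
            # A real stack answers a SYN-ACK from the wrong address with RST and keeps
            # retransmitting its SYN; from the user's side it simply times out.
            self.result = (f"timeout: SYN-ACK from {pkt.src}:{pkt.sport}, "
                           f"expected {self.expect[0]}:{self.expect[1]}")


def server(pkt: Packet):
    if pkt.kind == "SYN" and (pkt.dst, pkt.dport) == (SERVER_LAN, IMAPS):
        return Packet(SERVER_LAN, IMAPS, pkt.src, pkt.sport, "SYN-ACK")
    return None


def simulate(mode: str, client_ip: str, dst_ip: str) -> str:
    """Walk one SYN / SYN-ACK exchange hop by hop and report what the client sees."""
    router, client = Router(mode), Client(client_ip)
    pkt, sender = client.connect(dst_ip), "client"
    for _ in range(6):  # a handful of hops is plenty; anything longer would be a loop
        if pkt is None:
            break
        # Hosts on the same subnet talk to each other directly; all else goes via the router.
        direct = in_lan(client.ip) and sender in ("client", "server")
        if pkt.dst == client.ip and (sender == "router" or direct):
            client.receive(pkt)
            break
        if pkt.dst == SERVER_LAN and (sender == "router" or direct):
            pkt, sender = server(pkt), "server"
        else:
            pkt, sender = router.handle(pkt), "router"
    return client.result


if __name__ == "__main__":
    for mode, who, target in [("none", CLIENT_WAN, PUBLIC_IP),
                              ("none", CLIENT_LAN, PUBLIC_IP),
                              ("dnat_only", CLIENT_LAN, PUBLIC_IP),
                              ("hairpin", CLIENT_LAN, PUBLIC_IP),
                              ("none", CLIENT_LAN, SERVER_LAN)]:
        print(f"{mode:9} client={who:13} dst={target:13} -> {simulate(mode, who, target)}")
```

The last row is the split-horizon DNS fix: the client keeps using mail.example.com, so one mail account is enough and the TLS certificate still matches the name, but the LAN resolver answers with 192.168.0.83. With Unbound that is a `local-zone: "example.com." transparent` plus `local-data: "mail.example.com. A 192.168.0.83"` in its config, while every other name under the domain is still looked up upstream; the Cloudflare records and ddclient are untouched. The hairpin row also shows the drawback user1686 alludes to: with the masquerade, the server sees every LAN client as 192.168.0.1, so Dovecot's logs, rate limits and any fail2ban-style rules lose the real client address.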