I need to let my untrusted VLANs connect to my web server. I added a rule to allow them access on 80 and 443, but that only works if they use the internal IP address.
When DNS hands the VLAN client the public IP, it does not trigger port forwarding to 192.168.86.105. I thought the firewall was blocking the request, thinking it was trying to hit the mgmt interface on 192.168.86.1, but other clients on 192.168.0/24 are able to get there via DNS.
I struggle with firewall rules. Is there a name for this I can google?
Can’t you just create a virtual NIC on your web server and assign it to the public VLAN?
For example, at home I have 3 separate VLANs: VLAN 1 for main traffic, VLAN 10 for IoT and VLAN 30 for guest.
So if I need to give some device access to IoT as well as the main network, I create two network cards (all of my services are running in a virtual environment). I assign the first network card to VLAN 1 and the second to VLAN 10. On a smart switch I set the physical port that goes to the VM hypervisor as untagged for (port uplink, port hypervisor) and tagged VLAN 10 for (port uplink, port hypervisor).
You can do something similar on bare-metal Linux by creating a second interface that uses your first one and assigning that virtual NIC VLAN 10.
I started to do that, but I don’t want to allow access to other containers on that server. Plus, the issue is with DNS and port forwarding. The VLAN networks can hit the webserver by internal IP, just not the public.
All of the VLANs and port forwarding are managed on the Ubiquiti firewall. I can hit the webserver from any of the other VLANs via the private IP. It only fails through the public IP.
No ports are forwarded to the VLANs, so I didn’t include them in the port forwarding setup. But it looks like they have to be included if they want to use the hairpin NAT. Once I added them, everything worked.
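The mechanism behind that fix, modelled as an added Python example (not code from the thread, from Ubiquiti, or from any firewall product): a port forward is a DNAT rule bound to the interfaces it is applied on. A packet from a VLAN addressed to the public IP is only rewritten to the internal server if the VLAN's interface is in that set; otherwise it is delivered to the router itself, which is why it looked like the request was hitting the management address. The model also goes one step beyond the thread with a caveat for clients on the server's own subnet, where hairpin NAT additionally needs a source rewrite. All addresses (RFC 5737 / RFC 1918), interface names and the topology are constructed assumptions.

```python
"""Model of interface-bound port forwarding (hairpin NAT), added illustration.

Assumptions (constructed, not from the thread): WAN_IP is the public address
that DNS hands out, SERVER is the internal web server, and the interface
names are placeholders for the firewall's WAN, main LAN and untrusted VLAN.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iif: str    # interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    iifs: frozenset  # interfaces the DNAT rule is applied to ("from" in the UI)
    dport: int
    target: str      # internal server the port is forwarded to


# Constructed topology (assumptions).
WAN_IP = "203.0.113.10"
SERVER = "192.168.86.105"
SUBNETS = {
    "eth0": ipaddress.ip_network("203.0.113.0/24"),    # WAN
    "br0": ipaddress.ip_network("192.168.86.0/24"),    # main LAN, holds SERVER
    "br0.20": ipaddress.ip_network("192.168.20.0/24"), # untrusted VLAN
}


def prerouting(pkt, forwards):
    """Apply the first matching DNAT rule, as a PREROUTING chain would.

    The rule only fires when the packet arrives on one of the rule's
    interfaces AND is addressed to the public IP on the forwarded port.
    """
    for fw in forwards:
        if pkt.iif in fw.iifs and pkt.dst == WAN_IP and pkt.dport == fw.dport:
            return replace(pkt, dst=fw.target)
    return pkt


def deliver(pkt, forwards):
    """Return where the packet ends up after NAT and routing.

    A packet still addressed to WAN_IP after PREROUTING is local to the
    router (nothing serves 80/443 there, or the management UI does);
    anything else is routed to that destination host.
    """
    pkt = prerouting(pkt, forwards)
    if pkt.dst == WAN_IP:
        return "router"
    return pkt.dst


def needs_hairpin_snat(pkt):
    """Clients on the server's own subnet need a source rewrite as well.

    With only DNAT, the server answers such a client directly on the same
    L2 segment, bypassing the router, so the client sees a reply from
    SERVER instead of WAN_IP and drops it. Clients on other VLANs route
    their replies back through the router, so DNAT alone is enough.
    """
    return ipaddress.ip_address(pkt.src) in SUBNETS["br0"]


if __name__ == "__main__":
    wan_only = [PortForward(frozenset({"eth0"}), 443, SERVER)]
    with_vlans = [PortForward(frozenset({"eth0", "br0", "br0.20"}), 443, SERVER)]
    vlan_client = Packet("br0.20", "192.168.20.50", WAN_IP, 443)
    print("VLAN -> public IP, WAN-only rule :", deliver(vlan_client, wan_only))
    print("VLAN -> public IP, VLANs included:", deliver(vlan_client, with_vlans))
    print("VLAN -> internal IP              :",
          deliver(Packet("br0.20", "192.168.20.50", SERVER, 443), wan_only))
```

Run it as-is to see the three cases from the thread: the VLAN client reaching the public IP lands on the router until the VLAN interface is added to the rule, while the internal IP works either way because no NAT is involved.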