[SOLVED - hairpin NAT] Accessing self hosted website from home network. What's going on here?

So I’m hosting photoprism from my home network over https using caddy. My domain is pointed at my public IP address, ports are forwarded, and site is accessible from outside my network. All is well.

When I try to access this site, via my domain name, I either get shown the admin interface for my mikrotik router over http (I have since disabled the web interface completely) or get an ‘unable to connect’ error.

Ping times to my domain name are <1ms, likely a result of DNS caching. I suspect my router is the culprit. I’m sure this is a common problem and just some misconfiguration of my router. Any advice on where I should look?

1 Like

The way you describe your setup sounds correct. You usually point the DNS to the public IP and make a port forward in the router to the device hosting the webserver. When you reached your router login page accessing the DNS I would guess you were forwarded to the right place. My guess is that either the port forward is not correct (have you forwarded port 80 to port 80 on the webserver and port 443 to port 443 on the webserver?), or there is an option with your router that it wants to show its own admin interface on these ports like it did and you need some kind of override?

By the way, maybe check that your router is in fact configured and behaving like you intend it to: this behavior, where it shows the admin interface on the WAN port and not on LAN only, is rather atypical for a home router. So maybe check that those things are configured correctly.

1 Like

In theory I’ve got firewall rules in place that only serve the admin interface over the LAN. That’s why I suspect that the router is somehow caching the DNS entry and going “oh, this is for me from a LAN client” and serving the admin portal.

Does your router act as the local DNS server and does your computer use it as such?

1 Like

That’s not a typical home router; you may need to go to ip/services and change the www port to something else. I don’t remember the exact details, I switched to pfSense some time ago.

2 Likes

That makes sense, I’ll give that a shot when I get home :+1:

No, I use 1.1.1.1. It does do DNS caching, though.

Mikrotik has some rather “interesting” defaults. I would thoroughly go through your ports, firewall rules, DNS settings, and admin console settings and make sure that everything is doing what it is supposed to be doing. Last time I set one up it was a bit of a chore.

2 Likes

Changing the port of the admin portal didn’t change the behavior :man_shrugging:

Have you flushed your local DNS cache as well? Also sounds like something else is going on if you keep hitting that webGUI.

1 Like

Are you testing from within the network? You should try your phone on 4G. NAT loopback can be an issue.

I’ve had the same issue with my EdgeRouter. In the end I solved it by changing the webadmin port, turning on hairpin NAT, and in the router DNS I’ve set the IP address of the webserver for the same domain as my website so it doesn’t have to go through the internet.

1 Like

I should clarify that ‘didn’t change the behavior’ just meant that I still couldn’t access the hosted page from inside my network. Accessing the web UI (when I turned it back on) did behave normally and it was no longer served as a response to the domain name.

Access is just fine from outside my network.

I’ve been reading about hairpin NAT for the last few minutes, sounds like that is what I am missing.

1 Like

Yeah, sounds similar to what I had when setting up a Plex server on my network…
Hairpin NAT settings fixed that for me, you could try that! Here’s the information you need to set it up. :slight_smile:

https://help.mikrotik.com/docs/display/ROS/NAT

3 Likes

The creation of the proper NAT rules (lan-to-lan masquerade and lan-to-lan dstnat) has solved the problem. And my understanding of basic networking improved that much more. Thanks all!

1 Like
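For anyone landing here with the same problem, here is what the "lan-to-lan dstnat" plus "lan-to-lan masquerade" pair from the post above looks like on the RouterOS command line. This is an added example, not configuration from the thread or from MikroTik's documentation, and every address and interface name in it is assumed: public IP 203.0.113.5, LAN 192.168.88.0/24, web server 192.168.88.20, router LAN address 192.168.88.1, WAN on ether1 and the LAN bridge named bridge.

```routeros
# Added example (not from the thread). Assumed values:
#   public IP 203.0.113.5, LAN 192.168.88.0/24, PhotoPrism host 192.168.88.20,
#   router LAN address 192.168.88.1, WAN interface ether1, LAN interface bridge.
/ip firewall nat
# 1. Port forward. Match on the public address, not on in-interface=ether1:
#    a LAN client connecting to 203.0.113.5 arrives on the bridge, so an
#    interface-scoped rule would skip it and the packet would end up at the
#    router's own services (which is how the admin page showed up in the thread).
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.88.20 comment="photoprism: forward 80/443"
# 2. Hairpin. For LAN clients that hit the server through the forward above,
#    rewrite the source to the router's LAN address so the server's reply goes
#    back through the router (which undoes both translations). Without this the
#    server answers the client directly from 192.168.88.20, the client is waiting
#    on a reply from 203.0.113.5, and the connection fails ("unable to connect").
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.20 protocol=tcp dst-port=80,443 out-interface=bridge action=masquerade comment="photoprism: hairpin"
# 3. Ordinary outbound masquerade (normally already present on a home router).
add chain=srcnat out-interface=ether1 action=masquerade comment="default masquerade"

# Check 1: the hairpin rule's packet counter should climb while a LAN client
# browses to the domain name.
/ip firewall nat print stats where comment~"hairpin"
# Check 2: the connection should carry both the d (dstnat) and s (srcnat) flags.
/ip firewall connection print where dst-address~"203.0.113.5"
```

Two things worth checking against your own setup: the server sees hairpinned connections as coming from 192.168.88.1, so any per-client logging or rate limiting on PhotoPrism or Caddy will lump all LAN users together; and if your public IP is dynamic, replace the fixed `dst-address` with an address list that your DDNS script keeps current rather than using `dst-address-type=local`, which would also match connections to the router's own LAN address and forward management traffic to the web server.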

TIL, thank you!

1 Like

Another thing you can do is set up domain overrides on your local DNS server to point your domain name to the local IP of the server rather than getting the public IP address from an external DNS server.

2 Likes
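The DNS override suggested above avoids the NAT round trip entirely: LAN clients resolve the site's name to the server's private address, and because the name is unchanged the TLS certificate Caddy serves still matches. As an added example (not from the thread), this is the RouterOS form of that override, with the same assumed server 192.168.88.20 and router 192.168.88.1 and a hypothetical hostname photos.example.com. The catch the thread's poster would run into is noted in the comments: clients pointed straight at 1.1.1.1, as theirs were, never ask the router and so never see the override.

```routeros
# Added example (not from the thread). Assumed values: PhotoPrism host
# 192.168.88.20, router LAN address 192.168.88.1, WAN interface ether1,
# hypothetical hostname photos.example.com, upstream resolver 1.1.1.1.
/ip dns set allow-remote-requests=yes servers=1.1.1.1
# Static answer for LAN clients; the public DNS record keeps the public IP.
/ip dns static add name=photos.example.com address=192.168.88.20 comment="split-horizon: LAN clients go direct"
# Hand the router out as the resolver. Clients configured with 1.1.1.1 directly
# (as in the thread) bypass the override and still get the public address.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1
# allow-remote-requests=yes answers on every interface, so drop DNS from the WAN
# side unless your input chain already drops unsolicited WAN traffic; otherwise
# the router becomes an open resolver.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Check from the router's terminal: expect 192.168.88.20, not the public IP.
:put [:resolve photos.example.com]
```

After applying it, flush the client's resolver cache (the thread already raised that) and confirm with a lookup from a LAN machine that the name now returns 192.168.88.20; a lookup from a phone on mobile data should still return the public address.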