Can't access nextcloud via DNS from local device

I recently got a new router at the behest of my ISP, and am now having difficulty connecting to the Nextcloud web interface via my DNS name on my desktop (connecting via IP works fine).

At first I thought it was an NAT hairpinning thing, but all my other devices (laptop and phone) are connecting fine, even on the same network, and indeed my desktop is connecting perfectly when on Wi-Fi and NOT ethernet.

Does anyone have an idea what this could be? Any help would be appreciated, thanks

If you installed fail2ban with the specific nextcloud rules, you should check that. I already had this issue.

Thanks for the reply. I haven’t installed fail2ban, actually I don’t even think it’s included in TrueNAS Core. Basically for my setup I have the Nextcloud jail running with Nginx Proxy Manager on an Ubuntu VM for the reverse proxy.

A question concerning your NC config:

Do you have the following entries
1)

'trusted_domains' => 
  array (
    0 => 'x.x.x.x',
    1 => 'your.nextcloud.domainname',
  ),

where x.x.x.x is the local IPv4 address of your NC server (not the reverse proxy IP!!)

2)

'trusted_proxies' => 
  array (
    0 => 'y.y.y.y',
  ),

where y.y.y.y is the local IPv4 address of your nginx reverse proxy

If one of the two is missing in your config - please append it and reboot → retry

Sorry, missed this reply! Yes, I’ve triple checked all the config files, domains and IPs.

It’s also worth noting that accessing via ethernet works fine when I enable my VPN.

So to recap, I can access it-
via DNS on my laptop and phone,
via DNS on desktop with Wi-Fi,
via DNS on desktop on ethernet (with VPN),
via IP address on desktop

I cannot access it-
via DNS on desktop ethernet with no VPN.

So it seems to be a problem not with my nextcloud server, but either with my router or my windows desktop. I’ve tried auto IP, static IP, checked all my config files, checked and flushed my DNS cache, tried on various browsers, successfully pinged and probed my server with a variety of tools, tried multiple ethernet ports, checked my DNS settings, ran a route trace on both the DNS and the IP, etc.

I’m aware of a “security” feature implemented in some routers, e.g. the popular German Fritzbox, which prevents DNS requests to IP addresses inside of the local network. Search for “rebind protection”.

I understand you tried a lot and given the fact

there is no reason to have access with IP but no access with DNS. I assume you double and triple checked that DNS resolves to the right IP. Then continue from here and check your browser console (F12) to see if it connects to the right IP - browsers today often prefer IPv6, which could result in strange issues - maybe you find issues… On the other side, check the server logs (application, reverse proxy) to verify the request arrives at the application, and track further if there are errors in the log.

The browser console doesn’t seem to display anything, not even an IP. In Firefox I get a note saying “This error page has no error code in its security info”

I’ve looked for rebind protection on my router but no luck yet. I’ll ask support.

I also checked the settings of my network switch, which is a Netgear XS708Ev2. There’s one called “loop protection” which seemed promising, but enabling it didn’t seem to make a difference. I didn’t think of it being a switch problem, but since it seems to be related to ethernet it could very well be.

After more tests and configuration, I’m pretty confident that it’s a NAT loopback/hairpin routing issue in my router. I have a new Arris G34 and apparently it doesn’t support this feature, though I’m continuing to look into it.
Does anyone know a good workaround that doesn’t involve me getting a new router?
Thanks

Configure internal clients to access your public DNS using the local IP address (known as “split brain DNS” or “split horizon DNS”).

You can configure the hosts file on Mac/PC… but there is no good alternative for mobile clients. You can install a local DNS server like Pi-hole or AdGuard Home to cover all internal clients…
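The hosts-file form of the split-horizon workaround suggested above, as an added example that is not part of the original thread: it classifies what a LAN client resolved for the server name and rewrites hosts-file text so the name points at the server's LAN address. The hostname, addresses and subnet are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (not from the thread): name, WAN address, LAN layout.
NAME, LAN, SERVER = "cloud.example.net", "192.168.1.0/24", "192.168.1.50"
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "# old test entry\n"
    "203.0.113.10 cloud.example.net old.example.net\n"
)

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            ip = str(ipaddress.ip_address(fields[0])) if len(fields) > 1 else None
        except ValueError:
            ip = None  # malformed address: ignore the line
        for host in fields[1:] if ip else []:
            table.setdefault(host.lower(), ip)
    return table

def diagnose(resolved, server_lan_ip=SERVER, lan=LAN):
    """Classify the addresses a LAN client got back for the server's name."""
    net = ipaddress.ip_network(lan)
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if not addrs:
        return "no-answer"
    if ipaddress.ip_address(server_lan_ip) in addrs:
        return "split-horizon-ok"      # traffic stays on the LAN
    if any(a not in net for a in addrs):
        return "needs-hairpin-nat"     # client is sent to the router's WAN side
    return "unexpected-answer"         # some other LAN host

def with_override(text, name=NAME, server_lan_ip=SERVER):
    """Return hosts text in which `name` maps only to the server's LAN address."""
    ipaddress.ip_address(server_lan_ip)  # reject a malformed address early
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        hosts = fields[1:]
        if name.lower() in (h.lower() for h in hosts):
            others = [h for h in hosts if h.lower() != name.lower()]
            if others:                   # keep the other names on that line
                kept.append(" ".join([fields[0]] + others))
            continue
        kept.append(line)
    kept.append(f"{server_lan_ip}\t{name}")
    return "\n".join(kept) + "\n"
```

On Windows the hosts file is `C:\Windows\System32\drivers\etc\hosts` and editing it requires an elevated editor; the override only affects the machine it is written on.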

This worked perfectly! Thanks for your reply!! Luckily I won’t need a mobile client because my phone and laptop seem to connect fine.
