How can I access my self-hosted Nextcloud locally using a DuckDNS domain without keeping ports open?

I have a Raspberry Pi 4 running Docker containers for Nextcloud, Nginx Proxy Manager (NPM), and Pi-hole. Everything is working fine externally with a DuckDNS domain and port forwarding (80/443 open on my TP-Link router). But for security reasons, I want to disable external access and keep Nextcloud available only on my local network, still using the same domain.

Here’s what I’ve done so far:

  • DuckDNS domain points to my external IP.
  • Pi-hole is running and set as the DNS server in my TP-Link router.
  • I added a Local DNS Record in Pi-hole to resolve the domain (mydomain.duckdns.org) to the Raspberry Pi’s local IP.
  • All containers are on the same default Docker network.
  • When I close the ports on the router, I can’t access Nextcloud anymore—even though nslookup shows the local IP correctly.

My goal is to use a single DuckDNS domain that:

  • Works internally when ports are closed (LAN access only)
  • Still works externally if I temporarily open ports (e.g., temporarily sharing photos with other people)

Any ideas what I’m missing? Is this a reverse proxy or SSL issue? Do I need to change something in NPM?

From your description it should work, and without logs it’s hard to know what is wrong. I could think of caching, where your browser or OS keeps connecting to the previous public IP for some time. Maybe they even ignore the local DNS (keyword DNS-over-HTTP).

If you want to understand what happens, perform systematic troubleshooting:

  • check DNS (you did already)
  • clear DNS cache (don’t forget your router’s DNS cache)
  • review browser console logs (F12) to see which IP it uses
  • review server and reverse proxy logs

In general I would not recommend following your approach. Fiddling with ports on a regular basis sounds complicated (and introduces issues with letsencrypt if the system is not accessible for certificate refresh). I would rather recommend you follow reasonable security recommendations, “How to maintain, check and improve the security of your Nextcloud installation”, and optionally use a security tool like fail2ban or crowdsec, and definitely don’t forget “101: backup what and why (not how)” - this should be “secure enough” for most installations.
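The "check DNS" and "which IP does the client use" steps from the reply above, as an added example that is not part of the original posts: it resolves the name through the OS resolver, labels every answer as LAN-side or public, and tests port 443 on each. `mydomain.duckdns.org` is the placeholder from the question, and the function names are made up for this example.

```python
import ipaddress
import socket
import sys


def classify(addresses):
    """Split resolved addresses into (lan, public) lists."""
    lan, public = [], []
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 zone id
        (public if ip.is_global else lan).append(str(ip))
    return lan, public


def verdict(addresses):
    """Summarise where this client would connect for the name."""
    lan, public = classify(addresses)
    if not addresses:
        return "no-answer"
    if lan and public:
        return "mixed"  # some answers still point outside the LAN
    return "public-only" if public else "lan-only"


def resolve(name, port=443):
    """Ask the OS resolver, the same path most applications use."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reachable(ip, port=443, timeout=3):
    """True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Placeholder name from the question; pass the real one as argv[1].
    name = sys.argv[1] if len(sys.argv) > 1 else "mydomain.duckdns.org"
    addrs = resolve(name)
    print(f"{name}: {verdict(addrs)}")
    for addr in addrs:
        state = "open" if reachable(addr) else "unreachable"
        print(f"  {addr} port 443 {state}")
```

This reports what the OS resolver returns; a browser that uses its own resolver can still get a different answer, which is why the reply also suggests checking the browser console.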

Hello,
I have the same setup as you, except I use traefik as reverse proxy and dnsmasq as a DNS server.
First you must check that you use the DNS challenge of Let’s Encrypt if you don’t want to expose any ports. In my case I have chosen to renew the certs manually with a script and give them to traefik. I made certs for *.mydomain.duckdns.org and I declare each address from my services in my DNS config file. There are generally some custom changes to make in the DNS config to avoid loopback, etc. Finally, maybe check your firewall settings.
Personally I have also struggled with my ISP router and its IPv6 management.
