Hello,
I have recently been setting up my first EdgeRouter. Most of it works the way we anticipated, although there is a small glitch (as usual). I have a few servers published using NAT, and everything works fine from outside, but I noticed that when I try to use the same external FQDN from any of the internal subnets connected to the router, for content that is either HTTP or HTTPS, I am simply redirected to the EdgeRouter's web GUI. I have been struggling with this for a while and it is quite obvious I have hit a brick wall. Any help is greatly appreciated. Cheers.
Below is a sanitized section of my current firewall config:
firewall { all-ping enable broadcast-ping disable group { } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable : } } rule 30 { action accept description webserver destination { address 192.168.19.50 port 80 } log disable protocol tcp source { group { } } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } receive-redirects disable send-redirects enable : } log disable protocol tcp } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 1.1.1.13/28 address 1.1.1.12/28 address 1.1.1.11/28 address 1.1.1.10/28 address 1.1.1.9/28 address 1.1.1.8/28 address 1.1.1.7/28 address 1.1.1.6/28 address 1.1.1.5/28 description Internet duplex auto : firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth1 { address 192.168.17.1/24 description DMZ duplex auto speed auto vif 20 { address 192.168.20.1/24 description "Guest VLAN" mtu 1500 } } ethernet eth2 { address 192.168.2.1/24 description "Local 2" disable duplex auto speed auto } ethernet eth3 { disable duplex auto speed auto } ethernet eth4 { disable duplex auto speed auto } ethernet eth5 { address 192.168.19.1/24 description NET_DEV duplex auto speed auto } ethernet eth6 { 
disable duplex auto speed auto } ethernet eth7 { description eth7 disable duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth5 : rule 1 { description "" forward-to { address 192.168.19.50 port 80 } original-port 80 protocol tcp_udp } rule 2 { description "" forward-to { address 192.168.19.50 port 443 } original-port 443 protocol tcp_udp } wan-interface eth0 } protocols { static { } } service { dhcp-server { disabled false hostfile-update disable shared-network-name DMZ1 { authoritative disable subnet 192.168.17.0/24 { default-router 192.168.17.1 dns-server 8.8.8.8 dns-server 8.8.4.4 domain-name lease 86400 start 192.168.17.60 { stop 192.168.17.119 } } } shared-network-name LAN2 { authoritative enable subnet 192.168.2.0/24 { default-router 192.168.2.1 dns-server 192.168.2.1 lease 86400 start 192.168.2.38 { stop 192.168.2.243 } } } shared-network-name NET_DEV { authoritative disable subnet 192.168.19.0/24 { default-router 192.168.19.1 dns-server 8.8.8.8 dns-server 8.8.4.4 lease 86400 start 192.168.19.60 { stop 192.168.19.119 } : } } } dns { forwarding { cache-size 300 listen-on eth1 listen-on eth5 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1 { description webserver destination { address 1.1.1.12 port 80 } inbound-interface eth0 inside-address { address 192.168.19.50 port 80 } log enable protocol tcp_udp source { } type destination } rule 5010 { description "masquerade for WAN" log disable outbound-interface eth0 outside-address { address 1.1.1.13 } protocol all type source } } ssh { port 22 protocol-version v2 } } system { gateway-address 1.1.1.14 host-name RTR001 login { user admin { authentication { encrypted-password } level admin } } name-server 8.8.8.8 name-server 8.8.4.4 ntp { : server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } static-host-mapping { host-name webserver.externaldomain.com { inet 
1.1.1.9 } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Europe/ traffic-analysis { dpi enable export enable } }