Bext Practice Nextcloud WAN and LAN without NAT Reflection

[hartmann-daniel]

Hello everyone.

I'm currently struggling with Nextcloud and a reverse proxy. I hope someone can give me a few tips.

Previous configuration that needs to be changed.

Firewall / DHCP / DNS: OPNSense on own hardware
NAT port forwarding from port 443 set to IP of the MacVLAN interface of the NPM (NginxProxyManager).
NAT reflection activated
DNS entry nextclouddomain.de on the Internet set to WAN interface IP

Docker host with own hardware
Container:
NginxProxyManager as container
Networks
nextcloud-aio
Home network 192.168.0.x via MacVLAN
Configuration according to AIO instructions
Nextcloud AIO as container
Networks
nextcloud-aio => I create it myself

Everything actually works from the LAN as well as from the Internet. But what bothers me:
All requests to Nextcloud are processed under the IP of the firewall (192.168.0.1). If anyone enters an incorrect password multiple times, all users are subject to a delay.
Fail2Ban blocks everything when entering because 192.168.0.1 is blocked.
All LAN traffic goes through the firewall instead of through the NPM directly to the Nextcloud.

I have already tried Split DNS:
In the router, I set nextclouddomain.de to the local IP of the NPM for the LAN network. I was then able to remove NAT reflection.
Problem:
Nextcloud tries to reach itself for various checks and services at nextclouddomain.de, which fails because Nextcloud and NPM are on the same host. This is probably a "Docker feature" that cannot be addressed via the same interface.
What is still not resolved here:
Requests from the Internet are still processed under the same IP.

What is your solution?

Kind regards
Daniel

[szaimen]

I have already tried Split DNS

Split dns is the correct way. See https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-can-i-access-nextcloud-locally

[hartmann-daniel]

Hi szaimen,

Unfortunately I can't solve the problem with the instructions.

The NginxProxyManager runs on the same host as the Nextcloud AIO. The NPM has mapped port 443:443, so that the proxy can be reached via host address (192.168.0.x) and port 443. The proxy itself communicates via an internal network with http://nextcloud-aio-apache:11000 .
The DNS server running locally resolves my domain name to the host address. The proxy can also be reached from the Internet via NAT.
The Nextcloud can now be reached from the Internet and from the network.
The problem now is that individual services. At the moment it is OnlyOffice, but something was wrong a few weeks ago still have to reach the proxy from the container. I think I had the same problem when setting up Nextcloud AIO, and I switched back to NAT reflection there.
I can ping my domain from the nextcloud-aio-nextcloud container. The IP of the host is also resolved.
A "curl https://meinedomain.de" however causes a timeout.
To make a long story short, the basic problem is the following:
The containers installed by Nextcloud AIO cannot reach the proxy with split DNS because it is on the same network interface.
Host.docker.internal:host-gateway could possibly help, but then the DNS entry in the Nextcloud containers would have to be rewritten to the IP of host.docker.internal.

Am I the only one with this problem? Or is there an error in my configuration after several hours of searching?

Kind regards
Daniel

[szaimen]

Hi, can you set the dns server via daemon.json? See https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html

[hartmann-daniel]

Hello.

I'm not sure how this is supposed to help.

The DNS is not the problem. The initially configured domain (mydomain.de) is resolved correctly by the container. If I send a ping to mydomain.de in the nextcloud-aio-nextcloud container, the PING goes through to the DockerHost and is answered. ICMP to the host IP.

However, if I call "curl https://mydomain.de/onlyoffice" using CURL, for example, the request is not answered. But another server in the network does.

I think the problem here is that the request from the container goes out of the host via the network interface and back in (443) towards the container. And that is what Docker or the network interface prohibits.

Can someone try to recreate this? It is important here that the domain name is resolved to the host in the local network and not via the router, possibly via NAT reflection, back over the router. So that the Nextcloud container wants to establish a direct connection with the host:443.

Kind regards
Daniel

[hartmann-daniel]

Hello.
I just noticed that the security and setup warnings in the administration interface aren't working either. Checking for system and security issues takes a long time and then throws up various communication errors. Probably because no connection to itself can be established here either.

Kind regards
Daniel

[szaimen]

Split dns is the correct way. See https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-can-i-access-nextcloud-locally

Hi, it looks like you did not follow the instructions that I've sent here.

[hartmann-daniel]

Hello szaimen,

I found the error. I was looking in the wrong place. The proxy and Nextcloud settings were all correct. The problem was with the host. I'm using Photon here because the Docker host runs on a VMware ESXI. Photon seems to have very strict firewall rules by default.

After looking at "iptables -L -v -n" I saw that the INPUT chain drops everything and doesn't allow any connections to the host interface from the bridge interfaces that Nextcloud creates.

Using "ip link show" I first selected the bridge interface that belongs to the "nextcloud-aio" network created by Docker. In my case it's called "br-b7cfdd6aec7f" where the character strings are the first ones of the Docker network ID. Unfortunately that can change, but I'll come back to that in a moment. Anyway, I then created a rule using "iptables -A INPUT -i br-b7cfdd6aec7f -j ACCEPT" and the containers from the "nextcloud-aio" network can now reach the host and thus themselves via the proxy. This rule should of course be permanently stored in iptables. The one I just created disappeared after a reboot. Google tells you how to do this.

My wish now would be for the nextcloud-aio master container to set a fixed name for the bridge when creating the network so that it always stays the same. My suggestion is "nc-bridge". This probably needs to be added to the file "php/src/Docker/DockerActionManager.php" in line 879ff. But I'm not sure about that, so I'm not creating a pull request for now. Maybe someone else has a better idea.
driver_opts:
com.docker.network.bridge.name: nc-bridge

I hope that if anyone else is faced with the same situation, they will find this post and save themselves a lot of searching.

Thank you for your help so far.

Kind regards

Daniel