Let’s say I’ve got Nextcloud selfhosted in my basement and that it is accessible on the world wide web at nextcloud.kickassdomain.org. When someone puts in that URL, we’ll have all the fun DNS-lookups trying to find the IP address to get them to my router, and my router forwards ports 80 and 443 to a machine running a reverse-proxy, and the reverse-proxy then sends it to a machine-and-port that Nextcloud is listening to.
When I do this on my phone next to that computer hosting Nextcloud, (I believe) what happens is that the data leaves and re-enters my home network as my router sends the data to the IP address it is looking for (which is itself). This would mean that instead of getting a couple hundred Mbps from the local wifi (or being etherneted in and getting even more), I’m limited by my ISPs upload speed of ~25Mbps.
Maybe that just isn’t the case and I’ve got nothing to worry about…
What I want my network to do is to know that nothing has to leave the network at all and just use the local speeds. What I tried before was using a DNS re-write in Adguard such that anything going to my kickassdomain would instead go to the local IP address (so like nextcloud.kickassdomain.org -> 192.168.0.99). This seemed to cause a lot of problems when I then left the house because, I assume, the DNS info was cached and my phone would out in the world and try to connect to that IP and fail.
My final goal here is that I want to upload/download from my selfhosted applications (like nextcloud) without being limited by the relatively slow upload speed of the ISP.
Maybe the computer already figured all this out, though - it does seem like my router should know it’s own IP and not bother sending things out into the world just for them to come back.
If it matters, my IP address is pretty stable, but more importantly it is unique to me (like every house in the neighborhood has their own IP).
Updates from testing: So everything does indeed just work without me needing to change how I already had it set up, presumably because the router did the hairpin NAT action folks are talking about here.
I tested it by installed iperf3 on the server then I used my phone (using the PingTools Network Utilities android app, only found on google play and not on f-droid) to connect. Here are the results:
- Phone to local IP address (192.168.0.xxx) - ~700 Mbits/second
- Phone to speedtest.mykickassdomain.org while still on the wifi - ~700 Mbits/second
- Phone on cellular to speedtest.mykickassdomain.org - ~4 Mbits/second
If you don’t need public access you can create an A-name record pointing to your private IP. This way you will still be able to use SSL certificates but still route your traffic using the internal network.
Ooo, interesting.
I am going for public access here, so it wont work. But i think this is how some routers are set up. Like i think asusrouter.net is set to 192.168.0.1, so anyone with the router can go to the same url / domain and itll send them each to their own router. Found that out the other week and thought it very clever.
Yeah, I’ve got something like this. My WiFi router has aliased over my public domain name. So, it, having the authority in my network, tells people to go directly to the local address.
If I leave, a refresh grabs the IP from a public/corporate DNS server, pointing to our external IP.
It works nicely, even though home assistant now has a ‘private’ and ‘public’ domain name that I could be using instead. Still, one name. Easier on the brain.
I’m behind CGNAT, so I have a local DNS server that resolves to the internal IP, and regular DNS resolves to my VPS, which tunnels into my home network through Wireguard.
If you’re not behind CGNAT, you’ll just hit your router after DNS resolution and you’re golden.
What you are describing is called hair pinning. Basically the traffic goes all the way out to whatever device has that public IP. It then is routed back. This wouldn’t be your ISP speed since you are still doing stuff local.
What you probably want is a local DNS server that has a record that points to a local IP. With that you don’tneed to publicly expose anything.
Side note: you don’t route DNS records. Routing really only applies to IP addresses.
Basically the traffic goes all the way out to whatever device has that public IP. It then is routed back.
This would be a problem if OP has a provider who NATed him (which is quite common where he is from), right?
The Nat is on the local device at location so no.
Not necessairly. In Germany CGNAT is quite common. So if one of OPs devices routes via IPv4, the traffic will be routed to the carriers public facing router. I would not consider that local as it physically leaves the cables you control.
It would be a little weird to have a CGNAT for a local internet connection. Then again, I’m not in Germany.
Whrere are you from?
Because in Germany it is really common.
I have been looking for a new contract for a while now, because my dsl is shit (thanks to my landlord). But all new cable contracts I can find are NATed (ecxept buisness contracts).
When you say NATed you are talking about symmetric NAT right? Not just a simple router doing port address translation?
If I understand correctly, it’s nat on the local home router AND nat on the ISP’s router as well. It’s a double nat.
They’re fairly common in the US with smaller or local fiber networks, but most ISPs offer a static IP for an additional $10/month to bypass the CGNAT
Chances are you couldn’t use CGNAT for self-hosting, so you’d be out to an actual IP address that’s forwarding the traffic via something like Cloudflared, but your point stands.
Fair, it is a lot harder, but possible (you could vpn your traffick through a vps). Actually one of the reasons I have not changed my terribly slow contract yet.
This is the way.
I do this. PFsense DNS resolver, and have loopback enabled.
DNS for all the domains points at a reverse proxy (Caddy) that handles valid HTTPS termination. So all my services have valid HTTPS certs, and devices on my network can access them normally.
I do the same with adguard home, it works fine and like you say valid https for all services.
Others have already answered but this might help understand.
On cloudflare DNS, I set my domain to point to external IP address my ISP gives me for my router. Ie example.com points to 107.474.274.12
Within my network, my internal DNS (pi hole) is set to point to the internal IP address of my server. Ie example.com points to 192.168.1.23
Note that in the first example, the router has port forwarding so that all https traffic (port 443) is forwarded to the internal IP of my server, 192.168.1.23. I’m both example, the traffic ends up in the same place but the route it takes depends on if the traffic starts inside my network (example 2) or outside of the internet (example 1).
So i had done this (with Adguard rather than pihole) and i think i was getting caching issues. Whether or not i was, though, i removed it and it looks like my router is handling it all just fine without the rewrite on the local DNS server.
Some folks mentioned “hairpin NAT” - i was reading the wiki on NAT last night but didnt get to hairpin, but that appears to be what is happening.
The conclusion is - my setup had been doing what i want the whole time without any DNS fiddling. I updated the original post with the speedtests.
Yes, hairpin can make it work but some routers don’t seem to do it well.
The other issue is that on wireguard by DNS is set to pi hole and without doing this my internal stuff wasn’t working without doing this
I do this too, with Pi Hole as well.
Set up an internal dns server that will resolve your specific host name to an internal ip and forward everything else.
If you just want a specific site, you can use bind and response policy zones. The advantage of this is that you can now configure your dns server to take advantage of block lists on the internet and block malware/ads/tracking domains.
AKA, split DNS. Doing it this way is a bit cleaner than hairpin NAT as mentioned in other comments, but both options work fine in a home network.
i think this is what I was doing with Adguard and using the re-write rules, but then the client (my phone, for example) would cache the IP address and it would fail when I was out of the house/network.
Or am I misunderstanding what you are saying here?
Hmm, caching has never caused problems with split DNS for me, but it’s really hard to debug what was going on with your setup. Split DNS is really common and is the preferred way to solve this, so most browsers have logic to handle it. You might have had something misconfigured, but unfortunately it’s really hard to diagnose.
I guess I should say that I think there were caching issues, but the problem was coming from an iphone and the Bitwarden app (connecting to the self-hosted vaultwarden).
Impossible to say, could be the app is doing something funky, could be iOS, could be lotta things.
I will note, my preferred solution is to do none of the above, and I only do split DNS for one particular service. I much prefer just using an always on Wireguard VPN that is set to only route traffic to my internal subnets and to use my internal DNS server. Then I just use internal names. Wireguard basically runs at line rate on my setup, so half the time I don’t even turn it off at home. This also gives you the option to use DNS ad blocking (eg adguard) on the go.
If it is caching you can always set a ttl to a lower value like 5 seconds. And systems should be clearing the dns cache on a new ifup.
my router should know it’s own IP and not bother sending things out into the world just for them to come back
This is correct: https://en.wikipedia.org/wiki/Network_address_translation#NAT_hairpinning
If it’s not working, check the configuration on your router. (Your ISP should also be doing this at their edge, but maybe not.)
Also, you should really not be exposing services to the Internet that you don’t have to. Put it all behind a VPN.
ok, well that’s easy to set up if that is how it just works! i wonder if maybe i should (at least temporarily) self-host some sort of speedtest app on the server and check the speed from my phone while i’m on wifi using the IP, wifi using domain name, and off wifi using domain…
Use iperf3 if you can.
You could also just use dig, ping, and traceroute to check the path.
I use Wireguard, so when I am outside, connected to my VPN, I use the internal DNS (pihole) for accessing internal network services using their fqdn.
This is the way.
Seems you’ve got the speed part of things figured out.
One thing I’ll add is it’s somewhat common to host a DNS server within your LAN to resolve names for local only services. If you do choose to do this; I’ve found allowing names for services you expose to the internet to resolve to your public IP and then just use hairpinning when at home works smoother. Some apps do a really poor job grabbing and using the different IPs (wan vs lan) when you switch between networks; but they’ll work better if they always just use the public ip and allow the network to handle the different routing.
Does your provider give you yoir own (not necessairly fixed, jus no one else having it simultaniously) IPv4-Address? Some keywords to look out for wrt that are NAT, or DS(dual stack)-lite.
What I do to keep DNS consistent inside and out is use Tailscale on all my clients. I host a DNS server hosted on my tailnet that is set up as split DNS for my “kickassdomain.org”.
It’s easy to do this via cloudflare and NPM by using a wildcard a name pointed towards your local IP.
