I have created a topology of my network to clarify what I want to have...
I have got two zones defined in my RX11: WAN and LAN. WAN has got a public static IP. LAN defines a zone that is connected to an OPNSense firewall as a second firewall. In the SLAN zone defined behind my OPNSense, a webserver and a client exist.
If I enter the domain name for the webserver (example.com) it is resolved to the public static IP 184.x.x.x.
I expected that hairpinning (as defined by the red error) works if I call example.com from my client 192.168.2.15.
However, it doesn't. I always get the Forbidden-Rejected request from RFC1918 IP to public server address. Interestingly, the SSL certificate is not the certificate from my webserver but from the RX11 server.
I played with
- Network -->DNS-->Rebind protection
- System-->Administration-->Access Control-->WebUI-->Ignore private IPs on public interfaces
The first parameter does not seem to change anything. If I disable the second one, I get the RX11 Web GUI on example.com !!! This must be the RX11 Web GUI listening on 192.168.1.1, i.e. the LAN interface (not the WAN interface because I disabled "Enable remote HTTPS access")!!!
For me the situation is as follows:
If I call example.com, the public static IP address is correctly resolved. The client sends a packet through the OPNSense firewall to the RX11 router (SLAN-->LAN-->WAN). For whatever reason, the public static IP 184.x.x.x is not port forwarded to the WebServer 192.168.2.200.
Of course, I have got a port forwarding rule to forward incoming traffic from ISP over WAN to WebServer. This works perfectly.
Thanks for help.