Trouble with 1:1 NAT (Roundcube trying to access Nextcloud via public IP)

I’m setting up a brand new 0.44 installation on a server behind 1:1 NAT, and I’m hoping for a little help.

To go into a little more detail, I have a connection with several static IPs, all of which are assigned to servers behind my router (running pfSense) via 1:1 NAT. The net effect of this is that connections from my Box to its own public IP will hit the router. I do have NAT reflection turned on, but unfortunately this only works for hosts other than the target of the NAT redirection. Anything other than my Box can access it via its public IP, but the Box itself cannot. I’m not sure it’s actually possible to configure pfSense to reflect packets back to the original host in this sort of setup.

This is mostly fine, but I’m running into a couple of problems with 0.44.

First is just verification. MIAB reports that services running on my Box are not publicly accessible, because it tries to connect to its own public IP and fails. This is only cosmetic.

The bigger issue is that Roundcube is apparently trying to connect to my Box via its own public hostname, and since MIAB uses itself as a DNS server, that resolves to its public IP and does not work. After putting fastcgi_read_timeout 600; in /etc/nginx/conf.d/timeout.conf to get around the initial 504 timeout, I’m seeing the following in /var/log/roundcubemail/errors.log:

[20-Feb-2020 18:58:07 America/Los_Angeles] Failed to connect to mail.[redacted] port 443: Connection timed out
[20-Feb-2020 18:58:07 America/Los_Angeles] PHP Fatal error:  Uncaught Httpful\Exception\ConnectionErrorException: Unable to connect to "https://mail.[redacted]:443/cloud/remote.php/carddav/addressbooks/[redacted]@[redacted]/contacts": 7 Failed to connect to mail.[redacted] port 443: Connection timed out in /usr/local/lib/roundcubemail/plugins/carddav/vendor/nategood/httpful/src/Httpful/Request.php:1028
Stack trace:
#0 /usr/local/lib/roundcubemail/plugins/carddav/vendor/nategood/httpful/src/Httpful/Request.php(204): Httpful\Request->buildResponse(false)
#1 /usr/local/lib/roundcubemail/plugins/carddav/carddav_common.php(185): Httpful\Request->send()
#2 /usr/local/lib/roundcubemail/plugins/carddav/carddav_discovery.php(123): carddav_common->cdfopen('https://mail.un...', Array, Array)
#3 /usr/local/lib/roundcubemail/plugins/carddav/carddav_discovery.php(93): carddav_discovery->retrieve_addressbooks('/cloud/remote.p...', Array)
#4 /usr/local/lib/roundcubemail/plugins/carddav/carddav.php(239): carddav_discovery->find_addressbooks('https://mail.un...', '%u', '{BASE64}JXA=')
#5 in /usr/local/lib/roundcubemail/plugins/carddav/vendor/nategood/httpful/src/Httpful/Request.php on line 1028

My quick and ugly workaround was to just add 127.0.0.1 mail.[redacted] to /etc/hosts, which seems to have worked. I’m assuming this isn’t a file MIAB likes to mess with. However, unless there’s a good reason for this behavior, it seems like Roundcube should really be sending any connections intended for local services to localhost, not the public hostname. Is there a reason for the current configuration?

It would also be great to find a solution to the status checks and/or just get 1:1 reflection working to bounce connections from my Box off my router and back to the Box, but I’m not actually sure the former is possible (short of just adding a switch to quiet the errors) and the latter still doesn’t seem like the right solution. Roundcube certainly shouldn’t be bouncing connections off my router in order to connect to a local contacts service.

I also looked into configuring my Box not to use itself as a nameserver, but this seems more complicated since the MIAB configuration script disables systemd-resolved and overwrites /etc/resolv.conf.
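The post above gives the shape of the Roundcube CardDAV error log but no quick way to tell, across a whole errors.log, how many connection failures are the box failing to reach its own public hostname (the hairpin NAT symptom) versus failures to genuinely remote hosts. The following script is an added example, not code from the post or from Mail-in-a-Box or Roundcube: it parses lines in the format shown above and classifies each failure by whether the target host is one of the box's own names. The sample log, the hostname mail.example.com, the partner hostname and the set of own names are constructed for the example; on a real box you would read /var/log/roundcubemail/errors.log and pass the hostnames the box answers to.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the lines quoted in the post with the
# redacted hostname replaced by mail.example.com. Not a real capture.
SAMPLE_LOG = "\n".join([
    r'[20-Feb-2020 18:58:07 America/Los_Angeles] Failed to connect to mail.example.com port 443: Connection timed out',
    r'[20-Feb-2020 18:58:07 America/Los_Angeles] PHP Fatal error:  Uncaught Httpful\Exception\ConnectionErrorException: '
    r'Unable to connect to "https://mail.example.com:443/cloud/remote.php/carddav/addressbooks/user@example.com/contacts": '
    r'7 Failed to connect to mail.example.com port 443: Connection timed out '
    r'in /usr/local/lib/roundcubemail/plugins/carddav/vendor/nategood/httpful/src/Httpful/Request.php:1028',
    r'Stack trace:',
    r'#0 /usr/local/lib/roundcubemail/plugins/carddav/vendor/nategood/httpful/src/Httpful/Request.php(204): Httpful\Request->buildResponse(false)',
    r'[21-Feb-2020 09:00:00 America/Los_Angeles] Failed to connect to contacts.partner.example port 443: Connection refused',
])

# Every real log entry starts with a bracketed timestamp; stack-trace lines do not.
TS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s')
# The cURL-style failure text, optionally followed by PHP's " in /path:line" suffix.
FAIL_RE = re.compile(
    r'Failed to connect to (?P<host>\S+) port (?P<port>\d+): '
    r'(?P<reason>.+?)(?: in /\S+)?$'
)


@dataclass(frozen=True)
class ConnectFailure:
    timestamp: str
    host: str
    port: int
    reason: str
    fatal: bool  # True when the failure escalated into a PHP fatal error


def parse_log(text: str) -> list[ConnectFailure]:
    """Extract connection failures from Roundcube errors.log text."""
    failures: list[ConnectFailure] = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue  # continuation lines of a stack trace carry no timestamp
        m = FAIL_RE.search(line)
        if not m:
            continue
        failures.append(ConnectFailure(
            timestamp=ts.group('ts'),
            host=m.group('host'),
            port=int(m.group('port')),
            reason=m.group('reason'),
            fatal='PHP Fatal error' in line,
        ))
    return failures


def self_connection_failures(failures: list[ConnectFailure],
                             own_names: set[str]) -> list[ConnectFailure]:
    """Failures whose target is one of this box's own hostnames.

    These are the ones a hairpin NAT / missing reflection rule produces: the
    box resolves its own public name, connects to the public IP, and the
    packet is dropped at the router instead of reaching a local service.
    """
    own = {n.lower().rstrip('.') for n in own_names}
    return [f for f in failures if f.host.lower().rstrip('.') in own]


def summarize(failures: list[ConnectFailure], own_names: set[str]) -> dict:
    """Count self-connection failures separately from failures to other hosts."""
    selfs = self_connection_failures(failures, own_names)
    return {
        'total': len(failures),
        'self': len(selfs),
        'other': len(failures) - len(selfs),
        'self_hosts': sorted({f"{f.host}:{f.port}" for f in selfs}),
    }


if __name__ == '__main__':
    # Own names are an assumption for the example; on a real box, use the
    # hostnames that resolve to its public IP.
    print(summarize(parse_log(SAMPLE_LOG), {'mail.example.com', 'localhost'}))
```

If the 'self' count is non-zero while 'other' failures are absent, the box is only failing to reach itself, which points at the NAT reflection gap described in the post rather than at a general outbound connectivity problem.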
