LAN redirects to gateway

My Traefik deployment is working perfectly when coming from outside of the network, but when using global URLs inside of the LAN I always get redirected to the gateway. I am not sure I understand why. Any hints on how to troubleshoot this particular problem?

Hi @OJFL,
Thanks for your interest in Traefik.

I don't really understand your objectives. Could you explain to me a bit more what you mean
by "global URLs inside the LAN"?

Thanks,
Maxence

Yes, I may not have been clear enough. I have a few physical servers and virtual servers running inside of the house for different tasks: media servers, file servers, home automation, etc. Each of those has its own hostname inside of the home and can be addressed in the LAN via that hostname. Externally, I have set up Traefik to redirect incoming traffic on specific ports and URLs (hypothetical examples: media.mydomain.whatever, files.mydomain.whatever, etc.) to those specific servers and ports. It all works wonderfully when connecting through our gateway, which forwards the ports to Traefik doing its translations. However, when I try to access those same URLs from inside of the LAN, for some reason the traffic ends up redirected to the gateway, and not to the specific servers. It is definitely either a configuration issue in Traefik or in the gateway, and I wanted some help to troubleshoot, find where the configuration issue is and fix it cleanly. Thank you for the quick response, @moutoum. By the way, this product is awesome.

Thanks a lot for the clarification. Could you share your configuration with me?

Thanks a lot again for the compliment, I will share it with the team :slight_smile:

Maxence

Sure can, Maxence. Do you want me to post it here? I have the general Traefik configuration file and the dynamic configuration. Do you want both?

Yes, please. I'll check whether I see any error, and try to reproduce. You can hide sensitive data.

Thanks,
Maxence

Ok. Here is traefik.toml:

```toml
################################################################
# Configuration sample for Traefik v2.
#
# For Traefik v1: traefik/traefik.sample.toml at v1.7 (traefik/traefik on GitHub)
################################################################

################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = true
  sendAnonymousUsage = false

# Static configuration
[serversTransport]
  insecureSkipVerify = true

################################################################
# Entrypoints configuration
################################################################

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.forwardedHeaders]
      insecure = true

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.forwardedHeaders]
      insecure = true

  [entryPoints.matrix]
    address = ":8008"
    [entryPoints.matrix.forwardedHeaders]
      insecure = true

  [entryPoints.matrixfed]
    address = ":8448"
    [entryPoints.matrixfed.forwardedHeaders]
      insecure = true

################################################################
# Docker configuration backend
################################################################

# Enable Docker configuration backend
[providers.docker]

  # Docker server endpoint. Can be a tcp or a unix socket endpoint.
  #
  # Required
  # Default: "unix:///var/run/docker.sock"
  #
  # endpoint = "tcp://10.10.10.10:2375"
  endpoint = "unix:///var/run/docker.sock"

  # Default host rule.
  #
  # Optional
  # Default: "Host(`{{ normalize .Name }}`)"
  #
  # defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
  defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"

  # Expose containers by default in traefik
  #
  # Optional
  # Default: true
  #
  # exposedByDefault = false
  exposedByDefault = false

################################################################
# Dynamic configuration file
################################################################
[providers.file]
  directory = "/rules"
  watch = true

[pilot]
  token = "token"

################################################################
# Let's Encrypt challenge configuration
################################################################
[certificatesResolvers]
  [certificatesResolvers.ionosresolver]
    [certificatesResolvers.ionosresolver.acme]
      email = "email address"
      storage = "/certs/acme.json"
      [certificatesResolvers.ionosresolver.acme.dnsChallenge]
        provider = "ionos"
```

Here is traefik-dynamic.toml:

```toml
###############################################################
# Router configurations
###############################################################

# To the internal router
[http.routers]
  [http.routers.introuter]
    entryPoints = ["web"]
    rule = "Host(`router.domain1`)"
    middlewares = [ "ourSitesSecure" ]
    service = "routerconfig"

  [http.routers.introutersec]
    entryPoints = ["websecure"]
    rule = "Host(`router.domain1`)"
    service = "routerconfigsec"
    [http.routers.introutersec.tls]

  [http.routers.plexroute]
    entryPoints = ["web"]
    rule = "Host(`plex.domain1`)"
    middlewares = [ "ourSitesSecure" ]
    service = "plexweb"

  [http.routers.plexroutesec]
    entryPoints = ["websecure"]
    rule = "Host(`plex.domain1`)"
    service = "plexwebsec"
    [http.routers.plexroutesec.tls]

  [http.routers.nxtcloud]
    entryPoints = ["web"]
    rule = "Host(`nxtc.domain1`)"
    middlewares = [ "ourSitesSecure" ]
    service = "nextcloud"

  [http.routers.nxtcloudsec]
    entryPoints = ["websecure"]
    rule = "Host(`nxtc.domain1`)"
    service = "nextcloudsec"
    [http.routers.nxtcloudsec.tls]

  [http.routers.puresynapse]
    entryPoints = ["web"]
    rule = "Host(`synapse.domain2`)"
    middlewares = [ "ourSitesSecure" ]
    service = "synapse"

  [http.routers.puresynapsesec]
    entryPoints = ["websecure"]
    rule = "Host(`synapse.domain2`)"
    service = "synapsesec"
    [http.routers.puresynapsesec.tls]

  [http.routers.matrix]
    entryPoints = ["web"]
    rule = "Host(`matrix.domain2`)"
    middlewares = [ "ourSitesSecure" ]
    service = "matrix"

  [http.routers.matrixsec]
    entryPoints = ["websecure"]
    rule = "Host(`matrix.domain2`)"
    service = "matrixsec"
    [http.routers.matrixsec.tls]

  [http.routers.element]
    entryPoints = ["web"]
    rule = "Host(`element.domain2`)"
    middlewares = [ "ourSitesSecure" ]
    service = "element"

  [http.routers.elementsec]
    entryPoints = ["websecure"]
    rule = "Host(`element.domain2`)"
    service = "elementsec"
    [http.routers.elementsec.tls]

  [http.routers.synapse]
    entryPoints = ["matrix", "matrixfed"]
    rule = "Host(`synapse.domain2`)"
    middlewares = [ "ourSitesSecure" ]
    service = "synapse"

  [http.routers.synapsesec]
    entryPoints = ["matrix", "matrixfed"]
    rule = "Host(`synapse.domain2`)"
    service = "synapsesec"
    [http.routers.synapsesec.tls]

  [http.routers.whoami]
    entryPoints = ["web"]
    rule = "Host(`whoami.domain1`)"
    middlewares = [ "ourSitesSecure" ]
    service = "whoami"

  [http.routers.whoamisec]
    entryPoints = ["websecure"]
    rule = "Host(`whoami.domain1`)"
    service = "whoamisec"
    [http.routers.whoamisec.tls]

  [http.routers.guac]
    entryPoints = ["web"]
    rule = "Host(`guac.domain1`)"
    middlewares = [ "ourSitesSecure" , "addGuacPrefix" ]
    service = "guac"

  [http.routers.guacs]
    entryPoints = ["websecure"]
    rule = "Host(`guac.domain1`)"
    middlewares = [ "addGuacPrefix" ]
    service = "guacs"
    [http.routers.guacs.tls]

  [http.routers.wallabag]
    entryPoints = ["web"]
    rule = "Host(`wallabag.domain1`)"
    middlewares = [ "ourSitesSecure" ]
    service = "wallabag"

  [http.routers.wallabags]
    entryPoints = ["websecure"]
    rule = "Host(`wallabag.domain1`)"
    service = "wallabags"
    [http.routers.wallabags.tls]

################################################################
# Services configurations
################################################################

# Service to the router
[http.services]
  [http.services.routerconfig.loadBalancer]
    [[http.services.routerconfig.loadBalancer.servers]]
      url = "http://localrouterUrl"

  [http.services.routerconfigsec.loadBalancer]
    [[http.services.routerconfigsec.loadBalancer.servers]]
      url = "https://localrouterUrl"

  [http.services.plexweb.loadBalancer]
    [[http.services.plexweb.loadBalancer.servers]]
      url = "http://plexserver:32400/web"

  [http.services.plexwebsec.loadBalancer]
    [[http.services.plexwebsec.loadBalancer.servers]]
      url = "http://plexserver:32400/web"

  [http.services.nextcloud.loadBalancer]
    [[http.services.nextcloud.loadBalancer.servers]]
      url = "http://nextcloudserver:8090"

  [http.services.nextcloudsec.loadBalancer]
    [[http.services.nextcloudsec.loadBalancer.servers]]
      url = "http://nextcloudserver:8090"

  [http.services.matrix.loadBalancer]
    [[http.services.matrix.loadBalancer.servers]]
      url = "http://matrixserver"

  [http.services.matrixsec.loadBalancer]
    [[http.services.matrixsec.loadBalancer.servers]]
      url = "http://matrixserver"

  [http.services.element.loadBalancer]
    [[http.services.element.loadBalancer.servers]]
      url = "http://matrixserver:8888"

  [http.services.elementsec.loadBalancer]
    [[http.services.elementsec.loadBalancer.servers]]
      url = "http://matrixserver:8888"

  [http.services.synapse.loadBalancer]
    [[http.services.synapse.loadBalancer.servers]]
      url = "http://matrixserver:8008"

  [http.services.synapsesec.loadBalancer]
    [[http.services.synapsesec.loadBalancer.servers]]
      url = "http://matrixserver:8008"

  [http.services.whoami.loadBalancer]
    [[http.services.whoami.loadBalancer.servers]]
      url = "http://traefikserver:5555"

  [http.services.whoamisec.loadBalancer]
    [[http.services.whoamisec.loadBalancer.servers]]
      url = "http://traefikserver:5555"

  [http.services.guac.loadBalancer]
    [[http.services.guac.loadBalancer.servers]]
      url = "http://guacamoleserver:8889"

  [http.services.guacs.loadBalancer]
    [[http.services.guacs.loadBalancer.servers]]
      url = "http://guacamoleserver:8889"

  [http.services.wallabag.loadBalancer]
    [[http.services.wallabag.loadBalancer.servers]]
      url = "http://wallabagserver:8999"

  [http.services.wallabags.loadBalancer]
    [[http.services.wallabags.loadBalancer.servers]]
      url = "http://wallabagserver:8999"

################################################################
# Middlewares
################################################################

# Redirect middleware
[http.middlewares]
  [http.middlewares.ourSitesSecure.redirectScheme]
    scheme = "https"
    permanent = true

  [http.middlewares.addGuacPrefix.addPrefix]
    prefix = "/guacamole"
```

Just to reiterate, all of these services work when they are accessed from the WAN side on a public IP, but when trying to access them from the LAN using the WAN URL (domain1 or domain2), they all get redirected to the gateway (localrouterUrl). Thank you for the assistance, @moutoum Maxence.

Hi @OJFL,
Thanks for sharing your configurations with me.

Are you sure Traefik is the one doing the wrong redirection?
Could you try to dig the URL you are trying to access and see which IP it resolves to?

From what I see, the configuration looks good to me. Maybe the problem comes from the network configuration. I'll continue to investigate :slight_smile:

Thanks,
Maxence

I am not sure, Maxence, and that is one of the reasons why I asked for some assistance troubleshooting the issue. I had already done that in the past, but just to confirm I did it again right now, and the address resolution of dig points to the external IP address of the gateway. It is the same thing for both domain1 and domain2 in the configuration files I sent you, for all subdomain URLs. Thank you for continuing the investigation with me. I really appreciate that.

Hi @OJFL,

I might think about NAT hairpinning, which is not widely supported by routers.

Could you try to curl the Traefik instance directly (not through your gateway)?
You can set the `Host: plex.domain` header so that Traefik's routing is used properly.
e.g.: `curl -H "Host: plex.domain.com" <traefik-ip>:80`

If it works, then this issue is probably related to NAT hairpinning, which does not support LAN -> WAN -> LAN.

Thanks,
Maxence
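Added example (not code from the thread or from Traefik): the two checks suggested in the reply above, run from a LAN client. Step one resolves the public name through the client's own resolver, which is what `dig` shows; step two sends a single request straight to Traefik's LAN address with the `Host` header set to the public name, so the gateway is never on the path. Redirects are not followed, because on the `:80` entrypoint a `301` to `https://<same host>/` from the `redirectScheme` middleware is the healthy answer and should be recognised as such rather than chased. The verdict logic is a pure function so it can be reasoned about without a network; the addresses in `__main__` (`plex.domain1.example`, `192.168.1.20`, `203.0.113.10`) are placeholders.

```python
"""Hairpin-NAT vs. Traefik-routing diagnosis (added example)."""
import http.client
import socket
from urllib.parse import urlsplit


def resolve(name: str) -> str:
    """Equivalent of `dig +short name` through the client's configured resolver."""
    return socket.gethostbyname(name)


def probe_direct(traefik_ip: str, host: str, port: int = 80, timeout: float = 5.0) -> tuple[int, str]:
    """GET / on Traefik directly with Host set to the public name; no redirect following."""
    conn = http.client.HTTPConnection(traefik_ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def diagnose(host: str, resolved_ip: str, wan_ip: str, traefik_lan_ip: str,
             direct_status: int, direct_location: str) -> str:
    """Classify the symptom from the two observations (pure function)."""
    if resolved_ip == traefik_lan_ip:
        return "dns: name already resolves to Traefik on the LAN; the gateway is not in the path"
    if direct_status == 404:
        return "traefik: no router matched the Host header; check the Host() rules"
    if 300 <= direct_status < 400:
        # A scheme redirect must stay on the same name; anything else is Traefik's doing.
        target = urlsplit(direct_location).hostname
        if target != host:
            return f"traefik: redirect leaves the site (Location host is {target})"
    if direct_status < 400 and resolved_ip == wan_ip:
        return ("gateway: Traefik routes correctly when reached directly, but LAN clients "
                "resolve the WAN address and the gateway does not hairpin LAN -> WAN -> LAN")
    return f"unclear: direct probe returned {direct_status}, name resolves to {resolved_ip}"


def run(host: str, traefik_lan_ip: str, wan_ip: str) -> str:
    """Perform both checks for real and return the verdict."""
    resolved = resolve(host)
    status, location = probe_direct(traefik_lan_ip, host)
    return diagnose(host, resolved, wan_ip, traefik_lan_ip, status, location)


if __name__ == "__main__":
    # Placeholder values: substitute the real public name, Traefik's LAN address and the gateway's WAN address.
    print(run("plex.domain1.example", "192.168.1.20", "203.0.113.10"))
```

The `gateway:` verdict is the case this thread ends on: Traefik answers correctly when addressed directly, so the redirect to the router's own page is produced by the gateway handling a LAN-originated connection to its WAN address, not by any router or middleware in the configuration.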