
Dig and Curl results differ with a SNAT and DNAT during NextCloud config

Hello all - please note I am by far not a networking expert.

(Environment Information at the bottom of this post)

I'm setting up a NextCloud (NC) server and am at the point of creating/activating the SSL cert (via Let's Encrypt) for it, and the NC install script is failing, saying that the server (A Record) IP does not exist, and errors out. If I run the activate-SSL portion of the install script, it curls to ipv4bot.whatismyipaddress.com and comes back with the first IP address (x.x.x.218) of my WAN. However, if I do a dig to OpenDNS it comes back with the assigned external IP of the NC server (x.x.x.220). I created DNAT and SNAT rules to initially get this configured, get the certificate, and then move the entire config to WAF after disabling the DNAT/SNAT.

The interface routing is as such:

(Interfaces - Additional Addresses)

(Interface config)


Any idea why results would differ or if I missed something on the configs that cause the wrong IP to be returned? I cleared out the dns cache of the NC server, ensured that the DNS used is 1.1.1.1 and 1.0.0.1. Our A record has been created for weeks now.


EDIT: commands run on the NC server:

dig +short myip.opendns.com @resolver1.opendns.com

curl -s -k -m 5 ipv4bot.whatismyipaddress.com


Environment:

UTM 9.509-3

WAN IP range X.X.X.216/29   (this is connection #2 of 2 WAN connections)

NextCloud VM (Ubuntu Linux)



  • Hi  

    First things first, dig uses port 53 while curl uses port 80 (since you're using an HTTP page). You're using two different methods to check your public IP, and technically both are correct.

    It seems that you have configured Web Protection for the network assigned to the NC server. Please note that Web Protection will take precedence over SNAT, and hence traffic will be passed through the WAN link load balancing (unless you've changed it using this KBA). In that case, I suggest you skip the server under Web Protection > Filtering Options > Misc | Skip Transparent Mode Source Hosts/Nets.

    Regards

    Jaydeep
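As an added example (not from this thread, and not Sophos or NextCloud code), the script below wraps the two probes from the question (dig to OpenDNS over UDP/53, curl to the IP echo page over TCP/80) and classifies the result against the expected A record and WAN block. It labels the situation the reply describes, where the DNS probe egresses via the SNAT address while the HTTP probe egresses via another address in the same block (as happens when a transparent web proxy or WAN link balancing handles the HTTP flow), and separately flags an address that is outside the WAN block altogether. The addresses used in the offline checks are constructed RFC 5737 values; `A_RECORD`, `WAN_BLOCK` and `RUN_LIVE` are assumed environment variables for a live run.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares the public IPv4 seen
# via DNS (UDP/53) with the one seen via HTTP (TCP/80) and checks both against
# the expected A record and WAN block.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <network/prefix>: succeeds when ip lies inside the block.
in_cidr() {
    local ip=$1 net=${2%/*} prefix=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shift left to build the netmask, then re-mask to 32 bits.
    local mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Live probes, exactly the two commands from the question (network required;
# not used by the offline checks).
public_ip_dns()  { dig +short myip.opendns.com @resolver1.opendns.com; }
public_ip_http() { curl -s -m 5 ipv4bot.whatismyipaddress.com; }

# diagnose <a_record_ip> <wan_block> <ip_seen_via_dns> <ip_seen_via_http>
# Prints one of:
#   consistent          both probes return the A record address
#   http-egress-differs UDP/53 follows the SNAT, TCP/80 leaves via another WAN address
#                       (transparent proxy / link balancing handling the HTTP flow)
#   dns-egress-differs  the reverse
#   both-differ         neither probe matches the A record
#   outside-wan         a probe returned an address not in the WAN block at all
diagnose() {
    local expected=$1 block=$2 via_dns=$3 via_http=$4
    if ! in_cidr "$via_dns" "$block" || ! in_cidr "$via_http" "$block"; then
        echo outside-wan
        return 0
    fi
    if [ "$via_dns" = "$expected" ] && [ "$via_http" = "$expected" ]; then
        echo consistent
    elif [ "$via_dns" = "$expected" ]; then
        echo http-egress-differs
    elif [ "$via_http" = "$expected" ]; then
        echo dns-egress-differs
    else
        echo both-differ
    fi
}

# Live run: RUN_LIVE=1 A_RECORD=<ip> WAN_BLOCK=<net/prefix> sh thisscript.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    diagnose "${A_RECORD:?set A_RECORD}" "${WAN_BLOCK:?set WAN_BLOCK}" \
             "$(public_ip_dns)" "$(public_ip_http)"
fi
```

On the setup in the question (A record x.x.x.220, block x.x.x.216/29, dig returning .220 and curl returning .218) the classification is `http-egress-differs`, which is the pattern to expect while a transparent web proxy or link balancing, rather than the SNAT rule, decides the source address of port-80 traffic from the NC host.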