I am able to serve my local IP (10.0.10.10:30050) to the internet and can access it from other networks. How do I access it locally however? Maybe this is a question of Split DNS, but I am not fully sure.
For example, on a separate network, I can access immich.empyrea.dev without issues. It redirects to https://immich.empyrea.dev and also has a Certificate from Let’s Encrypt.
But when I am on my LAN, I cannot navigate to https://immich.empyrea.dev; I get an “ERROR_SELF_SIGNED_CERT” error.
I tried setting up an Override in my Unbound DNS via my OPNsense instance, but that did not work, and I would need to manually add the port if it did work.
Maybe there is some theory that I am not understanding here. Thanks
Do you use a self-signed cert for OPNsense web UI? At a glance, I’d assume you’re hitting OPNsense (DNS pointed at external IP, routes to OPNsense, OPNsense receives packets for HTTP(S) port on LAN, tries to respond with its own web server).
You wouldn’t need to manually add the port if you point the local DNS at the Caddy host. You’d only need to add the port if you pointed it at the Immich host. If you point internal DNS for this domain at Caddy, your browser will talk to it over default HTTP(S) ports and Caddy will respond with its valid certificate and reverse-proxy to the Immich host as configured.
The other typical solution for this issue is called Hairpin NAT. This configuration tells OPNsense to accept packets from the LAN if they’re addressed to the WAN interface and double-handle them through the firewall, which allows OPNsense to route it through port forwarding. This does involve a (possibly quite minor depending on your hardware) performance hit from the double handling. OPNsense has a write-up here: “Reflection and Hairpin NAT” (OPNsense documentation).
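As an added illustration of the split-DNS route described in the reply above (this is example configuration, not something posted by either participant), here is the Caddy site block that the internal override would point at. The Caddy host's LAN address (10.0.10.20) is an assumption; the Immich backend address and port are the ones given in the question.

```caddyfile
# Assumed: this Caddy instance runs on 10.0.10.20 and already holds the public
# Let's Encrypt certificate for the site name (port 80/443 reachable from the
# internet for issuance, as the question indicates it is).
#
# For LAN clients, the Unbound host override in OPNsense must map
# immich.empyrea.dev to 10.0.10.20 (the Caddy host), NOT to 10.0.10.10.
# Browsers then connect to Caddy on the default 443, get the valid
# certificate, and Caddy forwards to Immich on its non-standard port.
immich.empyrea.dev {
	# Backend from the question; port stays hidden from the client.
	reverse_proxy 10.0.10.10:30050
}
```

To confirm the override is in effect from a LAN client, resolve the name against the OPNsense resolver (for example `dig +short immich.empyrea.dev @10.0.10.1`, where 10.0.10.1 is an assumed LAN gateway address) and check that it returns 10.0.10.20 rather than the public WAN address; if it still returns the WAN address, the client is either bypassing Unbound (DoH, a hard-coded public resolver) or the override is on a different domain than the browser is using. If the name resolves correctly but the self-signed error persists, the connection is still landing on the OPNsense web GUI, which points at routing rather than DNS.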