docs: add Split Horizon hairpin NAT fix to networking architecture
[ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
9de543c076
commit
98aaba98da
1 changed files with 8 additions and 0 deletions
@ -115,6 +115,14 @@ VMs tag traffic on vmbr1 to isolate workloads. pfSense bridges VLAN 20 to the up
- Client source IPs are preserved (no SNAT on 192.168.1.x → 10.0.20.x path)
- Technitium logs show real per-device IPs for analytics
**Split Horizon / Hairpin NAT fix (192.168.1.0/24 → *.viktorbarzin.me)**:
- TP-Link router does NOT support hairpin NAT — LAN clients can't reach the public IP (176.12.22.76) for non-proxied domains
- Technitium's Split Horizon `AddressTranslation` post-processor translates `176.12.22.76 → 10.0.20.200` (Traefik LB) in DNS responses for 192.168.1.0/24 clients
- DNS Rebinding Protection has `viktorbarzin.me` in `privateDomains` to allow the translated private IP
- Only affects non-proxied domains (ha-sofia, immich, headscale, etc.) — Cloudflare-proxied domains resolve to Cloudflare IPs and are unaffected
- Other clients (10.0.x.x, K8s pods) are NOT translated — they reach the public IP via pfSense outbound NAT
- Config synced to all 3 Technitium instances by CronJob `technitium-split-horizon-sync` (every 6h)
**K8s cluster DNS path**:
- CoreDNS forwards `.viktorbarzin.lan` to Technitium ClusterIP (10.96.0.53)
- CoreDNS forwards public queries to pfSense (10.0.20.1), 8.8.8.8, 1.1.1.1
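Review bot: the `privateDomains` bullet should state the scope of the exemption it documents: adding `viktorbarzin.me` to DNS Rebinding Protection tells readers the check is relaxed for that name, but not whether the relaxation covers all subdomains under it and whether it applies to every client or only to the 192.168.1.0/24 clients that receive the translated `10.0.20.200` answer; since the next bullets say other clients (10.0.x.x, K8s pods) are not translated, a reader needs that scope to judge what the protection still covers. Consider rewording along the lines of "DNS Rebinding Protection has `viktorbarzin.me` in `privateDomains` so the translated private IP is not dropped; this exempts <scope> from the rebinding check". It would also help to note beside the `technitium-split-horizon-sync` bullet that a change made on one instance can take up to 6h to reach the other two, and how to trigger the sync sooner if a manual path exists.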