this post was submitted on 28 Jun 2026
23 points (96.0% liked)
Selfhosted
60210 readers
832 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I have a reverse proxy set up already. The path from the outside goes:
DNS -> my IP -> reverse proxy -> server
I'm just wondering what happens when my own devices on the same network go to the domain.
You already have a bunch of NAT-level suggestions, so I wanted to mention there's an alternative solution: split-horizon DNS, or simply split DNS. Basically, you run a DNS server in your LAN (like pi-hole) which resolves to the private IP, so resolving externally and internally give different results. This way packets don't hit the router at all. You can also do a wildcard like
*.something.lanto avoid having to add a record for every service, and only configure your reverse proxy.What you are looking for is something called NAT Reflection/HairPin NAT/NAT loopback.
When you search for a "domain.example.com" your router loops you back at your reverse proxy and all the traffic remains "internal". Your website will still be externally accessible (the ones you setup to be).
Here's a example of how to set this up on PfSense router.
https://www.youtube.com/watch?v=ngwae1UvS-Q
Devices on your domain will typically do a DNS lookup, which gets your public IP. Then they connect to that public IP, which your router recognises and redirects back into your network. The router then forwards that to your reverse proxy.
If your router isnt doing that properly (timing out usually), look up a setting usually called "NAT loopback" or "NAT hairpinning". Thats the setting that detects your public IP, and redirects it back inward.
Also if you have your own net filter like PiHole or AdGuard Home with DNS rewrites set up, and you use it as a DNS server in WiFi settings, then it works a small bit differently. (I need to do this because my current ISP removed their DNS settings page for the new model). A public IP and NAT routing is never needed, as the device contacts the DNS server via the router Access Point, and the DNS server translates the service's FQDN into its internal IP. Aside from that, provided everything is set up correctly, all actual data packets go from device ←→ router ←→ service. If the router lost connection to the Internet this wouldn't break communications.
I had issues with that recently, I had a few of my internal services set to resolve internally, but pihole was making a mess of them and returning IPv6 addresses in addition to the IPv4 internal addresses. And then browsers would try use the broken ipv6 address and fail. I just happily rely on hairpinning now, it hardly makes a difference in the scheme of things.
https://en.wikipedia.org/wiki/Network_address_translation#NAT_hairpinning
TL;DR Your router sees you trying to reach your external address and routes the connection back to your LAN without leaving the network.
This does still depend on a functional internet connection however, as your client gets your public IP from a public DNS server over the Internet.
If you were to run a DNS server locally (I use pihole for this), you could have that DNS respond with your local IP, allowing clients within your LAN to resolve the name without needing to reach out to public DNS. This means your local connections will still work when your internet is down; it also provides more privacy by keeping those requests local and can let you make local-only names that aren't publicly listed.
Of the ~28 FQDNs in my setup, only 4 are public. The rest is local/vpn only and not publicly listed due the above. The reverse proxy then drops all connections that don't use one of those recognised names, before even completing the TLS handshake. (So direct connections from someone port scanning my IP or using a domain name someone else has pointed at my IP are completely ignored/dropped without response. The server doesn't even send the TLS cert so as to not expose the names defined in it.)
Your diagram is almost right, but I think it will help to understand more of the details. It's important to understand the difference between DNS (domain name lookup) and IP routing.
To break your diagram down more, this is what happens when any computer looks up your website:
That's all very simplified, of course.
As others pointed out, things may seem to work differently from the "inside", if hairpinning is not available or enabled. This is not related to DNS, but to IP routing. The firewall doing NAT can get confused and not know what to do when an internal request goes to an external IP that it itself has. When it turns that around and routes it back to the internal network, that's called hairpinning.
One "fix" for this, often used in enterprises, is to use so-called split DNS. All that means is that if you're asking your internal DNS server for an internal name, it will give you the internal address (192.168.1.123 for example), but an external client would get an external IP.
TL;DR: DNS and IP routing are separate concerns and happen at different parts of the TCP/IP stack.