
Routing of traffic when accessing my server via its public address



Posted

Hello, 

This is probably a more general network question, but since I ask this question in the context of using Emby, and I am worried about being shunned on StackOverflow or ServerFault, I ask it here instead :).

I have my server exposed to the public internet, sitting behind a dedicated domain I have purchased for this purpose.

All my devices are configured to connect to the server using this public domain. I do this because sometimes I'm not on my local network (where the server is housed), and then I don't want to reconfigure my device every time. This is especially the case for the less technically inclined members of my household, who also have devices set up. I like things to "just work".

My question is: How is traffic routed in the case where I connect to my server using its public domain, while I'm on the same local network?

I don't have any restrictions or limitations on my internet connection, but it would be rather silly if the traffic is routed all the way to my ISP, only to be routed back to my server, sitting in the closet next to me. I am also slightly worried if all that traffic goes through my ISP, maybe one day they'll start snooping and asking questions. Same goes for CloudFlare, whom I use as a cache and as my DNS for the domain itself.

Your illuminating answers will be greatly appreciated!

KMBanana
Posted

Depends on your router setup, but if you have Cloudflare set up to cache I suspect it's extraordinarily likely you are going out to the internet, to Cloudflare, and then back to your server.

You can do a tracert command to your domain to check the path of ordinary traffic.

On your home router I would set a DNS entry manually so your domain points to your local server address. (Router would need to advertise itself as the DNS server in DHCP for this to work). Devices like Chromecast which ignore DHCP DNS entries and just use Google's would still go out to the internet.

Q-Droid
Posted

You might be in luck. If your Emby server is configured correctly then devices running Emby apps can switch automatically and seamlessly between WAN and LAN connections. You don't have to change the app settings. At least Android apps do this. I don't know if others like Apple do the same.

If you're using Cloudflare to reverse proxy then connections to the public name are indeed going all the way out to CF and back to your server. If Cloudflare is DNS only then the connection would go to your WAN IP, in most cases as a NAT loopback/hairpin which doesn't leave the router. Browser connections will go where you send them, LAN or WAN.

 

Posted

Thanks for the responses so far!

I suspected that I might have to do something like set up my own DNS in order to force on-network traffic to stay within the network.

I have CF set up as a cache, for all the metadata assets (not the actual content - apparently they don't like that).

@Q-Droid, can you please elaborate on what I need to do in order to ensure that my server is set up correctly? If it's possible to do as you say in a transparent manner, then I'll be all for that.

But ultimately, I can probably just set my devices up with the IP address of the server, instead of the public name. My Android TV Chromecast never leaves home, and in the rare event where I might take it with me to some vacation spot, then it takes 2 minutes to set it up with the public name.

I rarely consume content with my phone/laptop while at home, so they can be set up with the public name. But again, actually logging out and reconfiguring the connection is not a lot of effort :)

CassTG
Posted

If you have a spare Raspberry Pi or are able to run a VPS locally, you could spin up an AdGuard instance (UI better than Pi-hole imho) then add a few DNS rewrite rules for local hosting, so if it was myemby.mydomain.com you would add that and point it to your Emby server. Obviously your router would need to point to your AdGuard instance for all DNS queries, but then you get network-wide ad removal / malware blocking etc. thrown in.

Q-Droid
Posted
26 minutes ago, getack said:

@Q-Droid, can you please elaborate on what I need to do in order to ensure that my server is set up correctly? If it's possible to do as you say in a transparent manner, then I'll be all for that.
:)  

It's pretty simple actually. If your Emby dashboard shows the correct LAN and WAN access URLs and they both work as expected then you're set. If your LAN is not segmented (single subnet) then server discovery should work for most devices. But even when you add the server manually in the apps they pull the connection details from the server and both the internal and external URLs are saved with the settings.

If you want to reference your LAN connection by name rather than IP you can do as others have suggested and have a local DNS entry for it. But it doesn't have to be the same as the public name.

rbjtech
Posted

It's difficult to say how it is 'working' without looking into your network specifics, but the way this 'should' work is a thing called a loopback NAT - its non-techy name is a 'hairpin'.

DNS is resolved externally (as it should be), but the router will know that the external IP is actually your own IP and thus it loops it back onto your LAN rather than go out to your ISP.

The easiest way to check this is simply do a traceroute to the WAN IP - if you see it hit your WAN IP on the first hop - then it proves it is looping back. If it goes to other WAN addresses via your gateway/router, then it's not.. :)

But Q-Droid has the best answer - you should configure both LAN and WAN addresses on the clients, that way, LAN traffic (even DNS) will stay local if using the LAN - which keeps usage away from prying ISPs.
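
The traceroute check described in the post above, written as a small parser over saved `traceroute`/`tracert` output; this is an added example, not part of the original post. The addresses are constructed documentation-range values and `classify_path` is a hypothetical helper name.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also
# covers the documentation ranges used in the constructed samples below.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: Windows tracert where hop 1 is already the WAN IP.
HAIRPIN_TRACE = """Tracing route to 203.0.113.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  203.0.113.10
"""
# Constructed sample: Linux traceroute that crosses ISP routers first.
EXTERNAL_TRACE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max
 1  192.168.1.1 (192.168.1.1)  0.41 ms  0.39 ms  0.37 ms
 2  * * *
 3  isp-gw.example.net (198.51.100.1)  8.1 ms  8.0 ms  7.9 ms
 4  203.0.113.10 (203.0.113.10)  9.2 ms  9.1 ms  9.0 ms
"""


def parse_hops(trace_text):
    """Return [(hop_number, ip_or_None)] from traceroute/tracert output."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        found = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), found.group(0) if found else None))
    return hops


def classify_path(trace_text, wan_ip):
    """'hairpin', 'external', or 'inconclusive' for a trace to wan_ip."""
    for _, ip in parse_hops(trace_text):
        if ip is None:
            continue  # hop timed out (* * *)
        if ip == wan_ip:
            return "hairpin"   # reached the target before any outside hop
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in LAN_NETS):
            return "external"  # a public hop that is not our own WAN IP
    return "inconclusive"
```

A hop in the carrier-grade NAT range (100.64.0.0/10) counts as external here, since it belongs to the ISP rather than the home LAN.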

Posted

Thanks for the follow-up responses.

Running a traceroute on my domain lists a bunch of IPs and addresses associated with my ISP, and even further into the networking infrastructure in my country. So I guess my router does not do the hairpin thing.

I can set up custom DNS on my router, and maybe one day I'll finally get a PiHole setup, and then redo the DNS on there. But as others have pointed out, certain devices (like my Chromecast) will ignore whatever DNS server is set by DHCP, and they'll just go and use their own. I primarily use my chromecast to watch media at the moment. So I've reconfigured my Emby App on there to use the server's IP address and port. It's imo the simpler solution, and now at least I'm guaranteed that I don't route all my traffic half way around the planet.
