Internal traffic all shows router IP address

Hello! New Vaultwarden user here, switching over from LastPass (I’m sure there are going to be a lot of us in the coming days/weeks).

I’ve spent most of this week researching/learning and getting everything set up. I’ve got VW running in the Docker container on my (on-prem) Linux server behind my Apache reverse proxy and everything seems to be working great (web vault, browser extensions, mobile apps, websocket notifications, e-mails, etc. etc.). I’m very impressed and am now wondering why I stuck with LP for so long (12 years!).

Anyway, the one thing I can’t quite figure out is why devices on my internal (home wireless) network all get logged as my router’s IP address (192.168.1.1). Not a huge deal, except I also set up fail2ban and a few times already accidentally ended up banning that IP and then all internal traffic to VW stopped working. Also, that IP shows up in e-mails like “a new device signed in.” Again, not a huge issue since it’s all internal, and external traffic (i.e., if I turn off WiFi on my phone) is all logged properly.

After researching in these forums and the internet at large I’ve tried playing around with the ip_header settings, between X-Real-IP and X-Forwarded-For and have the RequestHeader stuff in the Apache config, but just can’t seem to figure out the magic combination to get the actual device IP logged.

I’m wondering if it’s related to my network config. I have the (typical?) three VLAN setup (primary, guest, IoT) so I’m trying to look at all the various firewall rules on my ER-X from when I set this all up years ago to see if it’s something with NAT/hairpin, etc.

Any hints? And thanks!

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.27.0
* Web-vault version: v2022.12.0
* Running within Docker: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: true (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.39.2
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

Arrgh.

Of course right after posting this I was checking some other of my Apache logs (for my sites not behind the reverse proxy) and wouldn’t you know it all internal traffic to Apache shows the router IP. Apparently I’ve just never noticed before.

So this probably isn’t a VW thing but something else on the network/Apache side of things. :frowning:

This is probably due to your router masquerading the traffic through hairpin loopback as you’re not using a split DNS setup where the external addresses are resolved to internal IP addresses. And as your firewall is NATing the traffic, its IP address will show up in logs instead of your internal devices’ IP addresses.

Yeah, I figured it was probably that, so a bigger issue than just VW for me.

Need to determine if I feel like going down that rabbit hole again (replacing hairpinning with DNAT on my ER-X) or I just leave it and deal with the internal-only traffic issue.

I was able to set up split DNS using my Pi-Hole. Added entries for each of my internal site URIs (including Vaultwarden) to avoid the hairpin/masquerade and now I’m seeing local client IP addresses in the Apache logs, so VW should start using those in fail2ban, e-mails, etc.

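As an added example (not code from the thread or from Vaultwarden), a small Python check for the symptom described above: it parses Apache combined-format access log lines, reports what share of requests are attributed to the gateway (192.168.1.1, as in the thread), and verifies that after the split-DNS fix the vault hostname resolves to a LAN address. The sample log lines are constructed, and counting 4xx responses as "failures" is an assumed stand-in for what a fail2ban jail would accumulate.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log format: the client IP is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): four hairpinned internal
# requests that all arrive as the gateway, plus one genuine external client.
SAMPLE_LOG = """\
192.168.1.1 - - [10/Jan/2023:20:01:02 +0000] "POST /identity/connect/token HTTP/1.1" 400 123
192.168.1.1 - - [10/Jan/2023:20:01:09 +0000] "GET /api/sync HTTP/1.1" 200 4521
192.168.1.1 - - [10/Jan/2023:20:01:15 +0000] "POST /identity/connect/token HTTP/1.1" 400 123
203.0.113.42 - - [10/Jan/2023:20:02:00 +0000] "POST /identity/connect/token HTTP/1.1" 200 987
192.168.1.1 - - [10/Jan/2023:20:02:30 +0000] "GET /notifications/hub HTTP/1.1" 101 0
"""

def parse_log(text):
    """Yield (ip, request, status) for each line matching the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["req"], int(m["status"])

def hairpin_report(text, gateway_ip, threshold=0.5):
    """Flag the hairpin-NAT symptom: most requests appear to come from the gateway.

    4xx responses are an assumed stand-in for the failures a fail2ban jail counts
    (the real jail reads Vaultwarden's own log), so treat this as an indicator."""
    per_ip, failures = Counter(), Counter()
    for ip, _req, status in parse_log(text):
        per_ip[ip] += 1
        if 400 <= status < 500:
            failures[ip] += 1
    total = sum(per_ip.values())
    share = per_ip[gateway_ip] / total if total else 0.0
    return {
        "total": total,
        "clients": dict(per_ip),
        "gateway_share": share,
        "gateway_failures": failures[gateway_ip],
        # A ban on the gateway would cut off every internal device at once.
        "hairpin_suspected": share >= threshold,
    }

def split_dns_ok(resolved_ip):
    """After the split-DNS fix the vault hostname should resolve to a LAN address."""
    return ipaddress.ip_address(resolved_ip).is_private
```

Run `hairpin_report` over a real access log once before and once after changing DNS: the gateway share should drop from near 1.0 to near 0 for LAN clients when the hairpin is gone.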