I’ve got Immich working great on Unraid, but if I’m on my network I can’t really use it. It just fails to resolve the DNS. I looked it up and it’s that my router doesn’t support hairpin or something. It’s an Aginet HB810. I found a workaround in the Immich client where you can add a second entry that’s network specific, but it doesn’t seem to work very reliably.
What are my options?
Are you interested in the networking side of self hosting? If so, you should get a better router, something you can run OPNsense or similar on. There are other “options”, but they’re workarounds that avoid fixing the real problem.
On your LAN DNS server (say, Pi-hole), you could add an A record for your Immich’s domain name that points to the internal IP address, so clients on your LAN would simply resolve the LAN IP instead of trying to do fancy NATting. Make sure your browser doesn’t try to do DNS over HTTPS, which would skip your local DNS.
Or you could run everything on a mesh VPN like Tailnet. That way the (VPN) IP of the Immich server doesn’t change, and the Tailnet will route the traffic over your LAN when your clients are local.
Ahh, so basically take DNS off the Aginet router.
Yeah, set up a Pi-hole container/server to do DHCP and disable it on your router. The documentation should cover it, but you have to use network_mode: host in order for it to do DHCP.
You can then add an A record entry for your Immich server’s domain name pointing to the LAN IP and so any device on your LAN will resolve its domain to the LAN IP.
You also get Pi-hole DNS filtering/adblock and, probably, a larger DNS cache than what the router provides.
The term you would search for here is “split-horizon DNS”. Assuming you’re using a real domain name with hosts, you want a DNS server inside that resolves the LAN address, and the outside DNS server for everyone else resolves your WAN address (which presumably you reverse-proxy to the inside host).
Even better is to not expose the service at all from the outside, use a VPN like Tailscale, and then use their MagicDNS service on the Tailscale network to keep everything behind the firewall.
Every service you expose to the outside is more attack surface.
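A small check for the split-horizon setup described in this thread, added here as an example and not posted by anyone in the thread: it compares what the LAN resolver (Pi-hole) and a public resolver answer for the same hostname and reports the classic misconfigurations, namely the LAN view handing out the WAN address (which is exactly when a client needs hairpin NAT), a private address leaking into public DNS, and both views agreeing (the symptom of a browser bypassing the local resolver via DNS over HTTPS). The hostname and all addresses are constructed placeholders, and the live helper only uses whatever resolver the machine is already configured with.

```python
"""Audit split-horizon DNS answers for a self-hosted service such as Immich.

Added example; hostname and addresses below are constructed placeholders,
not values from the thread or from any real deployment.
"""
import ipaddress
import socket

# Address ranges that belong on the LAN view only and must never be handed
# out by public DNS: RFC 1918, loopback and link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample answers: what each resolver returned for the same name.
SAMPLE_HOST = "immich.example.com"        # placeholder domain
SAMPLE_LAN_ANSWERS = ["192.168.1.50"]     # answer from the LAN resolver (Pi-hole)
SAMPLE_PUBLIC_ANSWERS = ["203.0.113.7"]   # answer from a public resolver (TEST-NET-3 range)


def is_internal(addr: str) -> bool:
    """True if the address should only ever be visible on the LAN view."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit_split_horizon(lan_answers, public_answers):
    """Return a list of findings; an empty list means split horizon looks right."""
    findings = []
    if not lan_answers:
        findings.append("LAN resolver returned no answer: the local A record is "
                        "missing or this client is not using the LAN resolver")
    elif not all(is_internal(a) for a in lan_answers):
        findings.append("LAN resolver returned a public address: LAN clients will "
                        "go out and back through the router, which needs hairpin NAT")
    if any(is_internal(a) for a in public_answers):
        findings.append("public DNS exposes an internal address: keep that record "
                        "on the LAN resolver only")
    if lan_answers and public_answers and set(lan_answers) == set(public_answers):
        findings.append("both views return the same answer: split horizon is not "
                        "in effect (DNS over HTTPS bypass or wrong resolver?)")
    return findings


def resolve_with_system_resolver(host: str):
    """Ask whichever resolver this machine is configured with (IPv4 only).

    Use this as the LAN-side input when running on a LAN client; it returns an
    empty list instead of raising when the name does not resolve.
    """
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Offline run over the constructed sample answers.
    for finding in audit_split_horizon(SAMPLE_LAN_ANSWERS, SAMPLE_PUBLIC_ANSWERS) or ["ok"]:
        print(f"{SAMPLE_HOST}: {finding}")
```

To use it against a real setup, feed `audit_split_horizon` the result of `resolve_with_system_resolver` from a LAN client as the first argument and the answer obtained from a public resolver (for example via an online DNS lookup) as the second; a browser with DNS over HTTPS enabled will typically trigger the "same answer" finding even though Pi-hole itself is configured correctly.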