Working in a local network with ports that are forwarded by NAT?
-
There is pfSense.
There is a WAN and a LAN.
There is a WEB server inside the LAN.
To access the WEB server correctly from the inside:
But there is also a reference from the outside, on other ports, to the mail server:
How can I get LAN users to use non-standard imaps_IMAP and SMTP_IMAP as well?
Tried different things. It does not work.
Help. -
@supervisor3000 Are the email accounts using that same hostname? Try nslookup. It will either resolve to that LAN IP or not. If it does clear the DNS cache on the LAN PC.
NAT reflection will also work but split DNS as you’ve done is usually better.
-
The host is resolved correctly.
To the local server address.
And consequently the server does not understand the changed port number.
What to do?
In Kerio Control it was enough to add, in the rule's source, not only the internet but also the local network.
Users are used to using their laptops both in and out of the office.
Do you need to reconfigure their settings? That's not serious. -
@supervisor3000 Can you explain the port question in more detail? I don’t understand.
NAT can change ports via the internal destination port. Split DNS cannot. If you’re using NAT to change the inbound port then don’t use split DNS, use the public IP, and enable reflection on those NAT rules.
-
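The point in the reply above, as an added example that is not part of the thread: a small Python model of how a port forward with a changed internal destination port behaves for WAN and LAN clients, with and without reflection, compared with split DNS. The addresses, ports and hostname are constructed for illustration, not the poster's real values.

```python
# Added example (not from the thread): models pfSense port forwards as data
# and evaluates a client connection the way the firewall would see it.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"     # constructed WAN address
MAIL_LAN_IP = "192.168.1.25"   # constructed mail server inside the LAN

@dataclass(frozen=True)
class PortForward:
    wan_dst_ip: str      # address the rule matches on (the WAN IP)
    wan_port: int        # external port clients connect to
    target_ip: str       # internal server
    target_port: int     # "internal destination port", may differ from wan_port
    reflection: bool     # NAT reflection enabled on this rule?

# Constructed rules: non-standard internal ports for IMAPS and SMTP submission.
RULES = [
    PortForward(PUBLIC_IP, 993, MAIL_LAN_IP, 9993, reflection=True),
    PortForward(PUBLIC_IP, 587, MAIL_LAN_IP, 2587, reflection=True),
]

# Ports the mail server actually listens on (constructed).
SERVER_LISTENS = {(MAIL_LAN_IP, 9993), (MAIL_LAN_IP, 2587)}

def translate(dst_ip, dst_port, from_lan, rules=RULES):
    """Return the (ip, port) a connection is delivered to after NAT.

    A LAN-originated connection only matches a port forward when reflection
    is on; a connection sent straight to a LAN address never matches one."""
    for r in rules:
        if r.wan_dst_ip == dst_ip and r.wan_port == dst_port:
            if from_lan and not r.reflection:
                return (dst_ip, dst_port)   # ends up at the WAN address itself
            return (r.target_ip, r.target_port)
    return (dst_ip, dst_port)

def reaches_service(dst_ip, dst_port, from_lan):
    """True if the connection lands on a port the mail server listens on."""
    return translate(dst_ip, dst_port, from_lan) in SERVER_LISTENS

def split_dns(hostname, from_lan):
    """Constructed split-DNS answer: LAN clients get the private address,
    so they connect to the LAN IP on the public port and bypass the NAT."""
    return MAIL_LAN_IP if from_lan else PUBLIC_IP
```

With split DNS a LAN client reaches `192.168.1.25:993`, which the server does not listen on; with the public IP and reflection enabled the same client is rewritten to `192.168.1.25:9993`.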
@steveits
Thank you so much.
Before the reflection was turned on, the internet access was fine under the rule:
But after enabling this rule, it didn't work.
I had to replace it with this (and internet access worked):
And I don't understand, why is that?! -
@supervisor3000 The top would allow port 53 to the LAN IP. The bottom allows 53 to any IP on the firewall, including the WAN IP or other interfaces. Presumably whatever is making DNS queries is now not using the LAN IP?
Reflection on a given NAT rule doesn't change anything on how other rules are processed.
-
@steveits said in Working in a local network with ports that are forwarded by NAT?:
@supervisor3000 The top would allow port 53 to the LAN IP. The bottom allows 53 to any IP on the firewall, including the WAN IP or other interfaces. Presumably whatever is making DNS queries is now not using the LAN IP?
Reflection on a given NAT rule doesn't change anything on how other rules are processed.
Of course, all LAN users continue to use the LAN IP as their gateway.
That's why I'm surprised that another rule was needed after the reflection!