Netgate Discussion Forum

Why isn't it possible to access NATed services by the public IP address from LAN

NAT
Jesse7
last edited by Nov 8, 2005, 9:10 PM

Thanks Sullrich. I read the entire FAQ about 4 months ago when I was new to PF; I guess I forgot about it.
Cyrandir
last edited by Nov 9, 2005, 12:37 AM

I think this should be included at some point. I know 1.0 is the priority right now and that's fine, but at some point this would be useful.
Jesse7
last edited by Nov 9, 2005, 12:46 AM

I may be a little confused, but yeah, it would be useful for testing if you don't have access to a separate internet connection at least.
Sharaz
last edited by Nov 9, 2005, 2:36 AM

I'm not sure why you would access something that is already on your local LAN via its external IP address? (Well, I guess other than for testing.)

Jonathan
Guest
last edited by Nov 9, 2005, 3:49 AM

Usually because there is one DNS name and that is for an outside address. Yes, there are ways around this, but they are a hassle.
lsf
last edited by Nov 9, 2005, 9:08 AM

Well, this is how NAT works; you can't easily traverse it out and back in. So unless someone writes a patch to accomplish this, I'd say no.
But to say never is a bit strong. Although I would not like my firewall doing this. For testing you should either get someone to test for you, or have a second link (dialup or whatever) to test with.
Another thing is that testing from the inside will never be the same as testing from the outside. Doing so will often give you more grief than you would like.
I know this from learning it the hard way: stuff working on the inside of our network just not when crossing the border gateway, or testing stuff with DNS and using our own DNS in the process.

My vote on this kind of function would be no. It's just another "footshooting feature" in my opinion.

-lsf
sniffer
last edited by Nov 9, 2005, 2:07 PM

@Sharaz:

I'm not sure why you would access something that is already on your local LAN via its external IP address? (Well, I guess other than for testing.)

1. To test external DNS
2. To test some rules (the rules are not the same via the LAN NIC and the OPT1 NIC)

But with a proxy it's possible to test it, but you have to search for an active proxy…

Thanks all for your answers
sullrich
last edited by Nov 9, 2005, 4:56 PM

@sniffer:

@Sharaz:

I'm not sure why you would access something that is already on your local LAN via its external IP address? (Well, I guess other than for testing.)

1. To test external DNS
2. To test some rules (the rules are not the same via the LAN NIC and the OPT1 NIC)

But with a proxy it's possible to test it, but you have to search for an active proxy…

Thanks all for your answers

Has anyone stopped to think of the ramifications of this feature? ALL traffic that would have been to the LAN would be sent THROUGH the firewall. What good is that when you could simply run split DNS and keep all traffic LOCAL?
sniffer
last edited by Nov 9, 2005, 6:29 PM

Yeah, but a modified /etc/hosts doesn't prove that the external DynDNS is OK.
And it doesn't prove the firewall ruleset is OK to reach the web server in the DMZ via the WAN interface…

If I understand what you're telling me (I'm very bad in English)
sullrich
last edited by Nov 9, 2005, 6:34 PM

@sniffer:

Yeah, but a modified /etc/hosts doesn't prove that the external DynDNS is OK.
And it doesn't prove the firewall ruleset is OK to reach the web server in the DMZ via the WAN interface…

If I understand what you're telling me (I'm very bad in English)

Use the DNS forwarder to override hosts, not /etc/hosts. This is the same as m0n0wall. Check their docs out for more information.
sniffer
last edited by Nov 9, 2005, 6:51 PM

Ok, I will read up on this DNS Forwarder…
Thanks for your support!
Sharaz
last edited by Nov 9, 2005, 10:03 PM

@sullrich:

Has anyone stopped to think of the ramifications of this feature? ALL traffic that would have been to the LAN would be sent THROUGH the firewall. What good is that when you could simply run split DNS and keep all traffic LOCAL?

LMAO, and what if you have one of those accounts where you pay by the megabit?? Oops!

Jonathan
tmueko
last edited by Nov 10, 2005, 7:21 AM

It is possible, but not always useful:
Let's say 192.168.1.0/24 is the LAN net with hosts x.x.x.1 (A) and x.x.x.2 (B); 172.16.1.1 (C) is the address of WAN. You have a NAT rule to pass port X to x.x.x.1. Normal traffic from x.x.x.2 to 172.16.1.1 would be forwarded without NAT, and the answer would be sent from x.x.x.1 back to x.x.x.2: bang. Make a NAT rule on the LAN interface to rewrite all traffic from x.x.x.2 to x.x.x.1 to come from 172.16.1.1.
Now traffic comes from A to C, gets rewritten, and the packet travels from C to B with the source address of C. The answer from B will be sent back to C and then, after NAT, back to A with the source address of C…
clear :-))

tmueko
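A small model of the two packet flows tmueko describes, added here as an illustration; it is not code from the thread or from pfSense. It follows the first paragraph's labels (A = 192.168.1.1 is the port-forward target, B = 192.168.1.2 is the LAN client, C = 172.16.1.1 is the WAN address); the single-/24 direct-delivery shortcut, the reply-acceptance rule and the shape of the translation table are simplifying assumptions of the model.

```python
# Added example (not from the thread): NAT reflection with and without the extra
# LAN-side source NAT rule. Addresses are the ones tmueko used; everything else
# is a simplifying assumption of this model.
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str


SERVER = "192.168.1.1"   # host A, the port-forward target
CLIENT = "192.168.1.2"   # host B, a client on the same LAN
WAN_IP = "172.16.1.1"    # C, the firewall's WAN address


def same_subnet(a: str, b: str) -> bool:
    """Assumed /24: hosts on one subnet deliver directly, bypassing the firewall."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def run_session(source_nat_on_lan: bool) -> tuple[str, bool, bool]:
    """Return (source address B sees on the reply, whether B accepts the reply,
    whether the reply had to cross the firewall)."""
    # The firewall remembers how it rewrote the request so it can undo it on the
    # reply: (reply src, reply dst) -> (untranslated src, untranslated dst).
    state: dict[tuple[str, str], tuple[str, str]] = {}

    request = Packet(CLIENT, WAN_IP)            # B connects to the public address
    new_dst = SERVER                            # port forward: C -> A
    new_src = WAN_IP if source_nat_on_lan else request.src   # tmueko's LAN NAT rule
    state[(new_dst, new_src)] = (request.dst, request.src)
    at_server = Packet(new_src, new_dst)

    reply = Packet(at_server.dst, at_server.src)          # A answers whoever it saw
    crossed_firewall = not same_subnet(reply.src, reply.dst)
    if crossed_firewall:
        reply = Packet(*state[(reply.src, reply.dst)])    # undo the translation
    # B only accepts a reply that comes from the address it originally sent to;
    # without the source rewrite it sees A's LAN address instead and the
    # connection fails ("bang"). With it, every packet crosses the firewall.
    return reply.src, reply.src == request.dst, crossed_firewall


if __name__ == "__main__":
    for reflect in (False, True):
        print(f"source NAT on LAN={reflect}:", run_session(reflect))
```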
billm
last edited by Nov 11, 2005, 4:35 AM

@Sharaz:

@sullrich:

Has anyone stopped to think of the ramifications of this feature? ALL traffic that would have been to the LAN would be sent THROUGH the firewall. What good is that when you could simply run split DNS and keep all traffic LOCAL?

LMAO, and what if you have one of those accounts where you pay by the megabit?? Oops!

Won't go out the WAN, just go through the firewall instead of staying on the local wire.

–Bill

pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette
sullrich
last edited by Nov 11, 2005, 5:21 PM

@billm:

@Sharaz:

@sullrich:

Has anyone stopped to think of the ramifications of this feature? ALL traffic that would have been to the LAN would be sent THROUGH the firewall. What good is that when you could simply run split DNS and keep all traffic LOCAL?

LMAO, and what if you have one of those accounts where you pay by the megabit?? Oops!

Won't go out the WAN, just go through the firewall instead of staying on the local wire.

–Bill

Yup, and simply burn up your firewall's throughput.
sullrich
last edited by Nov 12, 2005, 6:54 PM

Thanks to http://www.gsihosting.com/ we now have this feature. I would like to thank GSI Hosting for sponsoring the feature. This feature is now in RELENG_1 and will appear in the next version.
sniffer
last edited by Nov 29, 2005, 9:05 PM

Good news!

Thanks to all the team and gsihosting.com!
sullrich
last edited by May 6, 2006, 6:06 PM

Not to drag out an old subject, but this message is to alert the userbase that gsihosting skipped out on paying their bill. pfSense does not recommend using these guys for anything.

Pretty bad to screw over an open source project…. If you or anyone you know uses gsi, please ask them to let their hosting provider know how bad it is to basically cut off all communication and not pay their bill when we spent a LOT of time on this feature.
rsw686
last edited by May 11, 2006, 2:08 AM

@sullrich:

@sniffer:

@Sharaz:

I'm not sure why you would access something that is already on your local LAN via its external IP address? (Well, I guess other than for testing.)

1. To test external DNS
2. To test some rules (the rules are not the same via the LAN NIC and the OPT1 NIC)

But with a proxy it's possible to test it, but you have to search for an active proxy…

Thanks all for your answers

Has anyone stopped to think of the ramifications of this feature? ALL traffic that would have been to the LAN would be sent THROUGH the firewall. What good is that when you could simply run split DNS and keep all traffic LOCAL?

Split DNS is possible if you have multiple IPs. I only have 1 and multiple servers on a VMware Server box. This is my home network and I don't have money to spend on multiple IPs. So there's no easy way to separate traffic to the same hostname on different ports to different machines without this feature. Yes, you can go directly to the machine name, but for mail it's a pain to switch back and forth when you're inside and outside the network. Same with web applications that have a hard-coded address (Gallery is just one of them).
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.