How can I use public IPs on the LAN?
-
sticky (http://forum.pfsense.org/index.php/topic), System: Advanced:
If you want to be able to use NAT-mappings from within your own LAN, disable the checkbox "Disable NAT Reflection".
Thanks a ton. I have a public IP mapped to an internal LAN IP host/server on port 80. When my LAN machine tries to reach this server through the public IP it does not work. It works if I use the private IP or when I am trying to reach the server from outside the firewall.
If I disable the automatic creation of NAT redirect rules for access to your public IP addresses from within my internal networks, would this behavior disappear?
Am I on the right track here?
-
I'm not really sure what you mean.
To access your server via the public IP just uncheck, as several users already suggested, the "Disable NAT Reflection" checkbox.
Why would you want to disable the autocreation of NAT rules?
-
I am not sure I did… I think the disable checkbox "on" is the pfSense default from installation.
-
Yes.
By default the checkbox is "on" (meaning no reflection rules will be installed).
But you have to turn the box "off" (meaning the reflection rules will be installed).
-
Thanks - you are a hero!
-
I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.
I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
This is easy, especially since on every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
One DNS server for the public network queries, one DNS server for the private network queries.

Scenario:
Web server's private IP = 10.10.240.1
Web server's public IP NAT'd 1-to-1 through a firewall = 64.216.232.11
All hosts on the private 10.10.x.x/16 network have 10.10.240.100 as their primary DNS server in their TCP/IP configuration.
When a host queries for a name resolution, the server either knows it right off the bat because it's cached or because it's authoritative, or it goes directly to Root Hints and finds out.
Web server's Internet-valid FQDN: www.mydomain.com

Desired end result:
People out on the internet get to the web server via http://www.mydomain.com
People on the private ten-dot LAN want to get the web server with exactly the same name, http://www.mydomain.com

Tasks:
1. Create a static zone on the internal DNS server 10.10.240.100 for mydomain.com
2. Create an A record for www in the mydomain.com zone that resolves to 10.10.240.1
3. Test your work.
4. Have a beer, scotch, milk, or whatever it is you enjoy. ;)
-
Ah - the joys of Scotch. It's the next best thing since the earlier peg of scotch!!
I hope you don't mind my writing off the forum, because my notes might just be too flooding for people who are gurus there.
1. pfSense comes with a DNS package. Would you think that it will suffice?
2. My domain is hosted with 1and1 and I am using an http redirect to a specific IP; in such cases, would you say that this solution still holds?
3. I also have problems when people are trying to reach a public IP, for example 138.99.151.72:8085. I think there is some disclaimer about ports greater than 500 not working with reflection unless some more recipe is applied.
Any help will be appreciated.
-
You can use the DNS Forwarder of pfSense. Just make your local DNS server forward everything it doesn't find to pfSense and enter that override there.
Reflection does work for ports higher than 500, just not for port ranges(!) of more than 500 ports.
-
1. I just took a look at Services: DNS Forwarder in my pfSense box. It looks like you could create some records there to intercept LAN name queries.
a. A host on the LAN queries for www.mydomain.com
b. The DNS server for www.mydomain.com is an internet domain server, say out on 1&1
c. pfSense intercepts that query, because DNS Forwarder is turned on and IT is the primary DNS server as far as your LAN host is concerned
d. pfSense says "aha! I have an entry for www.mydomain.com that points back to this IP (on the LAN)" and gives it to your workstation host.
In this scenario, public hosts still get the public IP from 1&1, but private hosts - who ask the pfSense box for IPs when doing a DNS query - get whatever records you define there on the DNS Forwarder page.
2. I'm not sure what you mean by the http redirect, etc. - but yes, I think it should still hold.
3. Create a name for that IP! 138.99.151.72
a. Create a name at 1&1 that serves the public network, eightyeightyfive.yourdomain.com for example, that resolves to 138.99.151.72
b. Create a record on pfSense's DNS Forwarder page that will intercept LAN host queries for eightyeightyfive.yourdomain.com - it will NOT give them 138.99.151.72, it will give them whatever the private IP is for that server.
-
Wow - Kris, this is magic and you are such a good explainer. I am sure you teach well to anyone who comes for your help in your area.
Many thanks again. I feel the above explanation could be somewhere in a howto.
My best regards
Anil Garg
-
Quote:
I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.
I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
This is easy, especially since on every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
One DNS server for the public network queries, one DNS server for the private network queries.

If you just have a single server, then I agree.
But I think it just depends on what you are trying to accomplish.
If you have multiple servers which are all on the same domain name but have a different IP in your private subnet, you will have a problem doing that without NAT-reflection.
Of course you could always create new "pseudo-domain-names" just for internal use like mailserver.mydomain.com or webserver.mydomain.com and forward them to the corresponding server.
-
This is a great idea too because in the real world, each server has a unique primary function.
Nice idea.
-
Tried all that and unfortunately it is not working for me. I have been using pfSense for about 2 years now and have had very mixed results with getting NAT reflection to work (or at least whatever workaround was popular at the time). I have "Disable NAT Reflection" unchecked, and I tried the method you listed of adding the domain to the DNS Forwarder. Any help or tips would be greatly appreciated. The network looks like this:
pfSense --> Apache server:80 (accessible from outside the LAN but not from the inside)
--> other machines
[config.xml dump trimmed to the two entries the thread discusses: the NAT port forward for the web server and the DNS Forwarder host override]
<rule><protocol>tcp/udp</protocol> <external-port>80</external-port> <target>192.168.1.3</target> <local-port>80</local-port> <interface>wan</interface> <descr>Apache Zen Server</descr></rule>
<dnsmasq><enable></enable> <hosts><host>zenstudios.blogdns.org</host> <domain>zenstudios.blogdns.org</domain> <ip>192.168.1.3</ip> <descr>Zen Server Website</descr></hosts></dnsmasq>
-
You tried it wrong
Did you read this thread: http://forum.pfsense.org/index.php/topic,8700.msg48871.html#msg48871 ?
You have an entry to redirect http://zenstudios.blogdns.org.zenstudios.blogdns.org right now.
You need something more along the lines of this:
<hosts><host></host> <domain>psymia.mine.nu</domain> <ip>10.0.0.10</ip></hosts>
<hosts><host>www</host> <domain>psymia.mine.nu</domain> <ip>10.0.0.10</ip></hosts>
- <hosts><host><domain>psymia.mine.nu</domain>
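An added example (not code from pfSense or from anyone in this thread) that ties the split-horizon idea, the DNS Forwarder interception steps and the last reply's point together: it parses host override entries in the shape pfSense 1.2 config.xml uses (host, domain, ip), shows which name each override really answers for, flags an entry whose host field already holds the domain (which is why zenstudios.blogdns.org.zenstudios.blogdns.org appeared above), and simulates LAN clients getting the private IP while everyone else gets the public one. The XML snippet and the public IPs are constructed sample data.

```python
"""Split-horizon check for pfSense DNS Forwarder (dnsmasq) host overrides.

Added example; the XML and the public IPs are constructed sample data,
not taken from a real pfSense box.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the doubled-domain entry from the thread plus two good ones.
SAMPLE_XML = """<dnsmasq><enable/>
<hosts><host>zenstudios.blogdns.org</host><domain>zenstudios.blogdns.org</domain>
<ip>192.168.1.3</ip><descr>Zen Server Website</descr></hosts>
<hosts><host></host><domain>psymia.mine.nu</domain><ip>10.0.0.10</ip></hosts>
<hosts><host>www</host><domain>psymia.mine.nu</domain><ip>10.0.0.10</ip></hosts>
</dnsmasq>"""

# Constructed stand-in for the public zone (what Internet resolvers return).
PUBLIC_DNS = {"psymia.mine.nu": "203.0.113.11", "www.psymia.mine.nu": "203.0.113.11"}


def fqdn(host, domain):
    """dnsmasq answers for host.domain; an empty host means the bare domain."""
    return domain if not host else f"{host}.{domain}"


def parse_overrides(xml_text):
    """Return (fqdn, ip, warning) per <hosts> entry; warning is None when fine."""
    root = ET.fromstring(xml_text)
    result = []
    for entry in root.findall("hosts"):
        host = (entry.findtext("host") or "").strip().rstrip(".")
        domain = (entry.findtext("domain") or "").strip().rstrip(".")
        ip = (entry.findtext("ip") or "").strip()
        name = fqdn(host, domain)
        warning = None
        # The thread's mistake: the host field repeats the domain, so the
        # override answers for domain.domain and never matches the real name.
        if domain and (host == domain or host.endswith("." + domain)):
            warning = f"host field already holds the domain; override answers for {name}"
        result.append((name, ip, warning))
    return result


def resolve(name, overrides, public, lan_client):
    """Split horizon: a LAN client sees the override if one exists; otherwise
    the query is forwarded upstream and the public answer comes back."""
    table = {n: ip for n, ip, _ in overrides}
    if lan_client and name in table:
        return table[name]
    return public.get(name)


if __name__ == "__main__":
    overrides = parse_overrides(SAMPLE_XML)
    for name, ip, warning in overrides:
        print(f"{name:50} -> {ip}" + (f"   WARNING: {warning}" if warning else ""))
    for on_lan in (True, False):
        side = "LAN" if on_lan else "WAN"
        print(side, resolve("www.psymia.mine.nu", overrides, PUBLIC_DNS, on_lan))
```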