Netgate Discussion Forum

    Enabling loopback functionality

    NAT
    • Gloom

      I really should make sure I've had a second morning coffee before posting. I completely missed the bit about accessing the external address from inside the LAN  ;D

      Never underestimate the power of human stupidity

      • kevindd992002

        @cmb:

        Reflection is what you're looking for.
        http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

        Is there a disadvantage of using NAT reflection though?

        • Gloom

          Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.

          Never underestimate the power of human stupidity

          • kevindd992002

            @Gloom:

            Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.

            Ah ok. And in that case, split-DNS would be the better choice?

            • GruensFroeschli

              IMO if you have the possibility to use split DNS, you should use it.
              It works even if your WAN is down.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              • kevindd992002

                @GruensFroeschli:

                IMO if you have the possibility to use split DNS, you should use it.
                It works even if your WAN is down.

                Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?

                • Gloom

                  Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs, and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the pfSense box.
                  No need to alter the public DNS server if you are running one.

                  Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).

                  Never underestimate the power of human stupidity

                  • kevindd992002

                    @Gloom:

                    Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs, and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the pfSense box.
                    No need to alter the public DNS server if you are running one.

                    Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).

                    I actually use pfSense as my local DNS server for my LAN clients. Hmmm, not sure how to implement what you mentioned. Is it the same as split-DNS?

                    • GruensFroeschli

                      @kevindd992002:

                      @GruensFroeschli:

                      IMO if you have the possibility to use split DNS, you should use it.
                      It works even if your WAN is down.

                      Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?

                      If you have different internal servers but only one external name: they can't all have the same name.
                      If that is a requirement, then you will have to go the NAT reflection way.

                      I myself would set it up like this:
                      teamspeak.domain.com
                      mail.domain.com
                      gallery.domain.com
                      etc.
                      From outside they all resolve to the same IP (your WAN).
                      Internally they would all resolve to their respective server.

                      The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
                      Go to "Services: DNS forwarder".
                      Add in the "Host Overrides" list below the domains you want to redirect locally.

                      (example from my home setup:
                      m          may.nu     10.0.8.210
                      webserver  m.may.nu   10.0.8.210
                      c          m.may.nu   10.0.8.220
                      owncloud   m.may.nu   10.0.8.220
                      files      m.may.nu   10.0.8.230)

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      • kevindd992002

                        @GruensFroeschli:

                        @kevindd992002:

                        @GruensFroeschli:

                        IMO if you have the possibility to use split DNS, you should use it.
                        It works even if your WAN is down.

                        Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?

                        If you have different internal servers but only one external name: they can't all have the same name.
                        If that is a requirement, then you will have to go the NAT reflection way.

                        I myself would set it up like this:
                        teamspeak.domain.com
                        mail.domain.com
                        gallery.domain.com
                        etc.
                        From outside they all resolve to the same IP (your WAN).
                        Internally they would all resolve to their respective server.

                        The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
                        Go to "Services: DNS forwarder".
                        Add in the "Host Overrides" list below the domains you want to redirect locally.

                        (example from my home setup:
                        m          may.nu     10.0.8.210
                        webserver  m.may.nu   10.0.8.210
                        c          m.may.nu   10.0.8.220
                        owncloud   m.may.nu   10.0.8.220
                        files      m.may.nu   10.0.8.230)

                        Ahh, makes sense. So I have to make multiple dynamic DNS entries for each internal server.

                        I did try to use NAT reflection and it worked. What is its disadvantage compared to split-DNS?

                        • Gloom

                          Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
                          Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server, it's just a case of altering your IP from the WAN address to the internal addresses.

                          I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

                          Never underestimate the power of human stupidity

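The two approaches discussed above (GruensFroeschli's Host Overrides list and Gloom's point about which address the server sees and what passes through the firewall) can be modelled in a few lines. The following Python is an added example, not code from the thread or from pfSense: it reuses the thread's own override entries, but the WAN address, LAN subnet, firewall LAN address and port-forward table are constructed placeholders, and the source rewriting on reflection assumes pfSense's pure-NAT reflection with automatic outbound NAT, which is what is needed when client and server share a subnet.

```python
"""Added example (not from the thread): a small model of split DNS versus NAT
reflection for reaching port-forwarded internal servers from the LAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Host overrides exactly as listed in the thread's "Host Overrides" example:
# (host, domain, internal address).
HOST_OVERRIDES = [
    ("m", "may.nu", "10.0.8.210"),
    ("webserver", "m.may.nu", "10.0.8.210"),
    ("c", "m.may.nu", "10.0.8.220"),
    ("owncloud", "m.may.nu", "10.0.8.220"),
    ("files", "m.may.nu", "10.0.8.230"),
]

# Constructed values that the thread does not give: the public WAN address,
# the LAN subnet, the firewall's LAN address and a port-forward table.
WAN_IP = "203.0.113.10"
LAN_NET = ip_network("10.0.8.0/24")
FIREWALL_LAN_IP = "10.0.8.1"
PORT_FORWARDS = {443: "10.0.8.210", 8443: "10.0.8.220", 2222: "10.0.8.230"}


def fqdn_map(overrides):
    """Join host and domain the way the forwarder does: 'c' + 'm.may.nu' -> 'c.m.may.nu'."""
    return {f"{host}.{domain}".lower(): ip for host, domain, ip in overrides}


INTERNAL_BY_NAME = fqdn_map(HOST_OVERRIDES)


def resolve(name: str, client_ip: str) -> str:
    """Split-horizon view: a LAN client asking pfSense gets the override address,
    everyone else gets the public WAN address (what external DNS publishes)."""
    fqdn = name.rstrip(".").lower()
    if fqdn not in INTERNAL_BY_NAME:
        raise KeyError(f"no override for {fqdn}")
    if ip_address(client_ip) in LAN_NET:
        return INTERNAL_BY_NAME[fqdn]
    return WAN_IP


@dataclass(frozen=True)
class Flow:
    src: str            # source address the server sees
    dst: str            # destination address the packet ends up at
    via_firewall: bool  # whether the connection is relayed through pfSense


def connect_split_dns(client_ip: str, name: str) -> Flow:
    """LAN client with split DNS: resolves straight to the internal host and talks
    to it on the LAN, so the server logs the real client address."""
    dst = resolve(name, client_ip)
    return Flow(src=client_ip, dst=dst, via_firewall=ip_address(dst) not in LAN_NET)


def connect_nat_reflection(client_ip: str, port: int) -> Optional[Flow]:
    """LAN client without split DNS: the name resolves to WAN_IP, the reflection
    rule rewrites the destination per the port forward, and (assumption: pure-NAT
    reflection with automatic outbound NAT) the source becomes the firewall's LAN
    address, so the server logs the firewall rather than the client."""
    dst = PORT_FORWARDS.get(port)
    if dst is None:
        return None  # nothing forwarded on that port: the connection fails
    src = FIREWALL_LAN_IP if ip_address(client_ip) in LAN_NET else client_ip
    return Flow(src=src, dst=dst, via_firewall=True)


def overrides_outside_lan(overrides) -> list:
    """Sanity check for the Host Overrides list: an override whose target is not
    on the LAN would still send internal clients out through the firewall."""
    return [f"{h}.{d}" for h, d, ip in overrides if ip_address(ip) not in LAN_NET]


if __name__ == "__main__":
    for fqdn in INTERNAL_BY_NAME:
        print(f"{fqdn:20} LAN -> {resolve(fqdn, '10.0.8.50'):12} "
              f"Internet -> {resolve(fqdn, '198.51.100.7')}")
    print("split DNS:     ", connect_split_dns("10.0.8.50", "owncloud.m.may.nu"))
    print("NAT reflection:", connect_nat_reflection("10.0.8.50", 8443))
    print("bad overrides: ", overrides_outside_lan(HOST_OVERRIDES))
```

Running it shows the trade-off from the thread in concrete terms: with split DNS the LAN client reaches 10.0.8.220 directly and the server sees 10.0.8.50; with reflection the same connection is relayed by pfSense and the server sees 10.0.8.1, which is the troubleshooting and per-connection load cost Gloom mentions. The `overrides_outside_lan` check catches a mistyped override address before it silently sends LAN traffic the long way round.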
                          • kevindd992002

                            @Gloom:

                            Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
                            Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server, it's just a case of altering your IP from the WAN address to the internal addresses.

                            I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

                            Ah ok, I understand. This is only for a small home setup so I guess I'd be better off to just enable NAT reflection. Thanks!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.