Enabling loopback functionalty

Gloom · Jan 25, 2013, 12:09 PM

I really should make sure I've had a second morning coffee before posting. I completely missed the bit about accessing the external address from inside the LAN ;D

kevindd992002 · Jan 25, 2013, 12:53 PM

@cmb:

Reflection is what you're looking for.
http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Is there a disadvantage of using NAT reflection though?

Gloom · Jan 25, 2013, 1:03 PM

Not really. Unless you are sending lots of users out and back in and then it's more of a is the hardware up to it as reflection does increase the load per connection slightly.

kevindd992002 · Jan 25, 2013, 1:04 PM

@Gloom:

Not really. Unless you are sending lots of users out and back in and then it's more of a is the hardware up to it as reflection does increase the load per connection slightly.

Ah ok. And in that case, split-DNS would be the better choice?

GruensFroeschli · Jan 25, 2013, 1:26 PM

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

kevindd992002 · Jan 25, 2013, 1:39 PM

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP address that I want to setup a split-DNS to? Should I specify the same Host and Domain name for multiple split-DNS entries?

Gloom · Jan 25, 2013, 2:16 PM

Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the PFSense box.
No need to alter the public DNS server if you are running one.

Obviously you also need a rule to allow LAN traffic into the DMZ (If that is where they are hosted and best practice says that is where they should be)

kevindd992002 · Jan 25, 2013, 2:19 PM

@Gloom:

Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the PFSense box.
No need to alter the public DNS server if you are running one.

Obviously you also need a rule to allow LAN traffic into the DMZ (If that is where they are hosted and best practice says that is where they should be)

I actually use pfsense as my local DNS server for my LAN clients. Hmmm, not sure how to implement what you mentioned. Is it the same as split-DNS?

GruensFroeschli · Jan 25, 2013, 2:25 PM

@kevindd992002:

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP address that I want to setup a split-DNS to? Should I specify the same Host and Domain name for multiple split-DNS entries?

If you have different internal servers but only one external name: They can't all have the same name.
If that is a requirement then you will have to go the NAT reflection way.

I for myself would set it up a like this:
teamspeak.domain.com
mail.domain.com
gallery.domain.com
etc.
From external they resolve all to the same ip (your WAN).
Internally they would all resolve to their respective server.

The easiest way to achieve this: make sure all your clients use the pfSense as DNS-server.
Go to "Services: DNS forwarder"
Add in the "Host Overrides" list below your domains you want to redirect locally.

(example from my home-setup:
m may.nu 10.0.8.210
webserver m.may.nu 10.0.8.210
c m.may.nu 10.0.8.220
owncloud m.may.nu 10.0.8.220
files m.may.nu 10.0.8.230

kevindd992002 · Jan 25, 2013, 2:29 PM

@GruensFroeschli:

@kevindd992002:

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP address that I want to setup a split-DNS to? Should I specify the same Host and Domain name for multiple split-DNS entries?

If you have different internal servers but only one external name: They can't all have the same name.
If that is a requirement then you will have to go the NAT reflection way.

I for myself would set it up a like this:
teamspeak.domain.com
mail.domain.com
gallery.domain.com
etc.
From external they resolve all to the same ip (your WAN).
Internally they would all resolve to their respective server.

The easiest way to achieve this: make sure all your clients use the pfSense as DNS-server.
Go to "Services: DNS forwarder"
Add in the "Host Overrides" list below your domains you want to redirect locally.

(example from my home-setup:
m may.nu 10.0.8.210
webserver m.may.nu 10.0.8.210
c m.may.nu 10.0.8.220
owncloud m.may.nu 10.0.8.220
files m.may.nu 10.0.8.230

Ahh, makes sense. So I have to make multiple dynamic DNS entries for each internal server.

I did try to use NAT reflection and it worked. What is its disadvantage compared to split-DNS?

Gloom · Jan 25, 2013, 2:45 PM

Split DNS gives you direct wire speed access to your internal servers (I'm guessing your internal network is running a minimum 100 Mb links but your WAN connection is 10Mb). Makes trouble shooting connections much easier and causes less load on the firewall(s)
Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. I you have an internal DNS server it's just a case of altering your IP from the WAN address to the internal addresses.

I've no idea how you've got your external DNS setup but all you need to do is give all of them the external WAN IP which is what I assume you have now and let the different port based NATs sort out which server gets it.

kevindd992002 · Jan 25, 2013, 2:49 PM

@Gloom:

Split DNS gives you direct wire speed access to your internal servers (I'm guessing your internal network is running a minimum 100 Mb links but your WAN connection is 10Mb). Makes trouble shooting connections much easier and causes less load on the firewall(s)
Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. I you have an internal DNS server it's just a case of altering your IP from the WAN address to the internal addresses.

I've no idea how you've got your external DNS setup but all you need to do is give all of them the external WAN IP which is what I assume you have now and let the different port based NATs sort out which server gets it.

Ah ok, I understand. This is only for a small home setup so I guess I'd be better off to just enable NAT reflection. Thanks!