Netgate Discussion Forum

Enabling loopback functionality

NAT
Gloom
last edited by Jan 25, 2013, 12:09 PM

I really should make sure I've had a second morning coffee before posting. I completely missed the bit about accessing the external address from inside the LAN ;D

Never underestimate the power of human stupidity
kevindd992002
last edited by Jan 25, 2013, 12:53 PM

@cmb:

Reflection is what you're looking for.
http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Is there a disadvantage of using NAT reflection though?
Gloom
last edited by Jan 25, 2013, 1:03 PM

Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.

Never underestimate the power of human stupidity
kevindd992002
last edited by Jan 25, 2013, 1:04 PM

@Gloom:

Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.

Ah ok. And in that case, split-DNS would be the better choice?
GruensFroeschli
last edited by Jan 25, 2013, 1:26 PM

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
kevindd992002
last edited by Jan 25, 2013, 1:39 PM

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?
Gloom
last edited by Jan 25, 2013, 2:16 PM

Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the PFSense box.
No need to alter the public DNS server if you are running one.

Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).

Never underestimate the power of human stupidity
kevindd992002
last edited by Jan 25, 2013, 2:19 PM

@Gloom:

Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the PFSense box.
No need to alter the public DNS server if you are running one.

Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).

I actually use pfsense as my local DNS server for my LAN clients. Hmmm, not sure how to implement what you mentioned. Is it the same as split-DNS?
GruensFroeschli
last edited by Jan 25, 2013, 2:25 PM (posted Jan 25, 2013, 2:23 PM)

@kevindd992002:

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?

If you have different internal servers but only one external name: they can't all have the same name.
If that is a requirement then you will have to go the NAT reflection way.

I myself would set it up like this:
teamspeak.domain.com
mail.domain.com
gallery.domain.com
etc.
From external they all resolve to the same IP (your WAN).
Internally they would all resolve to their respective server.

The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
Go to "Services: DNS forwarder".
Add the domains you want to redirect locally to the "Host Overrides" list below.

(example from my home setup:)
Host       Domain    IP
m          may.nu    10.0.8.210
webserver  m.may.nu  10.0.8.210
c          m.may.nu  10.0.8.220
owncloud   m.may.nu  10.0.8.220
files      m.may.nu  10.0.8.230

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
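To make the split-DNS idea in the post above concrete, here is an added Python model (not the poster's configuration and not pfSense code). It takes the host-override table from the post, answers the same name differently for a LAN client and an outside client, and audits a list of port-forwarded public names for entries that would still send LAN clients out to the WAN address, which is exactly the case where NAT reflection becomes necessary. The WAN address 203.0.113.10, the 10.0.8.0/24 LAN and the list of forwarded names (including gallery.m.may.nu) are assumptions; the override table is the poster's own example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the host-override table from the post above, as
# (host, domain, IP) entered under Services: DNS forwarder -> Host Overrides.
HOST_OVERRIDES: List[Tuple[str, str, str]] = [
    ("m", "may.nu", "10.0.8.210"),
    ("webserver", "m.may.nu", "10.0.8.210"),
    ("c", "m.may.nu", "10.0.8.220"),
    ("owncloud", "m.may.nu", "10.0.8.220"),
    ("files", "m.may.nu", "10.0.8.230"),
]

# Assumed values (not from the post): public WAN address, LAN subnet and the
# public names that have port forwards on the WAN. gallery.m.may.nu is
# deliberately left without an override to show what the audit reports.
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_NET = ipaddress.ip_network("10.0.8.0/24")
FORWARDED_NAMES = [
    "webserver.m.may.nu",
    "owncloud.m.may.nu",
    "files.m.may.nu",
    "gallery.m.may.nu",
]


def build_override_map(overrides) -> Dict[str, ipaddress.IPv4Address]:
    """Join host and domain into a lower-cased FQDN key mapped to an IP address."""
    return {
        f"{host}.{domain}".lower(): ipaddress.ip_address(ip)
        for host, domain, ip in overrides
    }


def resolve(name, client_ip, overrides, wan_ip, lan_net):
    """Split-horizon answer: a LAN client asking the forwarder gets the override
    if one exists; everyone else only sees the public record, i.e. the WAN IP."""
    fqdn = name.rstrip(".").lower()
    if ipaddress.ip_address(client_ip) in lan_net and fqdn in overrides:
        return overrides[fqdn]
    return wan_ip


def audit_overrides(forwarded_names, overrides, wan_ip, lan_net) -> List[str]:
    """Return findings for forwarded names that are not served locally.
    - no override: LAN clients resolve the WAN IP and need NAT reflection
    - override equals the WAN IP: the same hairpin, just written by hand
    - override outside the LAN: likely a typo (or a host on another interface)
    An empty list means every forwarded name resolves to a LAN address internally."""
    findings = []
    for name in forwarded_names:
        fqdn = name.rstrip(".").lower()
        if fqdn not in overrides:
            findings.append(f"{fqdn}: no host override, LAN clients will hairpin via {wan_ip}")
            continue
        target = overrides[fqdn]
        if target == wan_ip:
            findings.append(f"{fqdn}: override points at the WAN IP, reflection still required")
        elif target not in lan_net:
            findings.append(f"{fqdn}: override {target} is outside {lan_net}, check it")
    return findings


if __name__ == "__main__":
    table = build_override_map(HOST_OVERRIDES)
    print("LAN client :", resolve("webserver.m.may.nu", "10.0.8.50", table, WAN_IP, LAN_NET))
    print("Internet   :", resolve("webserver.m.may.nu", "198.51.100.7", table, WAN_IP, LAN_NET))
    for finding in audit_overrides(FORWARDED_NAMES, table, WAN_IP, LAN_NET):
        print("audit:", finding)
```

The audit is the part worth keeping: every public name that has a port forward needs its own override row, otherwise that one service quietly falls back to going out the WAN and back in.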
kevindd992002
last edited by Jan 25, 2013, 2:29 PM

@GruensFroeschli:

@kevindd992002:

@GruensFroeschli:

IMO if you have the possibility to use split DNS, you should use it.
It works even if your WAN is down.

Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split-DNS for? Should I specify the same Host and Domain name for multiple split-DNS entries?

If you have different internal servers but only one external name: they can't all have the same name.
If that is a requirement then you will have to go the NAT reflection way.

I myself would set it up like this:
teamspeak.domain.com
mail.domain.com
gallery.domain.com
etc.
From external they all resolve to the same IP (your WAN).
Internally they would all resolve to their respective server.

The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
Go to "Services: DNS forwarder".
Add the domains you want to redirect locally to the "Host Overrides" list below.

(example from my home setup:)
Host       Domain    IP
m          may.nu    10.0.8.210
webserver  m.may.nu  10.0.8.210
c          m.may.nu  10.0.8.220
owncloud   m.may.nu  10.0.8.220
files      m.may.nu  10.0.8.230

Ahh, makes sense. So I have to make multiple dynamic DNS entries for each internal server.

I did try to use NAT reflection and it worked. What is its disadvantage compared to split-DNS?
Gloom
last edited by Jan 25, 2013, 2:45 PM

Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server it's just a case of altering your IP from the WAN address to the internal addresses.

I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

Never underestimate the power of human stupidity
kevindd992002
last edited by Jan 25, 2013, 2:49 PM

@Gloom:

Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server it's just a case of altering your IP from the WAN address to the internal addresses.

I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

Ah ok, I understand. This is only for a small home setup so I guess I'd be better off to just enable NAT reflection. Thanks!
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.