Netgate Discussion Forum
    How to redirect LAN traffic going to WAN IP to LAN ip

    General pfSense Questions
    franzjr

      I have a firewall with pfSense version 1.2.3-RC1.

      Currently I need to set up a custom DNS server to make internal calls to domain names go to the correct LAN IP.
      I want to get rid of the DNS server and redirect using the firewall.

      So instead of having A records with the local IP addresses in my own DNS server, I'd just like the firewall to redirect traffic coming from LAN going to the WAN IP to the internal LAN IP instead.

      So the A record from any outside DNS works on LAN as well.
      I've read that I have to set up an outbound NAT rule, but there is no option to set a target internal address.

      how can I do that?

      I did not set up the firewall and don't really know what to look for.

      KOM

        1.2.3-RC1??? Wow.  I have never worked on a version so old.  Is there a DNS Forwarder that will allow you to add host overrides that redirect to their LAN equivalents?

        johnpoz LAYER 8 Global Moderator

          Why would you be running such an old version.. And the RC1 to boot??? I would say step one get current.  Then what you want is a simple host override. 2 seconds to do.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          franzjr

            Sadly I do not have control over it, some third party installed this years ago before I joined the company and no one is allowed to touch it or change anything.

            The whole thing was escalated by management who were confused when a specific domain didn't work because someone forgot to add it to our DNS server.
            It worked outside the network, but not inside our network.

            Since we now have a lot of domain names, and each has to be added to our DNS server to work internally, I thought redirecting requests going to our external IP to the internal IP equivalent instead would be easier, since there are a lot fewer of those.

            @KOM:

            1.2.3-RC1??? Wow.  I have never worked on a version so old.  Is there a DNS Forwarder that will allow you to add host overrides that redirect to their LAN equivalents?

            We have a DNS server, but each domain name has to be added separately every time we get a new one.

            @johnpoz:

            Why would you be running such an old version.. And the RC1 to boot??? I would say step one get current.  The what you want is a simple host over ride. 2 seconds to do.

            Host override would require adding each hostname separately again, what we currently do with our DNS server.

            johnpoz LAYER 8 Global Moderator

              "no one is allowed to touch it or change anything."

              That is your #1 problem right there. 1.2.3 RC1

              This should be fixed first.. Then you can work out doing NAT reflection if you want for all your outside domains to reflect back in without having to add specific entries for each public FQDN.

              KOM

                @franzjr:

                We have a DNS server, but each domain name has to be added separately every time we get a new one.

                This is actually the better way to do it.  NAT Reflection is a hack.  I would just add the domain to DNS and point it to the LAN IP and be done with it instead of fiddling with NAT Reflection.

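The two posts above set out the trade-off: johnpoz points at NAT reflection so that every public FQDN reflects back in without a per-name entry, KOM prefers one host override per name. What neither spells out is the property that decides it: the firewall's port forwards split traffic by destination port, while a DNS override can only say "this name is this one LAN IP". A name whose ports land on different LAN hosts cannot be expressed as a host override at all and needs reflection; every other name can be generated mechanically from the public zone, which also catches the "someone forgot to add it" failure that started this thread. The following script is an added example written for this page, not code from the thread or from pfSense. The zone fragment, WAN address (TEST-NET-3), port-forward table and service map are all constructed sample data; the `address=/name/ip` output is dnsmasq syntax as used by the pfSense DNS Forwarder, and the `local-data:` output is Unbound syntax for the DNS Resolver that later pfSense versions ship.

```python
import re
from collections import defaultdict

# Constructed sample data for this example (not from the thread).
WAN_IP = "203.0.113.10"  # the firewall's public address (TEST-NET-3)

PUBLIC_ZONE = """\
; A records exactly as the outside authoritative DNS publishes them
www.example.com.        300 IN A    203.0.113.10
mail.example.com.       300 IN A    203.0.113.10
shop.example.com.       300 IN A    203.0.113.10
intranet.example.com.   300 IN A    203.0.113.10
cdn.example.com.        300 IN A    198.51.100.7
"""

# The firewall's port forwards (rdr rules): (proto, wan_port) -> LAN target.
PORT_FORWARDS = {
    ("tcp", 80): "192.168.1.10",
    ("tcp", 443): "192.168.1.10",
    ("tcp", 25): "192.168.1.20",
    ("tcp", 8443): "192.168.1.30",
}

# Which forwarded ports each published name is served on (hypothetical map).
SERVICES = {
    "www.example.com": {("tcp", 80), ("tcp", 443)},
    "mail.example.com": {("tcp", 25)},
    "shop.example.com": {("tcp", 443), ("tcp", 8443)},
    # intranet.example.com is deliberately missing: the forgotten entry.
}

A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(zone_text):
    """Return {fqdn: set(ipv4)} for the A records in a BIND-style zone fragment."""
    records = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = A_RECORD.match(line)
        if m:
            records[m["name"].rstrip(".").lower()].add(m["ip"])
    return dict(records)


def names_pointing_at(records, wan_ip):
    """FQDNs whose public A record is the firewall's WAN address."""
    return sorted(name for name, ips in records.items() if wan_ip in ips)


def plan_overrides(names, services, port_forwards):
    """Decide per name whether one host override can stand in for reflection.

    Returns (overrides, problems): overrides maps name -> LAN IP; problems maps
    name -> why a DNS override alone cannot reproduce what the WAN side does.
    """
    overrides, problems = {}, {}
    for name in names:
        ports = services.get(name)
        if not ports:
            problems[name] = "no service mapping (forgotten entry)"
            continue
        missing = sorted(p for p in ports if p not in port_forwards)
        if missing:
            problems[name] = f"no port forward for {missing}"
            continue
        targets = {port_forwards[p] for p in ports}
        if len(targets) != 1:
            # NAT splits this name by port; DNS cannot. Needs NAT reflection.
            problems[name] = f"ports land on different LAN hosts {sorted(targets)}"
            continue
        overrides[name] = targets.pop()
    return overrides, problems


def render_dnsmasq(overrides):
    """Host override lines in dnsmasq syntax (pfSense DNS Forwarder)."""
    return [f"address=/{name}/{ip}" for name, ip in sorted(overrides.items())]


def render_unbound(overrides):
    """Host override lines in Unbound syntax (pfSense DNS Resolver)."""
    return [f'local-data: "{name}. A {ip}"' for name, ip in sorted(overrides.items())]


if __name__ == "__main__":
    recs = parse_a_records(PUBLIC_ZONE)
    ov, bad = plan_overrides(names_pointing_at(recs, WAN_IP), SERVICES, PORT_FORWARDS)
    print("\n".join(render_dnsmasq(ov)))
    for name, why in bad.items():
        print(f"# {name}: {why}")
```

Run against the sample data, `www` and `mail` become plain overrides, `intranet.example.com` is reported as the forgotten entry before a manager notices, and `shop.example.com` is reported as a name that DNS cannot split because tcp/443 and tcp/8443 forward to different LAN hosts; that last case is the one where reflection is the only option short of restructuring the forwards.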
                johnpoz LAYER 8 Global Moderator

                  ^ agreed, but seems he can not touch his router anyway.. So I don't get how doing a reflection or forward is not touching? ;)

                  For F sake 1.2.3 was released 2009-12-10, so you're on RC1 of that which means it's even older.. JFC dude really come on 5+ year old firewall software – update it!!! Your little problem of not wanting to actually manage your name space is minor to running your firewall/router code on an RC of a version that was released back in 2009 for F sake!!

                  franzjr

                    Ohwell, I guess we'll stick to the DNS server then.

                    I'll ask management to let me upgrade it.
                    I have my doubts I'll get permission though, seeing as we still have some windows 2000 servers running in production.

                    Thanks for the replies.

                    johnpoz LAYER 8 Global Moderator

                      Make sure you let them know it's not an "upgrade" of that hardware.. You would swap in new hardware and a new version of pfSense.  So for your change control you put in the new one; if it doesn't work you reconnect the old – no harm no foul.

                      I can understand the don't fix what is not broken mentality... But come on 5+ year old security software is not valid security..  Do you not update your antivirus dats because it would be a change?

                      KOM

                        @franzjr:

                        I'll ask management to let me upgrade it.

                        Management are the very last people who should be making decisions about computer/network security.  They need to let the people do their jobs and get out of the way.  As John said, the very fact that these people don't want you to touch an ancient, beta-level firewall indicates they are not competent to make this decision in the first place.  Good luck to you.  We've all been in this situation where morons are directing the smart people to do dumb things.

                        doktornotor Banned

                          @johnpoz:

                          I can understand the don't fix what is not broken mentality…

                          Not even applicable here. It actually IS heavily broken.

                          johnpoz LAYER 8 Global Moderator

                            ^ sing it Amen!!!

                            All management should approve is when you can have a window for down time, which I would assume would be off hours.  You test before, swap in the new one, test after.  If it works you're done.  If tests do not validate that everything is working then you connect the old one back and go back to the drawing board to see what went wrong.

                            This is a no-brainer sort of update.. You're not doing an in-place software upgrade where something could crash and burn the current config and setup.

                            Go over all the advantages of the update.  Big one is that you could get support from pfsense if need be - since 1.2.3 is no longer supported even.

                            https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD

                            You could put in an HA setup, what exactly is the current plan if that hardware died or software crashed?  There have been so many enhancements from 1.2.3 to current..

                            Shoot, 1.2.3 was using FreeBSD 7.2, which clearly is no longer even supported by FreeBSD
                            https://www.freebsd.org/security/

                            KOM

                              Just today my boss decides to argue with me.  He knows nothing, but like a lot of managers, he's The World's Smartest Man, and you aren't right unless he agrees with you.

                              Today's gem was about VoIP.  We are looking at switching from RingCentral to another service.  He is arguing with me that the new service should just work as long as I give them the MAC addresses of the phones.  When I tell him that that isn't enough and that the phones need to know where to download their manifest from, he starts to argue.  He knows nothing.  He thinks you can route over the Internet based only on MAC address into a private LAN.  I tried to explain that it's like giving your employee a unique employee number, and then trying to locate that employee anywhere in the world just based on the employee number.  He didn't understand and continued to argue.  Then, like he always does, he goes away for a while to research how he is right and I am wrong.  Inevitably, he finds out he was wrong and it's never mentioned again because important, arrogant, know-it-all assholes aren't allowed to admit mistakes.  I feel like Quincy M.E. sometimes.  Quincy is right 3000 times in a row, but the next case has everyone doubting him as usual (even though he's always right).

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.