Netgate Discussion Forum
    Strange behaviour in NAT

    12 Posts 4 Posters 1.7k Views
    • KOM

      Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks

      • pfguy

        @KOM:

        Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks

        Just as I thought…
        Haiizzz... more work to do just to achieve a simple job! What is the benefit of restricting LAN clients from simply going out to the Internet to reach that Internet host name?
        A very tedious process!

        • KOM

          Running split DNS isn't that hard unless you have a lot of internal hosts you need to connect to.

          • pfguy

            @KOM:

            Running split DNS isn't that hard unless you have a lot of internal hosts you need to connect to.

            Yes, I have over 10 internal servers that users need to access over the Internet.
            It's not hard, but it is tedious, and WHAT IS THE POINT OF DOING THIS? Should the firewall just bloody allow the LAN to connect to them like any other Internet address?

            • doktornotor (Banned)

              Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to the WRONG place.

              • KOM

                If you really want to use public names without split DNS, then you can try playing with NAT Reflection. Try Pure NAT first, as I think I remember it being the recommended option.

                BTW, 10 servers is nothing. If you were talking many dozens or so, with servers coming and going constantly, then it might be a nuisance. Otherwise, just stick your 10 servers in the pfSense Forwarder or Resolver host overrides and be done with it if you're using pfSense for DNS. If not, just do the same thing in your other DNS server. How long can it take to add 10 A records?

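                What the "add 10 A records" step amounts to in the DNS Resolver (Unbound), as an added example that is not from this thread or from pfSense itself: it turns a list of port-forwarded servers into the `local-zone`/`local-data` entries Unbound uses for host overrides, refuses any override that would point at the WAN address (that would just recreate the hairpin), and gives a check for the answer a LAN client should get once the overrides are live. The host names, the WAN address 203.0.113.10 and the LAN subnet 192.168.10.0/24 are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): public names
# that are port-forwarded on the WAN address to servers on the LAN.
WAN_IP = "203.0.113.10"
LAN_NET = "192.168.10.0/24"
SERVERS = [
    ("www.example.com", "192.168.10.20"),
    ("mail.example.com", "192.168.10.25"),
    ("git.example.com", "192.168.10.30"),
    ("files.example.net", "192.168.10.40"),
]


def parent_zone(fqdn: str) -> str:
    """Zone a host override belongs to: everything after the first label."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{fqdn!r} is not a fully qualified name")
    return ".".join(labels[1:])


def is_lan_address(addr: str, wan_ip: str = WAN_IP, lan_net: str = LAN_NET) -> bool:
    """True only for an address inside the LAN subnet that is not the WAN IP."""
    ip = ipaddress.ip_address(addr)
    return addr != wan_ip and ip in ipaddress.ip_network(lan_net)


def host_overrides(servers, wan_ip: str = WAN_IP, lan_net: str = LAN_NET):
    """One Unbound local-data line per server, each pointing at the LAN address.

    An override that resolved to the WAN IP would send LAN clients back to the
    firewall, which is exactly the hairpin split DNS is meant to avoid.
    """
    lines = []
    for fqdn, addr in servers:
        if not is_lan_address(addr, wan_ip, lan_net):
            raise ValueError(f"{fqdn}: {addr} is not a LAN address")
        lines.append(f'local-data: "{fqdn.rstrip(".")}. IN A {addr}"')
    return lines


def local_zones(servers):
    """A transparent local-zone per domain, so names in that domain without an
    override are still forwarded upstream instead of returning NXDOMAIN."""
    zones = sorted({parent_zone(fqdn) for fqdn, _ in servers})
    return [f'local-zone: "{zone}." transparent' for zone in zones]


def unbound_config(servers, wan_ip: str = WAN_IP, lan_net: str = LAN_NET) -> str:
    """Full snippet for unbound.conf (or a pfSense custom-options box)."""
    return "\n".join(local_zones(servers) + host_overrides(servers, wan_ip, lan_net)) + "\n"


def answer_is_split(fqdn: str, answers, servers) -> bool:
    """Verify what a LAN client resolved (e.g. the lines from `dig +short`):
    the only answer must be the internal address, never the WAN IP."""
    expected = dict(servers).get(fqdn.rstrip("."))
    return expected is not None and list(answers) == [expected]


if __name__ == "__main__":
    print(unbound_config(SERVERS), end="")
```

Usage: paste the printed lines into the Resolver's host overrides (or custom options), then from a LAN host run `dig +short www.example.com @<pfSense LAN IP>` and feed the result to `answer_is_split`; if it still returns the WAN address, the client is not using pfSense for DNS and the same records have to go into whatever resolver it does use.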
                • Derelict (LAYER 8, Netgate)

                  OMG! Maintaining a network properly might amount to someone having to do some work!

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • pfguy

                    @doktornotor:

                    Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to WRONG place.

                    What do you mean by pointing to the WRONG PLACE? Nonsense! It's an Internet address. Technically. Whatever is behind it, just allow the client to go to that address, and if that address happens to point back to another host in the same network, so be it. Why do other firewalls allow it but pfSense requires extra steps here?

                    • Derelict (LAYER 8, Netgate)

                      Because other routers behave improperly out of the box.  pfSense requires the user to check a box to get the behavior.

                      If you don't want to do it right, go here:

                      System > Advanced > Firewall/NAT Tab > Network Address Translation


                      • doktornotor (Banned)

                        @pfguy:

                        What do you mean by pointing to the WRONG PLACE? Nonsense! It's an Internet address

                        Ugh… You just don't get it. It's NOT running on your pfSense box. Don't point clients there on the LAN, simple. Point them to the LAN. Stop playing ping-pong with packet headers. There's no need for the traffic to ever hit the firewall box, at all.

                        (BTW, most "other firewalls" just don't have any NAT reflection at all...)

                        • pfguy

                          @doktornotor:

                          Ugh… You just don't get it. It's NOT running on your pfSense box. Don't point clients there on the LAN, simple. Point them to the LAN. Stop playing ping-pong with packet headers. There's no need for the traffic to ever hit the firewall box, at all.

                          (BTW, most "other firewalls" just don't have any NAT reflection at all...)

                          OK, fair enough... argument accepted ;)
                          Thanks

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.