NAT LOOPBACK

telvenes · Oct 25, 2016, 10:06 PM

Let's say I have a VLAN 10 where it is servers that host multiple websites.

I also have one VLAN 100 which is one public wireless internet.

with these rules none of the users as VLAN 100 get in on the websites that is located on VLAN 10.

although I have enabled PURE NAT, how can we fix this?

Protocol Source Port Destination Port Gateway Queue Schedule

IPv4 * VLAN_Net * VLAN_Address * * None
IPv4 * * * This Firewall * * None
IPv4 * VLAN_Net * !rfc1918 * * None

JKnott · Oct 25, 2016, 10:13 PM

You have to set up routing between the VLANs.

telvenes · Oct 25, 2016, 10:40 PM

Can you please tell me how?

cant i force trafic to go to internet first than inside again?

telvenes · Oct 25, 2016, 10:57 PM

Do not completely understand why I cant search the site www.example.com from VLAN 100 when I can do it from a different network.

What has become nat out in internet suppose to be available on the local network as well.

KOM · Oct 25, 2016, 10:58 PM

Turn off NAT Reflection entirely and, instead, add an A record to two to your DNS so that the public FQDN of the web servers resolves to the internal IP address. This is Split DNS. Then add a rule on the VLAN100 interface that allows it to access just those servers web ports on VLAN10.

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

telvenes · Oct 26, 2016, 12:04 AM

@KOM:

Turn off NAT Reflection entirely and, instead, add an A record to two to your DNS so that the public FQDN of the web servers resolves to the internal IP address. This is Split DNS. Then add a rule on the VLAN100 interface that allows it to access just those servers web ports on VLAN10.

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Correct me if I'm wrong, for each server I should NAT to Internet I have to go through all VLAN to create rules for them to get access to servers that already are on the internet?

The thing is that this is only an example of VLANS, there are plans that it will come very many VLAN and servers/clients gradually so it sounds like it may be difficult to keep up with maintenance

telvenes · Oct 26, 2016, 12:25 AM

Hello again, tested what you said I must do now. I understand how you want me to do this. But hope you find another way.

I have 20 Virtual IP with alot of rules, and for every VLAN in make I literally have to dublicate NAT settings into Rules for each VLAN?

telvenes · Oct 26, 2016, 12:35 AM

screenshot.

So this setup works. but i dont understand why i cant add this automaticly

KOM · Oct 26, 2016, 3:07 PM

Correct me if I'm wrong, for each server I should NAT to Internet I have to go through all VLAN to create rules for them to get access to servers that already are on the internet?

Yes. It's definitely more work, but it is the better, more elegant solution. If for whatever reason you don't want to do that then your only other option is NAT Reflection from that same link I gave you.