Netgate Discussion Forum

    Allowing access to WAN ports from LAN side

      Zak McKracken

      Hi,

      I don't know if this is a Firewall, a NAT or a completely different topic, and I wouldn't know how it's generally named, so please let me describe it.

      My pfSense box has its WAN port connected directly to the Internet. It receives a public IP address for it from my ISP using DHCP. Even though it is DHCP, I always receive the same IP address, so no problem there. This IP address is globally DNS registered, so mydomain.eu resolves to this IP address.

      The LAN port is connected to my local network, which uses a class B IP range, 172.xxx.yyy.yyy. I'm running a local DNS resolver with a local domain: mydomain.local.

      I have a couple of IP security cameras in my house, configured with statically mapped DHCP entries and corresponding DNS entries. I'm sorry; I may be using the wrong terminology here. For example, my front camera is accessible on http://speeddome-front.mydomain.local (and sometimes also under http://speeddome-front but that's a future question) on the LAN.

      Now I have created a NAT entry and a corresponding rule to allow access to this camera from the Internet at http://mydomain.eu:8088 and this works almost flawlessly. For the flaws I blame my ISP, so no problems here.

      However, my camera is not accessible on my LAN under http://mydomain.eu:8088. On my LAN it is only accessible under http://speeddome-front.mydomain.local. Does anybody know why? And what setting I need to make this possible? The problem I'm trying to solve is universal access to my cameras on my phone, regardless of whether I'm inside or outside the house.

      Thanks a lot in advance.

        Grimson Banned

        https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          SammyWoo

          Because mydomain.eu is a WAN address. When you are doing INTRAnet traffic, there is no need to go through the "WAN". So you want to skip WAN altogether, how? Simple. Tell your DNS Resolver, add a static entry that says mydomain.eu=CameraStaticIP.

            Zak McKracken

            Thank you, guys. Grimson's answer was what I was looking for. Apparently it's called NAT reflection, and it is not the ideal solution. The better alternative is Split DNS, but that won't work if the WAN port differs from the port on the LAN server. In my case, I have a number of security camera servers with web pages on port 80, mapped on WAN ports 8080 and up.

            So I have enabled NAT reflection as described in the linked manual and it works like a charm. Today I learned something new. Thanks again!
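
The port caveat raised in the last post, as an added example that is not part of the original thread or of pfSense: a small check that decides, per public hostname, whether a Split DNS override is enough or NAT reflection is needed. The `Forward` record, `classify` function, `nas.example` entry and the 192.0.2.x addresses are assumptions made for illustration; the addresses stand in for the poster's elided 172.x LAN range.

```python
from collections import defaultdict
from typing import NamedTuple

class Forward(NamedTuple):
    hostname: str   # public name clients put in the URL
    wan_port: int   # port opened on the WAN address
    lan_ip: str     # internal target (constructed placeholder address)
    lan_port: int   # port the internal server listens on

def classify(forwards):
    """Return {hostname: (verdict, reasons)}.

    Split DNS only changes the address a name resolves to; the client still
    connects to the port in the URL. An override therefore works only if every
    forward for that name targets the same LAN host on an unchanged port.
    """
    by_host = defaultdict(list)
    for f in forwards:
        by_host[f.hostname].append(f)
    result = {}
    for host, rules in by_host.items():
        reasons = []
        targets = sorted({r.lan_ip for r in rules})
        if len(targets) > 1:
            reasons.append(f"one name maps to several LAN hosts: {', '.join(targets)}")
        for r in rules:
            if r.wan_port != r.lan_port:
                reasons.append(f"port {r.wan_port} is rewritten to {r.lan_ip}:{r.lan_port}")
        result[host] = ("nat-reflection" if reasons else "split-dns", reasons)
    return result

# Constructed sample modelled on the thread: cameras listening on port 80,
# forwarded from WAN ports 8080 and up; nas.example is a hypothetical contrast case.
SAMPLE = [
    Forward("mydomain.eu", 8080, "192.0.2.10", 80),
    Forward("mydomain.eu", 8088, "192.0.2.11", 80),
    Forward("nas.example", 443, "192.0.2.20", 443),
]

if __name__ == "__main__":
    for host, (verdict, reasons) in classify(SAMPLE).items():
        print(host, "->", verdict)
        for reason in reasons:
            print("   ", reason)
```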

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.