Netgate Discussion Forum
    Help with making LAN behave same as WAN

      chpalmer

      LAN traffic meant for other clients on the same LAN never touches the firewall and thus cannot be controlled by anything you configure there.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        Derelict LAYER 8 Netgate

        SEE ALSO: NAT Reflection

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          eangulus @chpalmer

          @chpalmer I understand that in normal circumstances, but what about via a domain name?

          Example: we run mydomain.com, with it set up in HAProxy. If you hit mydomain.com then it goes to the router IP. Just that from external it hits the WAN IP, but internal, through Unbound, it hits the pfSense IP.

            eangulus @Derelict

            @Derelict said in Help with making LAN behave same as WAN:

            NAT Reflection

            Have been reading that too, but the docs state it's best to use split DNS. So not sure whether it is best practice to use NAT reflection.

              Derelict LAYER 8 Netgate

              Yes, Split DNS is the better way to go in general but you cannot translate a port with Split DNS unless, perhaps, the application uses SRV records.

                chpalmer @eangulus

                @eangulus said in Help with making LAN behave same as WAN:

                @chpalmer I understand that in normal circumstances, but what about via a domain name?

                You did not mention that so I did not assume. :)

                Split DNS is the better way to go in general but you cannot translate a port with Split DNS unless, perhaps, the application uses SRV records.

                Which goes back to my comment, eangulus, because LAN devices do not communicate with each other through the router. I guess I should qualify this though, due to your updated information, by referring to Derelict's comment above and say: "Unless you use NAT reflection and use the DNS name".

                  eangulus

                  OK, so to clarify.

                  I point the domain to the pfSense WAN IP, then handle its sub-domains etc using HAProxy and have NAT Reflection turned on.

                  Then I should be able to access the domain via LAN or WAN, even when the WAN goes down (and obviously only can access via LAN not remotely).

                  Looking at the NAT options under advanced, what would I need here? Pure or Proxy?

                    Derelict LAYER 8 Netgate

                    I handle that by using split DNS.

                    I tell the HAproxy frontend to listen on a localhost VIP

                    I port forward the WAN address to that VIP. Outside DNS queries get the WAN address.

                    Inside hosts get the localhost VIP when they resolve the names.

                    Works great.

                    NAT reflection is almost never the best solution.

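The layout Derelict describes above (HAProxy frontend bound to an internal VIP, a WAN port forward to that VIP, and an Unbound host override handing LAN clients the VIP instead of the WAN address) written out as an added HAProxy configuration; this is an illustration for this thread, not Derelict's or Netgate's own config. The VIP 192.0.2.10, the backend 10.0.0.20:8080, the hostname app.mydomain.com and the certificate path are constructed placeholders.

```haproxy
# Split-DNS layout (constructed example):
#   WAN:443  --port forward-->  192.0.2.10:443   (pfSense NAT rule, not shown here)
#   Unbound host override: app.mydomain.com -> 192.0.2.10 for LAN clients
#   Public DNS:            app.mydomain.com -> WAN address
# The frontend binds only to the VIP, so the same config answers both paths
# and nothing needs NAT reflection.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # TLS terminated here; pfSense/ACME keeps this certificate current.
    bind 192.0.2.10:443 ssl crt /var/etc/haproxy/app.mydomain.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    # Route on the Host header so several names can share the one VIP.
    acl host_app req.hdr(host) -i app.mydomain.com
    use_backend be_app if host_app
    default_backend be_deny

frontend fe_http
    # Plain HTTP on the VIP only ever redirects to HTTPS.
    bind 192.0.2.10:80
    http-request redirect scheme https code 301

backend be_app
    # Offloaded: this hop to the LAN server is plaintext, the trade-off Derelict mentions.
    server app1 10.0.0.20:8080 check

backend be_deny
    # Unknown Host header: refuse rather than fall through to some backend.
    http-request deny deny_status 421
```

To confirm the split, resolve the name from a LAN host and from outside: LAN clients should get 192.0.2.10 and external clients the WAN address, while both reach the same frontend.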
                      eangulus @Derelict

                      @Derelict Thanks for that method, I never wanted to use NAT Reflection but was thinking it was my only choice.

                        Derelict LAYER 8 Netgate

                        I did it this way because I grew weary of configuring ACME on the various servers.

                        This way I SSL offload and pfSense handles all the ACME for all of the domains.

                        Yes, the HAproxy to backend comms are in-the-clear but if someone is sniffing that I'm already owned. Bad.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.