Need to open a nat from lan to lan via wan

assistenzanet95

Hello everyone, I need to configure pfsense so that I can access from the lan to a service on the lan via wan. I know it is twisted but in this way I would have only one link to give to the customer to access the service

currently I managed to configure from captive to lan via wan, but reporting the same configuration on the lan does not work.

Thanks!

kiokoman

you need nat reflection
https://docs.netgate.com/pfsense/en/latest/book/nat/nat-reflection.html

assistenzanet95

I tried to create a NAT with this configuration but it doesn't work:
Lan is 192.168.3.0/24

Interface: LAN
Source: any
Source port: any

Destination: WAN Address
Dest port: 9080
redirect ip: 192.168.3.200
redirect ip: 9080

Nat Reflection: Pure NAT

kiokoman

"Enable automatic outbound NAT for Reflection" box under System > Advanced > Firewall.
?

assistenzanet95

Yes, already set

kiokoman

ah i see now, interface should be wan not lan maybe compare with my screenshot, i've made a test and it work

Rico

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html
Better use Split DNS...

-Rico

kiokoman

yes you are right, but if it's only one port it's not a big deal, personally i use bind with split view for that but the configuration is somewhat less easy

assistenzanet95

@kiokoman
this is mine, i've left Any Source because i need to access from internet also

Screenshot_2020-03-03 netsistemi localdomain - Firewall NAT Port Forward Edit.png

kiokoman

i don't see anything wrong here
i can only give you some point to check as i don't know why it's not working for you
do you have a corresponding Firewall Rules under the WAN interface?
overlapping NAT rules maybe?
wrong firewall rules order?
does LAN have a rule that permit to go out using port 9080 ?
you didn't mentioned what kind of service is it but is your service tcp only ?
anything under firewall log ?
does it work if you try from the internet or are you only trying from the lan side?

if nothing work maybe try Method 2: Split DNS

johnpoz

@assistenzanet95 said in Need to open a nat from lan to lan via wan:

I know it is twisted but in this way I would have only one link to give to the customer to access the service

The url you give to some client has zero to do with if you do nat reflection or not.

The correct solution when your local to the service that is behind a nat firewall is to resolve whatever that fqdn is to the local IP and not the public one.

kiokoman

uhm he didn't mentioned url but link, if he is trying with url instead of ip than yes you are right, you can't do that with nat reflection but only with split dns

johnpoz

url or link - same thing.. What do you think a link is?

If he is giving the client an IP - he is doing it freaking WRONG!!! Period!

assistenzanet95

@johnpoz
the client using only public (Static) IP not URL

@kiokoman
i'll attach wan and lan rules

Screenshot_2020-03-03 netsistemi localdomain - Firewall Rules WAN.png

Screenshot_2020-03-03 netsistemi localdomain - Firewall Rules LAN.png

kiokoman

http://192.168.1.1/index.html isn't it a link ?
[root@tristan]# ip link show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

i don't see any url here but i don't want to go against my master if you say it's not

johnpoz

@assistenzanet95 said in Need to open a nat from lan to lan via wan:

the client using only public (Static) IP not URL

That is just plain MORONIC!!! Sorry but it is!!!

Give your client a public fqdn vs an IP... That way if it ever has to change you do not contact all your clients (even if only 1) and say hey that link is now http://y.y.y.y vs http://x.x.x.x

assistenzanet95

@johnpoz said in Need to open a nat from lan to lan via wan:

That is just plain MORONIC!!! Sorry but it is!!!

i know but is a local service and the director of the structure want to access from external location also

kiokoman

remove block bogon and block private network from the WAN interface ..
they are pretty much useless anyway

johnpoz

@assistenzanet95 said in Need to open a nat from lan to lan via wan:

want to access from external location also

Then give them a FQDN... A domain can cost as little as $1, shit free if your open for using one of the hundreds if not 1000s of free domains you can leverage.

Average lets call it 10$ for you domain name a YEAR... there is one thing if this your buddy and you want him to access your ftp server so you can exchange anime or something.. But this is a client - how are you doing any sort of business at all and not have a domain to use?

assistenzanet95

@johnpoz said in Need to open a nat from lan to lan via wan:

Then give them a FQDN... A domain can cost as little as $1, shit free if your open for using one of the hundreds if not 1000s of free domains you can leverage.
Average lets call it 10$ for you domain name a YEAR... there is one thing if this your buddy and you want him to access your ftp server so you can exchange anime or something.. But this is a client - how are you doing any sort of business at all and not have a domain to use?

Ok i know this, actually i manage over 50 domains for various customer, and obviously give them a domain to do this is the most correct solutions, but my question is why if i try to access to the service running on lan through public ip from the captive network it works, but if i try lan service through public ip from lan it doesn't work.

Currently the customers would not understand why it would have to buy a domain to use something he can use normally from the guest network