Netgate Discussion Forum

    Routing between Networks behind different WAN IPs

    General pfSense Questions
    29 Posts 5 Posters 2.4k Views
    • viragomann @dabbelju007

      @dabbelju007
      Are you able to access the server by its internal IP?

      You can sniff the packets on LAN1 using Diagnostics > Packet Capture.
      When trying to access from LAN2 you should see the packets here as well as the responses from the server.

      • dabbelju007

        @viragomann
        I have access to the server. If I take captures at all four interfaces (LAN2, WAN2, WAN1, LAN1) I only see the request leaving LAN2 and nothing at the other captures.

        • johnpoz LAYER 8 Global Moderator

          @dabbelju007 said in Routing between Networks behind different WAN IPs:

          I do not want to allow traffic from LAN2 to LAN1 directly.

          Why?? For what possible reason would you not just let lan2 talk to lan1 via your rule? Sending traffic out wan2 just to come in wan 1 gets you nothing other than non optimal traffic flow.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          • viragomann

            So you can access the server by its IP, but not via the WAN address.

            @dabbelju007 said in Routing between Networks behind different WAN IPs:

            If I take captures at all four interfaces (LAN2, WAN2, WAN1, LAN1) I do only see the request leaving LAN2 and nothing at the other captures.

            As @johnpoz illustrated, the connection doesn't pass the WANs, so you cannot see the packets there.
            On LAN2 you only see request packets to WAN1 and nothing else?
            So the NAT reflection is probably not working.

            Do you use a hostname for accessing from outside? If so, you can add a host override.

            • dabbelju007 @johnpoz

              @johnpoz

              That's what I will do. I thought it must be possible the other way even if I produce unnecessary traffic.

              But how can I use the public IP of WAN1 from LAN2 even if I route it directly? Would that be doable with another NAT rule?

              Background to my question is that I have users using the service from home. Sometimes they come into our office and are connected to LAN2 and want to use the same service.

              Ok, if I would use DNS names I would know a way. But is it possible by using the public IP and a NAT Rule?

              • viragomann @dabbelju007

                @dabbelju007 said in Routing between Networks behind different WAN IPs:

                Would that be doable with another NAT rule?

                That's what NAT reflection should do for you automatically. It implies an invisible NAT rule.

                But yeah, you may as well add a NAT rule manually to LAN2 if you want that.
                source: WAN1 address
                dest: server

                • johnpoz LAYER 8 Global Moderator

                  Local dns resolution is the whole point of split dns. When they are on some other network they would use the public IP and access via your port forward.

                  When they are on the site where the server is - the dns on the site would point them to the local IP.

                  Where you run into a problem is if the client is not using your dns when they come to your site. And only resolve the public IP. This is where nat reflection would come into play. But the use of dual wan would complicate the use of nat reflection most likely. This should only be an issue if they were hard coding their dns vs using dhcp to get their dns, or they were using doh in their browsers, etc.

                  You could do maybe just a redirection on your lan 2 interface - if traffic hits lan 2 going to your wan 1 public 1.2.3.4 on port X, you just port forward that to server IP..


                  • stephenw10 Netgate Administrator

                    I would probably just use NAT reflection here if the requirement is only occasional.

                    https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html#method-1-nat-reflection

                    Adding a bunch of custom rules is only going to cause you more maintenance time at some point in the future.

                    Steve

                    • viragomann

                      However, due to the Multi-WAN setup, maybe you need the NAT reflection with proxy mode.

                      • stephenw10 Netgate Administrator

                        I would expect Pure NAT to work. You wouldn't even need the auto-outbound rules since it's between two different internal interfaces. I would enable them anyway though to allow access from the same interface if it's ever required.

                        Steve

                        • viragomann @stephenw10

                          @stephenw10
                          The strange thing, as the TO mentioned, he can access the server by its internal IP, but not by the WAN IP with NAT reflection in pure NAT mode.
                          So the rules must be okay, but the NAT reflection seems not to work.

                          • stephenw10 Netgate Administrator

                            I don't actually see anywhere he said he enabled NAT reflection. I just see everyone suggesting it...

                            • dabbelju007 @dabbelju007

                              @dabbelju007 said in Routing between Networks behind different WAN IPs:

                              @viragomann Thanks for your advice.

                              Just for a test: Rule at LAN2 allows IPv4 any protocol to any destination. I am using IPv4 addresses.

                              The NAT Port Forward Rule @WAN1 Interface has NAT reflection enabled, as you said pure NAT.

                              It is still not working.

                              I know the Firewall Log, State Log and packet capture. Is there a way in pfSense to see in which steps this request is handled?

                              When I do the request and take a look into the firewall log I can see that there is an entry which "allows the request" out from LAN2. There is no entry for the NAT rule @WAN1 (logging in the rules is enabled).

                              What do I do wrong?

                              Thanks
                              Dabbelju

                              @stephenw10
                              I did activate it. I will do some further testing today.

                              • dabbelju007

                                Hi all,

                                sorry if I start bothering. But I really like pfSense and want to understand as much as possible.

                                I did do some further testing (NAT Reflection Enabled with "pure NAT" and "NAT + Proxy"). I did enable it under "System=>Advanced=>Firewall & NAT" as well as in the corresponding NAT rule @WAN1.

                                I did take traces at all involved interfaces (LAN2, WAN2, WAN1, LAN1, Server) in the different scenarios. The only point where I see the packets is @LAN2. Whatever pfSense does I should see it hitting the server which is not the case.

                                What I currently do not understand: I have enabled NAT reflection at the @WAN1 NAT rule. How can NAT reflection do whatever it does when the traffic is not even hitting the interface? Shouldn't there be a rule allowing NAT reflection @LAN2 or @WAN2?

                                Is there any other way to do debugging apart from traces, Firewall System Logs, State Logs?

                                I would expect at least to see the packets also @LAN1 or am I wrong?

                                • johnpoz LAYER 8 Global Moderator

                                  Nat reflection is not going to work if your policy routing is shoving it out a gateway.

                                  If lan2 is trying to hit server in lan1, post up your rules you have on lan2


                                  • stephenw10 Netgate Administrator

                                    Yeah, you will need to have a firewall rule allowing traffic from LAN1 to the server in LAN2 to pass the reflected traffic without being routed to any gateway.

                                    With NAT reflection enabled when a client on any internal subnet tries to hit the WAN2 IP on a port that is forwarded it actually hits a NAT rule that sends it to the target directly. Then it hits the firewall so a rule must exist to pass the redirected traffic.

                                    Steve

                                    • dabbelju007

                                      @johnpoz

                                      Please find attached a screenshot of the rule @LAN2. I did wipe out my public IP, but in the rule is the IP of WAN1.

                                      rule.jpg

                                      GUESTLAN is my LAN2. In the firewall log I do see that it hits this rule.

                                      @stephenw10

                                      How can I have a rule which is not routing the traffic to a gateway? It will either take the system default GW or the one I have configured in the advanced options of a rule.

                                      • stephenw10 Netgate Administrator

                                        If you don't have a gateway defined in a rule, traffic will be routed according to the system routing table. That means it will go via the default gateway for an external destination, but for a local subnet, LAN 2 here, it will be routed directly.

                                        You need a firewall rule on LAN1 that allows traffic from the LAN1 subnet to the server IP in LAN2 above the policy routing rule there.

                                        Steve

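The processing order the thread arrives at (reflection rdr rewrites the destination first, then the LAN-side filter rules are evaluated top to bottom, and the first match decides whether the packet is policy-routed out a gateway or handed to the system routing table) is easy to get wrong. The following is an added Python model of that order, not code from the thread or from pfSense/pf itself; all addresses, rule names and the gateway label `WAN2_GW` are constructed. It shows why a LAN2 ruleset whose only match is a policy-routing rule sends the reflected connection out WAN2, and why a plain pass rule to the server IP placed above it lets the routing table deliver the packet directly to LAN1.

```python
"""Model of pf's order of operations for a NAT-reflected port forward.

Added example (not from the thread or from pfSense). Constructed values only.
Order modelled:
  1. rdr (NAT reflection, pure NAT): dst WAN1_IP:port is rewritten to the
     forward's target before filtering.
  2. Filter rules on the client interface, first match wins.
  3. A matching rule with a gateway policy-routes the packet there; a rule
     without a gateway defers to the routing table, which delivers directly
     for a connected subnet and otherwise uses the default gateway.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing (TEST-NET-3 for the public side).
WAN1_IP = ip_address("203.0.113.10")
SERVER_IP = ip_address("192.168.1.50")   # server on LAN1
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")      # the "GUESTLAN" role in the thread
CLIENT_IP = ip_address("192.168.2.77")   # client on LAN2
LOCAL_NETS = [LAN1, LAN2]


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class PortForward:
    """WAN port forward; reflection=True models NAT reflection in pure NAT mode."""
    wan_ip: IPv4Address
    port: int
    target: IPv4Address
    reflection: bool = True


@dataclass
class FilterRule:
    """Pass rule on the client interface. gateway=None means 'use routing table'."""
    name: str
    dst_net: IPv4Network
    gateway: Optional[str] = None


@dataclass
class PathResult:
    matched_rule: str
    final_dst: IPv4Address
    path: str


def reflect(pkt: Packet, forwards: list[PortForward]) -> Packet:
    """Reflection rdr: rewrite dst to the forward target before filtering."""
    for fwd in forwards:
        if fwd.reflection and pkt.dst == fwd.wan_ip and pkt.dport == fwd.port:
            return Packet(pkt.src, fwd.target, pkt.dport)
    return pkt


def route(dst: IPv4Address, local_nets: list[IPv4Network]) -> str:
    """System routing table: connected subnet wins, else default gateway."""
    for net in local_nets:
        if dst in net:
            return f"direct to {net}"
    return "default gateway"


def evaluate(pkt: Packet, forwards: list[PortForward],
             rules: list[FilterRule], local_nets: list[IPv4Network]) -> PathResult:
    rewritten = reflect(pkt, forwards)
    for rule in rules:                      # first matching rule wins
        if rewritten.dst in rule.dst_net:
            if rule.gateway:                # policy routing overrides the table
                return PathResult(rule.name, rewritten.dst,
                                  f"policy-routed via {rule.gateway}")
            return PathResult(rule.name, rewritten.dst, route(rewritten.dst, local_nets))
    return PathResult("<default deny>", rewritten.dst, "blocked")


FORWARDS = [PortForward(WAN1_IP, 443, SERVER_IP)]

# Ruleset as initially described: a rule to the WAN1 address and a catch-all,
# both policy-routed out WAN2. After the rdr the dst is SERVER_IP, so only the
# catch-all matches and the connection is shoved out the WAN2 gateway.
BROKEN_RULES = [
    FilterRule("LAN2 to WAN1 address", ip_network(f"{WAN1_IP}/32"), gateway="WAN2_GW"),
    FilterRule("LAN2 any out WAN2", ip_network("0.0.0.0/0"), gateway="WAN2_GW"),
]

# The fix from the thread: a pass rule to the server with no gateway, placed
# above the policy-routing rules, so the routing table delivers directly.
FIXED_RULES = [FilterRule("LAN2 to server", ip_network(f"{SERVER_IP}/32"))] + BROKEN_RULES


def broken_path() -> PathResult:
    return evaluate(Packet(CLIENT_IP, WAN1_IP, 443), FORWARDS, BROKEN_RULES, LOCAL_NETS)


def fixed_path() -> PathResult:
    return evaluate(Packet(CLIENT_IP, WAN1_IP, 443), FORWARDS, FIXED_RULES, LOCAL_NETS)


if __name__ == "__main__":
    for label, result in (("broken", broken_path()), ("fixed", fixed_path())):
        print(f"{label}: rule={result.matched_rule!r} dst={result.final_dst} -> {result.path}")
```

Running it prints the two outcomes side by side; the point to take from the model is that the filter rule must match the post-rdr destination (the server IP, not the WAN1 IP), and must carry no gateway, to end up on the direct path to LAN1.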
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.