Netgate Discussion Forum

    Unable to address WAN addresses from VLANs

    L2/Switching/VLANs
    7 Posts 4 Posters 818 Views

    UnS3eN (last edited by UnS3eN)

      I have multiple WAN IPs set up as aliases and have public services running on those. For some reason, I am only able to access these services externally, but not from the VLANS using the same FQDNs.

      NAT and filter rules are in place to forward the ports, and they work fine, since I can access the services from external machines.

      VLANS have Pass any from any to any rules set up. I can see requests leaving the VMs and hitting the VLAN interface, but then nothing.

      Can't figure out why the traffic is being blocked.

      tcpdump -i igb3.201 -vvv | grep x.x.x.107.ms-sql-s
      tcpdump: listening on igb3.201, link-type EN10MB (Ethernet), capture size 262144 bytes
         172.20.31.13.60488 > x.x.x.107.ms-sql-s: Flags [SEW], cksum 0xc619 (correct), seq 2423227843, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
         172.20.31.13.60488 > x.x.x.107.ms-sql-s: Flags [SEW], cksum 0xc619 (correct), seq 2423227843, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
         172.20.31.13.60488 > x.x.x.107.ms-sql-s: Flags [S], cksum 0xdae8 (correct), seq 2423227843, win 8192, options [mss 1460,nop,nop,sackOK], length 0
         172.20.31.20.59147 > x.x.x.107.ms-sql-s: Flags [SEW], cksum 0xd420 (correct), seq 2993969901, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
         172.20.31.20.59147 > x.x.x.107.ms-sql-s: Flags [SEW], cksum 0xd420 (correct), seq 2993969901, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
         172.20.31.20.59147 > x.x.x.107.ms-sql-s: Flags [S], cksum 0xe8ef (correct), seq 2993969901, win 8192, options [mss 1460,nop,nop,sackOK], length 0

      I have the same rules set up for ports 80/443 on this WAN address and have the same issue. Can access the sites from within the VLANS.

      Inter-VLAN traffic is absolutely fine.

      NAT rule:

      pfctl -sn | grep ms-sql-s
      rdr on igb0 inet proto tcp from any to x.x.x.107 port = ms-sql-s -> 172.20.30.7

      Filter Rule:

      pass in quick on igb0 reply-to (igb0 x.x.x.105) inet proto tcp from any to 172.20.30.7 port = ms-sql-s flags S/SA keep state label "USER_RULE: S1_MSSQL"
      KOM @UnS3eN

        @uns3en To access servers via FQDN from LAN, you will either need to enable NAT Reflection or set up split DNS that resolves those hosts to their local IPs instead of public IP. I assume these work when accessed by their local IP?

        viragomann @UnS3eN

          @uns3en said in Unable to address WAN addresses from VLANs:

          NAT and filter rules in place

          On WAN, I guess, but presumably not on the internal interfaces.

          Best practice is to add host overrides to your internal DNS for your FQDNs.

          Otherwise you have to enable NAT reflection to get the WAN rule applied to the internal interfaces. This can be done either in each NAT rule individually or globally in the NAT section of System > Advanced options.

          UnS3eN @KOM

            @kom said in Unable to address WAN addresses from VLANs:

            assume these work when accessed by their local IP?

            Indeed they are. NAT reflection is set to "Pure". I was missing Enable automatic outbound NAT for Reflection.

            Thanks!

            KOM @UnS3eN

              @uns3en Honestly, a better way to do it is to add a couple of host overrides to unbound that resolve these FQDNs to their local IPs. NAT reflection is kind of a hack.

              UnS3eN @KOM (last edited by UnS3eN)

                @kom You're right, that's a better way of doing that. Right now I just need to get things working again.

                I'll have to compile a list of all of those FQDNs later and set the overrides.

                Thanks for the pointer.

                Edit: Just remembered why I never did that originally. A lot of these are web apps served from the same hosts on different ports, and I use a reverse proxy to serve them over 443.

                johnpoz LAYER 8 Global Moderator @UnS3eN

                  @uns3en said in Unable to address WAN addresses from VLANs:

                  and I use a reverse proxy to serve them over 443.

                  Ok - why is that a problem then? Your reverse proxy works just fine like that be it you nat reflect or hit it directly locally. Or if you ran your reverse proxy on pfsense, no need for nat reflection or host override, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

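The host-override approach KOM and viragomann recommend, together with the reverse-proxy wrinkle UnS3eN and johnpoz discuss, as an added example that is not from any poster in this thread: a small Python generator that turns a constructed list of published FQDNs into unbound `local-data:` host-override records for split DNS. Names served through the reverse proxy resolve to the proxy's internal address rather than the backend host (the proxy routes by hostname, so all of them can share one override target), duplicate names collapse, conflicting targets are rejected, and a helper reports which names an internal resolver still answers with the WAN address, i.e. the ones that would still depend on NAT reflection. The FQDNs, the 203.0.113.107 public address, the proxy address 172.20.30.2 and the TTL are constructed assumptions, not values from the thread.

```python
"""Generate unbound host overrides (split DNS) from a list of published services.

Added example, not code from the forum thread or from pfSense. The service
list, addresses and TTL below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

RECORD_TTL = 300  # assumed TTL for the generated A records

# Constructed sample mirroring the thread's layout: public services on one
# WAN alias, backends on the 172.20.30.0/24 server VLAN, web apps on various
# ports all fronted by one internal reverse proxy. The fourth entry is a
# deliberate duplicate (different case, trailing dot) that must collapse.
SERVICES = [
    {"fqdn": "sql.example.com",  "public_ip": "203.0.113.107", "internal_ip": "172.20.30.7"},
    {"fqdn": "app1.example.com", "public_ip": "203.0.113.107", "internal_ip": "172.20.30.7", "via_proxy": True},
    {"fqdn": "app2.example.com", "public_ip": "203.0.113.107", "internal_ip": "172.20.30.8", "via_proxy": True},
    {"fqdn": "SQL.example.com.", "public_ip": "203.0.113.107", "internal_ip": "172.20.30.7"},
]
REVERSE_PROXY_IP = "172.20.30.2"  # constructed: internal address of the reverse proxy


def normalise(fqdn: str) -> str:
    """Lower-case and strip the trailing dot so case/dot variants collapse."""
    return fqdn.strip().rstrip(".").lower()


def internal_target(service: dict, proxy_ip: str) -> str:
    """Address VLAN clients should receive for this FQDN.

    Anything published through the reverse proxy must resolve to the proxy,
    not the backend host, because the proxy selects the backend by hostname.
    """
    target = proxy_ip if service.get("via_proxy") else service["internal_ip"]
    ipaddress.ip_address(target)  # raises ValueError on a malformed address
    return target


def build_overrides(services: Iterable[dict], proxy_ip: str) -> dict[str, str]:
    """Map each normalised FQDN to its internal answer; refuse conflicting targets."""
    overrides: dict[str, str] = {}
    for svc in services:
        name = normalise(svc["fqdn"])
        target = internal_target(svc, proxy_ip)
        if name in overrides and overrides[name] != target:
            raise ValueError(f"{name}: conflicting targets {overrides[name]} and {target}")
        overrides[name] = target
    return overrides


def render_unbound(overrides: dict[str, str], ttl: int = RECORD_TTL) -> list[str]:
    """Emit unbound local-data lines (zone-file RR syntax), in stable sorted order."""
    return [f'local-data: "{name}. {ttl} IN A {ip}"' for name, ip in sorted(overrides.items())]


def still_public(services: Iterable[dict], current_answers: dict[str, str]) -> list[str]:
    """FQDNs for which the internal resolver still returns the WAN address.

    current_answers maps normalised FQDN -> A record the internal resolver
    gives today. Any name still answered with its public IP is one that VLAN
    clients can only reach via NAT reflection until an override exists.
    """
    hits = {
        normalise(svc["fqdn"])
        for svc in services
        if current_answers.get(normalise(svc["fqdn"])) == svc["public_ip"]
    }
    return sorted(hits)


if __name__ == "__main__":
    for line in render_unbound(build_overrides(SERVICES, REVERSE_PROXY_IP)):
        print(line)
```

The generated lines follow unbound's `local-data:` syntax; on pfSense the equivalent is entering each name as a host override in the DNS Resolver, which is the form the posters recommend.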
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.