[resolved]accessing internal site from external IP

garyd9 · Aug 1, 2016, 5:18 PM

I'm experiencing unexpected behavior with pfSense when trying to access something from inside the NAT using an external IP that points back to the NAT.. (That's confusing, isn't it?) I'm not sure if this is a firewall issue or a routing issue. (Either way, I'm sure the issue is because of something I don't understand or don't have configured properly.)

My LAN uses 192.168.1.0 for a network address. Inside my LAN, I have an HTTPS server on 192.168.1.100. I then configured a port forward so port 443 on the WAN interface forwards to the internal 192.168.1.100 port 443. This actually created two rules:

Under firewall->NAT, I see "WAN, TCP, *, *, WAN Address, 443, 192.168.1.100, 443

Under firewall->rules->WAN, I see "(checkmark), xxx, IPv4, TCP, *, *, 192.168.1.100, 443, *, none, , NAT

For the purpose of this explanation, assume my global IP number is 73.73.73.73.

When I'm external to my LAN, and attempt to go to my global IPv4 address in a web browser (https://73.73.73.73), everything works as expected. The port forward sends the session to the server on 192.168.1.100.

HOWEVER, when I'm on a machine internal to the LAN (behind pfsense), and I go to "https://73.73.73.73", I instead end up on the pfSense management web UI.

My expectation is that, being I'm using an EXTERNAL IP address, that the request would get out to the interface on the pfsense box that has an IPv4 of 73.73.73.73 and then come back in under the WAN interface (and therefore be subject to the port forwarding.)

Here's my (edited) routing table as shown in pfSense… igb0 is my WAN interface, igb1 is the interface of the network that 192.168.1.100 is on, and lagg0_vlan5 is the interface of the network I'm experiencing the issue on:

(Obviously, all these numbers are edited from their originals... so the mask on the WAN interface won't match. Also, please pardon the mix of vlans and non-vlans. I'm still in the process of setting all that up.)


default	73.73.73.1	UGS	150213	1500	igb0	
73.73.73.0/23	link#1	U	109032	1500	igb0	
73.73.73.73	link#1	UHS	0	16384	lo0	
127.0.0.1	link#8	UH	9853	16384	lo0	
192.168.1.0/24	link#2	U	9950785	1500	igb1	
192.168.1.1	link#2	UHS	0	16384	lo0	
192.168.5.0/24	link#11	U	9684502	1500	lagg0_vlan5	
192.168.5.1	link#11	UHS	0	16384	lo0

So… looking at this routing table, a request from 192.168.5.2 (vlan5) to 73.73.73.73 should into the line for 73.73.73.73 on the lo0 interface. Is the problem that the traffic is routing from lo0 instead of from igb0?

How can I fix this?

Thanks
Gary

KOM · Aug 1, 2016, 5:04 PM

https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Nullity · Aug 1, 2016, 5:06 PM

Have your previous router's worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

Do you employ any NAT loopback features?

garyd9 · Aug 1, 2016, 5:18 PM

@KOM:

https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

That answers the question. Thank you.

@Nullity:

Have your previous router's worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

I think so. ;) However, I never really did anything special to configure it, so I'm guessing either they applied the NAT at a different layer or they automatically did something similar to the "pure NAT" stuff described by the link above.

mrfibreoptic · Feb 6, 2024, 6:23 AM

@garyd9 Hi, did you figure this out? ive got the same issue, worked via my old router, can't figure out on my new PFSense router.

ZipleR · Jan 13, 2025, 9:18 AM

@mrfibreoptic I am sorry for replying to a quite old thread, not even sure how I got here. But I am a "historian" and can demystify ancient fables. (if you read cursive, the national archives has a job for you). I'd like to provide at least 1 solution that will solve this for people, so the thread is not a dead end.

This is a common situation that companies run into. They create a local domain called "AnyRandomCompany.com" and join all of their local computers to that domain and then later purchase the public domain which has the same name for their customers/public to access their web site.

Alot of times, the routing will work where they can access the External IP address that the public DNS records are pointing to, but in many other cases (depending on the router/firewall) they cannot.

If you find yourself in this situation, the best solution is to run your own Internal DNS server or forwarder.

A dedicated DNS server (such as PiHole) can have Static DNS entries created that will resolve BEFORE asking the public DNS servers. You can create the Internal DNS A record using the Internal (rather than the External/NAT) IP address.

Many Routers (some people call them Access Points/Modems) also have this capability. Some will call it DNS Forwarder others DNS Records. Some may even call them "Forward lookup zones". The key is to create a local DNS record that your internal hosts can resolve locally while the public DNS records are stored on public DNS servers.

If you only have a single computer or two on your network that need to use the private IP address (not the public one) then you can also modify your hosts file and add an entry for "123.123.123.123 AnyRandomCompany.com"

Hope this helps a few people in the future.