Netgate Discussion Forum

[resolved]accessing internal site from external IP

Firewalling
garyd9, Aug 1, 2016, 4:44 PM (last edited Aug 1, 2016, 5:18 PM)

    I'm experiencing unexpected behavior with pfSense when trying to access something from inside the NAT using an external IP that points back to the NAT. (That's confusing, isn't it?) I'm not sure if this is a firewall issue or a routing issue. (Either way, I'm sure the issue is because of something I don't understand or don't have configured properly.)

    My LAN uses 192.168.1.0 for a network address. Inside my LAN, I have an HTTPS server on 192.168.1.100. I then configured a port forward so port 443 on the WAN interface forwards to the internal 192.168.1.100 port 443. This actually created two rules:

    Under firewall->NAT, I see "WAN, TCP, *, *, WAN Address, 443, 192.168.1.100, 443"

    Under firewall->rules->WAN, I see "(checkmark), xxx, IPv4, TCP, *, *, 192.168.1.100, 443, *, none, , NAT"

    For the purpose of this explanation, assume my global IP number is 73.73.73.73.

    When I'm external to my LAN, and attempt to go to my global IPv4 address in a web browser (https://73.73.73.73), everything works as expected.  The port forward sends the session to the server on 192.168.1.100.

    HOWEVER, when I'm on a machine internal to the LAN (behind pfsense), and I go to "https://73.73.73.73", I instead end up on the pfSense management web UI.

    My expectation is that, being I'm using an EXTERNAL IP address, that the request would get out to the interface on the pfsense box that has an IPv4 of 73.73.73.73 and then come back in under the WAN interface (and therefore be subject to the port forwarding.)

    Here's my (edited) routing table as shown in pfSense…  igb0 is my WAN interface, igb1 is the interface of the network that 192.168.1.100 is on, and lagg0_vlan5 is the interface of the network I'm experiencing the issue on:

    (Obviously, all these numbers are edited from their originals... so the mask on the WAN interface won't match.  Also, please pardon the mix of vlans and non-vlans.  I'm still in the process of setting all that up.)

    
    Destination	Gateway	Flags	Use	Mtu	Netif
    default	73.73.73.1	UGS	150213	1500	igb0
    73.73.73.0/23	link#1	U	109032	1500	igb0
    73.73.73.73	link#1	UHS	0	16384	lo0
    127.0.0.1	link#8	UH	9853	16384	lo0
    192.168.1.0/24	link#2	U	9950785	1500	igb1
    192.168.1.1	link#2	UHS	0	16384	lo0
    192.168.5.0/24	link#11	U	9684502	1500	lagg0_vlan5
    192.168.5.1	link#11	UHS	0	16384	lo0

    So… looking at this routing table, a request from 192.168.5.2 (vlan5) to 73.73.73.73 should fall into the line for 73.73.73.73 on the lo0 interface. Is the problem that the traffic is routing from lo0 instead of from igb0?

    How can I fix this?

    Thanks
    Gary

    KOM, Aug 1, 2016, 5:04 PM

      https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Nullity, Aug 1, 2016, 5:06 PM

        Have your previous routers worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

        Do you employ any NAT loopback features?

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

    garyd9, Aug 1, 2016, 5:18 PM

          @KOM:

          https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          That answers the question.  Thank you.

          @Nullity:

          Have your previous routers worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

          I think so. ;)  However, I never really did anything special to configure it, so I'm guessing either they applied the NAT at a different layer or they automatically did something similar to the "pure NAT" stuff described by the link above.

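The "pure NAT" reflection that the linked article describes, written out as classic pf translation rules for the interfaces and addresses in this thread. This is an added illustration, not text from the original posts and not pfSense's own generated ruleset (pfSense writes equivalent rules itself when NAT reflection is enabled on the port forward); the macro names and the filter rule are my assumptions, while the interface names and addresses come from Gary's routing table.

```pf
# Illustrative pf.conf fragment for Gary's setup (added example, not
# pfSense-generated). Macro names are assumptions; addresses and interfaces
# are taken from the routing table posted above.
ext_if   = "igb0"          # WAN, holds 73.73.73.73
lan_if   = "igb1"          # 192.168.1.0/24, where the HTTPS server lives
vlan5_if = "lagg0_vlan5"   # 192.168.5.0/24, where the client in the question sits
wan_ip   = "73.73.73.73"
web_srv  = "192.168.1.100"

# 1. The existing port forward. Only packets ARRIVING on the WAN interface are
#    redirected. A packet from an internal client to 73.73.73.73 never arrives
#    there: the /32 host route delivers it to pfSense itself (lo0), so it hits
#    the webGUI listener on 443 instead of being forwarded.
rdr on $ext_if inet proto tcp from any to $wan_ip port 443 -> $web_srv port 443

# 2. Reflection: repeat the redirect on the internal interfaces, so a packet
#    entering from VLAN 5 or LAN with destination 73.73.73.73:443 is rewritten
#    to 192.168.1.100:443 before the routing decision is made.
rdr on { $lan_if $vlan5_if } inet proto tcp from any to $wan_ip port 443 \
    -> $web_srv port 443

# 3. Hairpin fix for clients on the SAME subnet as the server (192.168.1.0/24).
#    Without it the server replies directly to the client's LAN address; the
#    client sees a reply from 192.168.1.100 to a SYN it sent to 73.73.73.73 and
#    drops or resets it. Rewriting the source to the LAN interface address
#    forces the reply back through pf. VLAN 5 clients do not need this, since
#    their replies already traverse pfSense.
nat on $lan_if inet proto tcp from $lan_if:network to $web_srv port 443 \
    -> ($lan_if)

# 4. Filter side: pass the redirected traffic on the inbound interfaces. The
#    destination is the post-translation address, matching the auto-added WAN
#    rule quoted in the question.
pass in quick on { $lan_if $vlan5_if } inet proto tcp from any to $web_srv port 443 keep state
```

Reflection only makes the public address reachable from inside; the split-DNS approach described later in the thread avoids the hairpin entirely by resolving the name to 192.168.1.100 for internal hosts.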
    mrfibreoptic @garyd9, Feb 6, 2024, 6:23 AM

            @garyd9 Hi, did you figure this out? I've got the same issue, worked via my old router, can't figure out on my new pfSense router.

    ZipleR @mrfibreoptic, Jan 13, 2025, 9:18 AM

              @mrfibreoptic I am sorry for replying to a quite old thread, not even sure how I got here. But I am a "historian" and can demystify ancient fables. (if you read cursive, the national archives has a job for you). I'd like to provide at least 1 solution that will solve this for people, so the thread is not a dead end.

              This is a common situation that companies run into. They create a local domain called "AnyRandomCompany.com" and join all of their local computers to that domain and then later purchase the public domain which has the same name for their customers/public to access their web site.

              A lot of times, the routing will work where they can access the External IP address that the public DNS records are pointing to, but in many other cases (depending on the router/firewall) they cannot.

              If you find yourself in this situation, the best solution is to run your own Internal DNS server or forwarder.

              A dedicated DNS server (such as PiHole) can have Static DNS entries created that will resolve BEFORE asking the public DNS servers. You can create the Internal DNS A record using the Internal (rather than the External/NAT) IP address.

              Many Routers (some people call them Access Points/Modems) also have this capability. Some will call it DNS Forwarder others DNS Records. Some may even call them "Forward lookup zones". The key is to create a local DNS record that your internal hosts can resolve locally while the public DNS records are stored on public DNS servers.

              If you only have a single computer or two on your network that need to use the private IP address (not the public one) then you can also modify your hosts file and add an entry for "123.123.123.123 AnyRandomCompany.com"

              Hope this helps a few people in the future.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.