[resolved]accessing internal site from external IP
-
I'm experiencing unexpected behavior with pfSense when trying to access something from inside the NAT using an external IP that points back to the NAT.. (That's confusing, isn't it?) I'm not sure if this is a firewall issue or a routing issue. (Either way, I'm sure the issue is because of something I don't understand or don't have configured properly.)
My LAN uses 192.168.1.0 for a network address. Inside my LAN, I have an HTTPS server on 192.168.1.100. I then configured a port forward so port 443 on the WAN interface forwards to the internal 192.168.1.100 port 443. This actually created two rules:
Under firewall->NAT, I see "WAN, TCP, *, *, WAN Address, 443, 192.168.1.100, 443
Under firewall->rules->WAN, I see "(checkmark), xxx, IPv4, TCP, *, *, 192.168.1.100, 443, *, none, , NAT
For the purpose of this explanation, assume my global IP number is 73.73.73.73.
When I'm external to my LAN, and attempt to go to my global IPv4 address in a web browser (https://73.73.73.73), everything works as expected. The port forward sends the session to the server on 192.168.1.100.
HOWEVER, when I'm on a machine internal to the LAN (behind pfsense), and I go to "https://73.73.73.73", I instead end up on the pfSense management web UI.
My expectation is that, being I'm using an EXTERNAL IP address, that the request would get out to the interface on the pfsense box that has an IPv4 of 73.73.73.73 and then come back in under the WAN interface (and therefore be subject to the port forwarding.)
Here's my (edited) routing table as shown in pfSense… igb0 is my WAN interface, igb1 is the interface of the network that 192.168.1.100 is on, and lagg0_vlan5 is the interface of the network I'm experiencing the issue on:
(Obviously, all these numbers are edited from their originals... so the mask on the WAN interface won't match. Also, please pardon the mix of vlans and non-vlans. I'm still in the process of setting all that up.)
default 73.73.73.1 UGS 150213 1500 igb0 73.73.73.0/23 link#1 U 109032 1500 igb0 73.73.73.73 link#1 UHS 0 16384 lo0 127.0.0.1 link#8 UH 9853 16384 lo0 192.168.1.0/24 link#2 U 9950785 1500 igb1 192.168.1.1 link#2 UHS 0 16384 lo0 192.168.5.0/24 link#11 U 9684502 1500 lagg0_vlan5 192.168.5.1 link#11 UHS 0 16384 lo0So… looking at this routing table, a request from 192.168.5.2 (vlan5) to 73.73.73.73 should into the line for 73.73.73.73 on the lo0 interface. Is the problem that the traffic is routing from lo0 instead of from igb0?
How can I fix this?
Thanks
Gary
-
-
Have your previous router's worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.
Do you employ any NAT loopback features?
-
@KOM:
That answers the question. Thank you.
Have your previous router's worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.
I think so. ;) However, I never really did anything special to configure it, so I'm guessing either they applied the NAT at a different layer or they automatically did something similar to the "pure NAT" stuff described by the link above.
