[resolved] accessing internal site from external IP



  • I'm experiencing unexpected behavior with pfSense when trying to access something from inside the NAT using an external IP that points back to the NAT.  (That's confusing, isn't it?)  I'm not sure if this is a firewall issue or a routing issue.  (Either way, I'm sure the issue is because of something I don't understand or don't have configured properly.)

    My LAN uses 192.168.1.0 for a network address.  Inside my LAN, I have an HTTPS server on 192.168.1.100.  I then configured a port forward so port 443 on the WAN interface forwards to the internal 192.168.1.100 port 443.  This actually created two rules:

    Under firewall->NAT, I see "WAN, TCP, *, *, WAN Address, 443, 192.168.1.100, 443"

    Under firewall->rules->WAN, I see "(checkmark), xxx, IPv4, TCP, *, *, 192.168.1.100, 443, *, none, , NAT"

    For the purpose of this explanation, assume my global IP number is 73.73.73.73.

    When I'm external to my LAN, and attempt to go to my global IPv4 address in a web browser (https://73.73.73.73), everything works as expected.  The port forward sends the session to the server on 192.168.1.100.

    HOWEVER, when I'm on a machine internal to the LAN (behind pfsense), and I go to "https://73.73.73.73", I instead end up on the pfSense management web UI.

    My expectation is that, being I'm using an EXTERNAL IP address, that the request would get out to the interface on the pfsense box that has an IPv4 of 73.73.73.73 and then come back in under the WAN interface (and therefore be subject to the port forwarding.)

    Here's my (edited) routing table as shown in pfSense…  igb0 is my WAN interface, igb1 is the interface of the network that 192.168.1.100 is on, and lagg0_vlan5 is the interface of the network I'm experiencing the issue on:

    (Obviously, all these numbers are edited from their originals... so the mask on the WAN interface won't match.  Also, please pardon the mix of vlans and non-vlans.  I'm still in the process of setting all that up.)

    default	73.73.73.1	UGS	150213	1500	igb0
    73.73.73.0/23	link#1	U	109032	1500	igb0
    73.73.73.73	link#1	UHS	0	16384	lo0
    127.0.0.1	link#8	UH	9853	16384	lo0
    192.168.1.0/24	link#2	U	9950785	1500	igb1
    192.168.1.1	link#2	UHS	0	16384	lo0
    192.168.5.0/24	link#11	U	9684502	1500	lagg0_vlan5
    192.168.5.1	link#11	UHS	0	16384	lo0

    So…  looking at this routing table, a request from 192.168.5.2 (vlan5) to 73.73.73.73 should go into the line for 73.73.73.73 on the lo0 interface.  Is the problem that the traffic is routing from lo0 instead of from igb0?

    How can I fix this?

    Thanks
    Gary





  • Have your previous routers worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

    Do you employ any NAT loopback features?



  • @KOM:

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    That answers the question.  Thank you.

    @Nullity:

    Have your previous routers worked as you expected, in this situation? If so, sharing the related configuration specifics would help us translate that setup to pfSense.

    I think so. ;)  However, I never really did anything special to configure it, so I'm guessing either they applied the NAT at a different layer or they automatically did something similar to the "pure NAT" stuff described by the link above.

