Accessing self hosted sites from the same internal network



  • I hope that description is clear!  I've pored over this question, off and on, for several weeks and I'm rather stumped.  Please pardon my basic level of understanding.

    Scenario: my pfSense setup has a static, external IP (let's say 4.3.2.1 for example) on the WAN interface and my domain, testing.123, points to 4.3.2.1.  I'm hosting a website on my network behind pfSense, on machine (again, fictitious, local IP) 192.168.1.10, and I have a NAT rule in pfSense to forward all incoming http requests to port 80 on 192.168.1.10.  This setup works great - from anywhere else in the world.  Going to testing.123 in your browser takes you right to the website.

    Trying to access testing.123 website from a computer on the same network, let's say my laptop at 192.168.1.20, doesn't work.  (I've reset my pfSense web interface to a non-standard port, so it wouldn't be looking for the web interface instead of the website.)  That's probably obvious to all of you DNS experts reading this (who I hope are reading this!).  If I go to 192.168.1.10 in a browser at home, the site will load but it's pretty slow.  It runs quite speedily when accessed from an external IP.

    Now, let's say I wanted to host something like ownCloud (or Nextcloud) at home, and be able to access it both at home and away from my home network.  I have that on 192.168.1.30 with a NAT rule forwarding https to 192.168.1.30 and it works fine when I'm not at home, but when on the home network the domain can't be resolved.  I'd have to change testing.123 to 192.168.1.30 in the client every time I change locations.

    Is this a situation where I need some redirect rules on the LAN side of the firewall or is this a DNS issue?

    With my basic cable modem as the only firewall between these servers and the internet at large, I just pointed the domain name records at my static IP and everything worked fine, at home or away.  With a basic pfSense setup in the middle, I'm no longer able to get to these sites.  I know if my basic home modem/router combo can do it, pfSense can do it.  But what am I missing?

    A few more details, as I know that's not much to go on.  I've got one WAN interface, configured with the static IP, and one LAN interface which assigns DHCP addresses.  The webserver has a static IP.  NAT incoming connections to port 80 redirected to 192.168.1.10 and the only plugin I've installed is pfBlocker.  The rest is just the out of the box configuration of pfSense 2.3.2.

    Any tips/pointers in the right direction are appreciated!


  • LAYER 8 Global Moderator

    Set up a host override for your testing.123 to point to your 192.168.1.30, or whatever address it is, in the DNS forwarder or the resolver, whichever one you're using.

    Or set up NAT reflection, but that is a less efficient way of doing it. Why bounce outside just to get reflected back in when you're on the same network as your server? Just let pfSense resolve it to your local IP for you.
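
A way to confirm from a client which of the two setups above is in effect, added here as an example and not part of the thread: it classifies what the name resolves to, using the thread's fictitious addresses. The function names `resolve` and `check_override` are hypothetical, and the demo answers are constructed so the block runs offline.

```python
import ipaddress
import socket


def resolve(hostname):
    """IPv4 addresses the local system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return {info[4][0] for info in infos}


def check_override(hostname, lan_ip, wan_ip, resolver=resolve):
    """Classify what this machine gets back for hostname.

    "override"   - only the server's LAN address: the host override is active
    "public"     - the WAN address is returned: LAN clients depend on NAT reflection
    "unresolved" - no answer at all
    "unexpected" - some other address (stale record, wrong override)
    """
    try:
        answers = {ipaddress.ip_address(a) for a in resolver(hostname)}
    except socket.gaierror:
        return "unresolved"
    if not answers:
        return "unresolved"
    if answers == {ipaddress.ip_address(lan_ip)}:
        return "override"
    if ipaddress.ip_address(wan_ip) in answers:
        return "public"
    return "unexpected"


if __name__ == "__main__":
    # Constructed resolver answers standing in for a LAN client and an outside client.
    views = {"LAN client": {"192.168.1.30"}, "outside client": {"4.3.2.1"}}
    for where, answer in views.items():
        result = check_override("testing.123", "192.168.1.30", "4.3.2.1",
                                resolver=lambda name, a=answer: a)
        print(f"{where}: {result}")
```

On a real client, leave out the `resolver` argument so the system resolver is queried; a LAN machine should report `override` once the host override is saved and its DNS cache has expired.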



  • That's been helpful setting me on the right track.  However, I'm not there yet.

    From at home, I can set up https://nextcloud.testing.123 and connect locally - quite speedily since it doesn't leave the internal network.  But, I don't have a wildcard DNS so that doesn't work externally.  I did a port redirect to route all HTTPS to that particular internal IP address and with that (and forcing that server to only serve https, just in case) I can get to https://testing.123/nextcloud from the outside world.

    But, that's two different urls for the sync clients = same problem as before.

    I know I'm still not understanding the host/domain redirects.  But…yeah, I'm not understanding those.  (Using DNS Forwarder, BTW.)

    If I get to the pfSense webconfigurator at https://testing.123:[custom port], then wouldn't a domain redirect for testing.123 to the nextcloud server's IP no longer allow me to get to the pfSense webconfigurator?

    Arguably I shouldn't have that enabled from outside the firewall in the first place, but I had to set up and test an OpenVPN connection externally.  Maybe that's it…more testing ahead!  But thanks for your advice; it's put me on the right track to actually understanding this stuff.


  • LAYER 8 Global Moderator

    So you own testing.123, then create an A record for nextcloud.testing.123.  Or create whatever records you want, something.testing.123 etc.  And if you want that to go to multiple IPs behind pfSense then use a reverse proxy, etc.



  • Well, now I do.  Turns out it's a lot easier with a "real" hostname rather than trying to use one of the free dynamic DNS names.  (That's probably obvious.)

    Anyway, I've finally got it!  Thank you for your help; I probably would still be floundering around with this without it!

