Split DNS vs NAT Reflection

  • @johnpoz:

    Why is local name resolution not a easier and more elegant solution then sending packets through your firewall twice?

    It's not easier because if I'm configuring multiple small sites that's an additional configuration, and one that's hard coded, for every site. It's not more elegant because defeats the potential for redundancy if I want to have things load balanced off site.

    Just what I love for performance is hair pin all my connection through the interface and firewall rules.. Makes for super speedy great use off all resource involved..

    There will currently be 10 users, and in the future never more than 20, at the local site using this in my implementation. Everything the site is serving locally is dynamic text and all images, etc come from a CDN. I'm pretty sure my firewall running on an 8-core processor can handle the extra traffic.


    And the objective is a pointless utter waste of time with one click over ride and your done.. And to be honest shouldn't even be a possible thing to do.. Nat reflection is a HACK..

    As mentioned above. No. It's not 1 click. Also, while we might inherently trust our local network, please explain why we should bypass the firewall entirely for local traffic rather than follow the firewall rules that apply to that IP address. That makes no sense at all as it has the potential to be a security issue, And to be honest shouldn't even be a possible thing to do..

  • LAYER 8 Global Moderator

    what does nat reflection have to do with redundancy?  So your saying your public fqdn points to different IP if site A becomes unavailable?  Your dns changes to point to site B?  If so that might be an actual use case that makes sense to use a public IP.

    But since your users are going local anyway.  What is the likelyhood that their local site is down and you would want them to go to some remote site?  What if there internet is down and can not even resolve the public dns?  In the case where you use split your local users would still have access to the site your hosting local, etc.

    Setup your local dns to direct to another site as well if it goes offline..  Not that hard to do with simple script to check, and change the record.

    As to a firewall rule.. If your on the local segment you can put all the firewall rules you want into pfsense doesn't stop me from talking to the box that is on the same L2 as user..  What rules are you putting in place for wan are not taken into account on a nat reflection anyway.  Now if you put your httpd on segment different than your users local then sure you can firewall segment A from segment B and your still not doing nat reflection.

    Your possible use of a fqdn that resolves public might be a possible valid use case, but without understanding the details prob not.  If users in site A can not get to site A because its down.. You more than likely have problem with site A that prob either of higher priority then site A service not being available to the public internet, or could also prevent them from getting to site B, etc.

    If your failover detects that site A is down because can not get to it from public internet because public internet is down at site A, how do users know to go to this other site or even get there, or resolve this public IP in the first place?  So your saying the local site has the public IP already - if so how does it change to the failover site?