Cannot access services through WAN IP from internal network
-
I have been unable to access any of my internal resources through my WAN IP for some time now. This significantly impacts my testing work, but I haven't been able to resolve it, so I put it on the back burner. I had a more pressing issue this week and reached out to this forum. To my delight, the fast responses and expertise I was met with have encouraged me to reach out about this issue as well. I followed the directions here: https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks for Method 1: NAT Reflection, to no avail. I do not want to use split DNS because that method would invalidate my testing. Any help is greatly appreciated. At present I am having to use a cell hotspot and a separate dedicated machine connected to it for my testing. This is a clunky and expensive, hopefully very temporary, solution that I very much would like to rid myself of!
-
| I have been unable to access any of my internal resources through my WAN IP |
What do you need to access to?
I think you just need to do some Port Forwards. (Firewall / NAT / Port Forward)
-
If you need NAT Reflection, it works.
You'll have to provide more information. Like the rules on the interface you are testing from, the port forwards you are testing, the NAT Reflection settings, and what you get when it doesn't work.
-
The reason accessing WAN resources (port forwards, I'm assuming) from LAN isn't working is because traffic coming in through the LAN interface doesn't match the NAT rules set on the WAN. For that you'll need NAT Reflection (which it looks like you already know). Your NAT reflection setup is probably incorrect. If you can post some screens of your setup on the NAT table we can better assist you, but to sum it up: you want to take the WAN port forwards you currently have and copy them, but change the interface to LAN (or whatever interface needs the reflection for multi-interface setups).
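As an added illustration of the point above (this is not code from the thread or from pfSense itself), the toy model below mimics pf-style rdr matching: a port forward is bound to the interface the packet arrives on, so a LAN client hitting the WAN IP misses the WAN-bound rule until a reflected copy exists on LAN, and when client and server share a subnet the reflected flow also needs the firewall to source-NAT it (pfSense's Pure NAT mode with automatic outbound NAT for reflection), or the server replies straight to the client from its private address. All addresses, ports and interface names are constructed for the example.

```python
# Added example, not from the thread: a toy model of pf-style rdr matching on pfSense.
# It shows why a LAN client connecting to the WAN IP misses a WAN-bound port forward,
# and why the reflected copy on LAN also needs source NAT so the server's reply comes
# back through the firewall. All addresses, ports and interface names are constructed.
WAN_IP, CLIENT, SERVER, PORT = "203.0.113.10", "192.168.1.20", "192.168.1.50", 27015

# rdr rules: (ingress interface, destination, dport) -> internal target
WAN_FORWARDS = {("wan", WAN_IP, PORT): SERVER}

def reflect(rules, inside_ifaces, hairpin_nat=True):
    """Copy every WAN rdr onto each inside interface (what pfSense reflection does).
    hairpin_nat=True also source-NATs the reflected flow to the firewall (Pure NAT)."""
    reflected = dict(rules)
    nat_src = set()
    for (iface, dst, dport), target in rules.items():
        if iface == "wan":
            for inner in inside_ifaces:
                reflected[(inner, dst, dport)] = target
                if hairpin_nat:
                    nat_src.add((inner, dst, dport))
    return reflected, nat_src

def connect(rules, nat_src, iface, src, dst, dport):
    """Simulate one flow. Returns (delivered_to, reply_usable_by_client).
    Without a matching rdr the packet lands on the firewall's own address, so the
    game port looks closed; without hairpin NAT a same-subnet server replies directly
    to the client from its private address, not WAN_IP, and the client discards it."""
    key = (iface, dst, dport)
    target = rules.get(key)
    if target is None:
        return dst, False                      # hits the firewall itself: closed
    if key in nat_src:                         # src rewritten to the firewall
        return target, True                    # reply transits pf and is un-NATed
    same_subnet = src.rsplit(".", 1)[0] == target.rsplit(".", 1)[0]
    return target, not same_subnet             # off-subnet replies route via pf

def scenarios():
    plain = connect(WAN_FORWARDS, set(), "lan", CLIENT, WAN_IP, PORT)
    no_nat_rules, _ = reflect(WAN_FORWARDS, ["lan"], hairpin_nat=False)
    no_nat = connect(no_nat_rules, set(), "lan", CLIENT, WAN_IP, PORT)
    rules, nat_src = reflect(WAN_FORWARDS, ["lan"])
    pure_nat = connect(rules, nat_src, "lan", CLIENT, WAN_IP, PORT)
    outside = connect(WAN_FORWARDS, set(), "wan", "198.51.100.7", WAN_IP, PORT)
    return {"outside": outside, "no_reflection": plain,
            "reflection_without_nat": no_nat, "reflection_pure_nat": pure_nat}
```

Only the "reflection_pure_nat" and "outside" scenarios yield a usable reply; the first two are what the "ports look closed from inside" symptom looks like.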
-
"I do not want to use split DNS because that method would invalidate my testing"
How is that exactly?
If you explain what you're wanting to accomplish then we can go over the different ways to accomplish your goals.
-
If you need NAT Reflection, it works.
You'll have to provide more information. Like the rules on the interface you are testing from, the port forwards you are testing, the NAT Reflection settings, and what you get when it doesn't work.
For testing currently I am just trying to hit a game server from the WAN IP. Here is a screenshot showing the rules on the NAT page. The servers are accessible from outside.

-
"I do not want to use split DNS because that method would invalidate my testing"
How is that exactly?
If you explain what you're wanting to accomplish then we can go over the different ways to accomplish your goals.
Thanks for your reply.
I would like to be able to test as close a situation as possible to an outside client hitting my service, so I can verify all pieces in between are functioning as expected. Split DNS only tests the end service, but not the networking from the outside, through the perimeter, through the network, to the service.
-
If you need NAT Reflection, it works.
You'll have to provide more information. Like the rules on the interface you are testing from, the port forwards you are testing, the NAT Reflection settings, and what you get when it doesn't work.
For testing currently I am just trying to hit a game server from the WAN IP. Here is a screenshot showing the rules on the NAT page. The servers are accessible from outside.
Post your firewall rules on your WAN interface. You're probably missing a rule there.
If the rule exists, then you've got a firewall on the server side causing issues, as your NAT rules look good to go.
-
If you need NAT Reflection, it works.
You'll have to provide more information. Like the rules on the interface you are testing from, the port forwards you are testing, the NAT Reflection settings, and what you get when it doesn't work.
For testing currently I am just trying to hit a game server from the WAN IP. Here is a screenshot showing the rules on the NAT page. The servers are accessible from outside.
Thanks for your reply. Here are the firewall rules on the WAN interface. The redacted sections are blocks of alias lists I maintain.
Post your firewall rules on your WAN interface. You're probably missing a rule there.
If the rule exists, then you've got a firewall on the server side causing issues, as your NAT rules look good to go.

-
Split DNS only tests the end service; but not the networking from the outside, through the perimeter, through the network, to the service.
NAT reflection doesn't test those either. If you want to test from the outside, then do that.
You have still not provided details about what you are trying to do. Specific addresses, specific ports, NAT reflection settings, etc. Crystal ball is foggy.
-
Split DNS only tests the end service; but not the networking from the outside, through the perimeter, through the network, to the service.
NAT reflection doesn't test those either. If you want to test from the outside, then do that.
You have still not provided details about what you are trying to do. Specific addresses, specific ports, NAT reflection settings, etc. Crystal ball is foggy.
Oh, sorry about that. I have 2 goals. One is a work goal that I cannot discuss in detail. The other is to be able to join locally hosted game servers. I imagine split DNS would solve the game server issue. These are mostly Valve game servers, so ports in the 27000+ range. I can join them by manually entering the local IP from the console in the game. So, this one isn't a big problem. When you say "NAT reflection doesn't test those either. If you want to test from the outside, then do that." do you mean using NAT reflection somehow doesn't allow traffic destined for my public IP to be routed externally and then back in through the WAN IP? My understanding is that split DNS will just resolve to a different (internal) IP when the source comes from an internal IP. My hope was that NAT reflection would allow me to keep my destination set to my WAN IP and still allow the traffic to reach its destination, even when coming from an IP behind the WAN IP. I have been able to do this with other routers in the past. I just can't seem to get it to work with my pfSense router, and pfSense has way too many benefits to go back to anything else.
-
NAT reflection is not testing connectivity from the outside, as you stated you want to test. If you want to test that you need to test from the outside.
NAT reflection tests NAT reflection. It allows the convenience of inside hosts being able to connect to the outside IP address from the inside, but it does nothing to actually test connectivity from the outside.
And it works. If it is not working you have it configured incorrectly.
-
Since 2.3.2 my forwarding stopped working too. I didn't change any config. I played with NAT reflection etc. Tried it all, ports still closed.
-
NAT reflection is not testing connectivity from the outside, as you stated you want to test. If you want to test that you need to test from the outside.
NAT reflection tests NAT reflection. It allows the convenience of inside hosts being able to connect to the outside IP address from the inside, but it does nothing to actually test connectivity from the outside.
And it works. If it is not working you have it configured incorrectly.
I believe I understand what you are saying, but I think there is some confusion around this situation. I only want to test that connections coming from inside destined for my WAN IP are able to make it to their destination without using split DNS, which would resolve the WAN IP to an internal private IP because the source is coming from an internal address. Does that make sense, or is NAT reflection doing the same type of conversion? Also, I agree it must be misconfigured since it is failing, but I followed the guide exactly without success. This is why I am confused.