Connection to a WAN address on a LAN



  • Hello,
    I have such a problem, I changed my company's old router to pfsense.
    I have a problem connecting to a server inside a network, namely:

    10.0.0.10 - Server - internal address
    83.82.81.80 - external IP address

    If you are from a computer that is on a local network, connect to the LAN (10.0.0.10) to the server - everything works.
    From a computer that is outside the home network (eg at my home) I connect to the WAN address (83.82.81.80) - everything works (RDP port redirected)
    But
    If a computer that is on a local network connects to a WAN address, it does not establish a connection.

    I am at home, I connect to RDP through the server using address 83.82.81.80. I plug in and everything works, I pack my laptop in the bag, go back to the company, connect to my corporate LAN and I am unable to make a public address call (83.82.81.80) and only at the local server address (10.0.0.10).

    I would like to use an external address to connect to the server, how to do that?

    I have redirected MS RDP ports in Firewall / NAT / PortForward
    Firewall ->NAT -> Outbound -> wybrać "Automatic outbound NAT rule generation
    System ->Advanced -> Firewall & NAT ->

    • Enable NAT Reflection for 1:1 NAT
    • Enable automatic outbound NAT for Reflection


  • @PawelQ:

    I have redirected MS RDP ports in Firewall / NAT / PortForward

    That's a bad idea, anyway.
    It would be recommended to set up a vpn for that. Then you can use the internal IP to connect.

    @PawelQ:

    I would like to use an external address to connect to the server, how to do that?

    If you want to do that though, enable NAT reflection.
    This can be done per NAT rule in the port forwarding rule, option "NAT reflection" at the bottom or globally in System > Advanced > Firewall & NAT, option "NAT Reflection mode for port forwards". Pure NAT should work in most cases.


  • LAYER 8 Global Moderator

    I am with viragomann on both his points..

    Opening up RDP from the public internet is BAD idea!!

    With anything thing you want to forward be it bad or good idea if you want to hit the public IP and get forwarded back in - this is nat reflection and  would have to be setup.  You do not mentioned what you replaced with pfsense.  But most likely it auto allowed such a setup.. While pfsense does not do this out of the box and you would have to setup nat reflection.

    That being said.. Nat reflection normally not good idea.  And normally a sign of lazy configuration..  Simple use of fqdn to access your resource would solve any need for nat reflection.  Since outside the fqdn you use could point t your wan (public IP) and while at the location this FQDN should and could point to the rfc1918 address.



  • Hello.
    Thank you for the response. RDP is more as an example. My anti-virus connects to the database server using a public address, so access should be from both the external and the internal network. If I am at home, I usually connect, get signatures, give reports, but if I'm already in the company, I can not connect to the server that is .. in the company. The old router is: NETGEAR ProSafe VPN Firewall FVS336GV2.

    viragomann Your advice unfortunately did not work.

    Of course I plan to implement VPN, but first I want to restore the original functionality.



  • I don't know which type of NAT reflection you've set now, you may also try "NAT + proxy", but this is what many routers do by default. So if it had worked before it should also work with pfSense.


  • LAYER 8 Global Moderator

    "My anti-virus connects to the database server using a public address"

    So its hardcoded IP or it uses a FQDN to access.  Hard coding IPs BAD… FQDN good!

    If you use FQDN its a simple host dns configuration to have that fqdn resolve to the rfc1918 address of your database server while inside.. And while outside you hit the public IP.


Log in to reply