Allowing access to WAN ports from LAN side



  • Hi,

    I don't know if this is a Firewall, a NAT or a completely different topic, and I wouldn't know how it's generally named, so please let me describe it.

    My pfSense box has its WAN port connected directly to the Internet. It receives a public IP address for it from my ISP using DHCP. Even though it is DHCP, I always receive the same IP address, so no problem there. This IP address is globally DNS registered, so mydomain.eu resolves to this IP address.

    The LAN port is connected to my local network, which uses a class B IP range, 172.xxx.yyy.yyy. I'm running a local DNS resolver with a local domain: mydomain.local.

    I have a couple of IP security cameras in my house, configured with statically mapped DHCP entries and corresponding DNS entries. I'm sorry; I may be using the wrong terminology here. For example, my front camera is accessible on http://speeddome-front.mydomain.local (and sometimes also under http://speeddome-front but that's a future question) on the LAN.

    Now I have created a NAT entry and a corresponding rule to allow access to this camera from the Internet at http://mydomain.eu:8088 and this works almost flawlessly. For the flaws I blame my ISP, so no problems here.

    However, my camera is not accessible on my LAN under http://mydomain.eu:8088. On my LAN it is only accessible under http://speeddome-front.mydomain.local. Does anybody know why? And what setting I need to make this possible? The problem I'm trying to solve is universal access to my cameras on my phone, regardless whether I'm in- or outside the house.

    Thanks a lot in advance.





  • Because mydomain.eu is a WAN address. When you are doing INTRAnet traffic, there is no need to go through the "WAN". So you want to skip WAN altogether, how? Simple. Tell your DNS Resolver, add a static entry that says mydomain.eu=CameraStaticIP.



  • Thank you, guys. Grimson's answer was what I was looking for. Apparently it's called NAT reflection, and it is not the ideal solution. The better alternative is Split DNS, but that won't work if the WAN port differs from the port on the LAN server. In my case, I have a number of security camera servers with web pages on port 80, mapped on WAN ports 8080 and up.

    So I have enabled NAT reflection as described in the linked manual and it works like a charm. Today I learned something new. Thanks again!
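As an added illustration (not from this thread and not pfSense's generated rules), here is what the two approaches come down to in OpenBSD-style pf and Unbound syntax. The interface names, the 172.16.0.0/16 LAN and the camera address 172.16.1.10 are constructed placeholders.

```pf
# --- Split DNS (Unbound host override): only works when LAN and WAN port match ---
# Clients on the LAN resolve mydomain.eu to the camera itself, so they would have
# to use http://mydomain.eu:80, not :8088. That is why it did not fit this setup.
#   local-data: "mydomain.eu. A 172.16.1.10"

# --- NAT reflection: the same port forward applied to traffic arriving on LAN ---
ext_if  = "em0"
int_if  = "em1"
ext_ip  = "203.0.113.10"        # constructed placeholder for the public WAN IP
int_net = "172.16.0.0/16"
cam     = "172.16.1.10"         # speeddome-front, web UI on port 80

# 1. Normal port forward from the Internet: WAN :8088 -> camera :80
rdr on $ext_if proto tcp from any to $ext_ip port 8088 -> $cam port 80

# 2. Reflection: a LAN client connecting to the public IP :8088 is redirected too
rdr on $int_if proto tcp from $int_net to $ext_ip port 8088 -> $cam port 80

# 3. Source NAT on the reflected flow, so the camera answers back through the
#    firewall instead of replying directly to the client (which would break the
#    connection, as the client expects a reply from $ext_ip, not from $cam)
nat on $int_if proto tcp from $int_net to $cam port 80 -> ($int_if)

# Only the forwarded port is exposed; keep the pass rule as narrow as the rdr
pass in on $ext_if proto tcp from any to $cam port 80
pass in on $int_if proto tcp from $int_net to $cam port 80
```

In the pfSense GUI, steps 2 and 3 correspond to enabling NAT reflection on the port forward and the "Automatic outbound NAT for Reflection" option, so the rules above are only what those settings expand to, not something to add by hand.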

