1:1 NAT is not working internally from LAN
-
Hello
I have an issue with my 1:1 NAT, but I don't find any hint at the moment why it is not working. I've searched on the forum and Google, but found no hint, or I didn't see it.
I've an ISP uplink with 16 IPs: x.x.102.125 gateway, x.x.102.126 pfSense, and in this issue x.x.102.128 for the webserver. I've the following zones inside of the pfSense: WAN, LAN and DMZ.
The 1:1 is going from the external IP (102.126) to the DMZ zone IP of the webserver, 192.168.152.9.
Also a firewall rule from TCP/any to TCP/443 and TCP/80 to 192.168.152.9. From external (like a mobile phone) I can reach the webserver correctly. Everything fine.
As soon as I'm on the LAN interface of the pfSense (like being local or over VPN) I can't reach the webserver anymore over the DNS name. I've activated "Pure NAT", "Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection".
The browser itself is loading, and loading and loading, and after some time it is showing "ERR_CONNECTION_TIMED_OUT". Maybe someone has some tips.
Thank you!
-
Usually one of the NAT reflection modes works. Is split DNS not an option for you? Do you have any rules on your LAN that might interfere with DMZ communication?
-
Sorry for my delay.
Split DNS is not an option for us.
We're blocking traffic from LAN to DMZ and/or DMZ to LAN, but even when I allow a "Master" rule which allows it, it won't work.
What do you mean by "NAT reflection modes work"?
-
System - Advanced - Firewall & NAT - Network Address Translation - NAT Reflection mode for port forwards
-
For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding. And another that does not work with split DNS.
I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router.
I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screenshot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work?
This is my version information:
2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26
2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7
And it's still not working. Thanks a million.
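As an added illustration (not code from this thread or from pfSense), here is a simplified Python model of the three things that decide whether a LAN client can reach the 1:1-NATed webserver from the first post: whether the 1:1 translation is applied on the LAN ingress interface (reflection), where the packet is routed, and which firewall policy is consulted. The LAN subnet and the 203.0.113 prefix standing in for "x.x" are assumed.

```python
# Added example, not pfSense's own logic: a simplified model of reflection for
# a 1:1 NAT mapping. Addresses follow the first post; the 203.0.113.x prefix and
# the LAN subnet are constructed assumptions.
import ipaddress

PUBLIC_WEB = "203.0.113.126"       # external 1:1 address (x.x.102.126 in the post)
DMZ_WEB = "192.168.152.9"          # DMZ webserver behind the 1:1 NAT
ISP_GATEWAY = "203.0.113.125"      # x.x.102.125 in the post
BINAT = {PUBLIC_WEB: DMZ_WEB}      # 1:1 NAT table

NETS = {
    "LAN": ipaddress.ip_network("192.168.151.0/24"),   # assumed LAN subnet
    "DMZ": ipaddress.ip_network("192.168.152.0/24"),
    "WAN": ipaddress.ip_network("203.0.113.112/28"),   # the 16-address ISP block
}

def iface_for(ip):
    """Interface a packet enters or leaves on; anything unknown is via WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "WAN"   # default route: everything else goes out the ISP uplink

def forward(src, dst, dport, reflect_1to1, allow_lan_to_dmz):
    """Return (egress_iface, translated_dst, verdict) for one client SYN."""
    in_if = iface_for(src)
    # Step 1: 1:1 NAT. On WAN the translation always applies. On an internal
    # interface it exists only when reflection for 1:1 NAT is enabled.
    if dst in BINAT and (in_if == "WAN" or reflect_1to1):
        dst = BINAT[dst]
    out_if = iface_for(dst)
    # Step 2: without reflection the packet keeps the public destination and is
    # routed out WAN toward the ISP gateway; the client never gets an answer.
    if out_if == "WAN" and dst == PUBLIC_WEB:
        return (out_if, dst, "TIMEOUT: sent to ISP gateway " + ISP_GATEWAY)
    # Step 3: firewall rules see the *translated* destination, so for a LAN
    # client the LAN->DMZ policy decides, not the WAN rule for 80/443.
    if in_if == "LAN" and out_if == "DMZ" and not allow_lan_to_dmz:
        return (out_if, dst, "BLOCKED: LAN->DMZ rule")
    if dport not in (80, 443):
        return (out_if, dst, "BLOCKED: port not allowed")
    return (out_if, dst, "PASS")
```

Running the LAN client case with reflection off reproduces the browser timeout from the first post; with reflection on but LAN-to-DMZ blocked it fails on the internal rule, which is what the second reply asks about.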