Help with making LAN behave same as WAN
-
We currently run several services that use port mapping (we map an external port to a different internal port).
This is working fine for accessing from outside through the WAN, but we need to make it work the same way from within the LAN.
How can I make the LAN do the same thing? And what would be best practice?
I read I might be able to use NAT 1:1, but that means the LAN IP has to route outside and back in via WAN, which would cause access issues internally if the WAN goes down. Are there other ways I can achieve the same result?
Just as an example, we may map port 4000 on WAN to 3389 RDP on a LAN device. But then using the same port 4000 inside the network fails. It would be great if it worked the same in or out.
-
LAN traffic meant for other clients on the same LAN never touches the firewall and thus cannot be controlled by anything you configure there.
-
SEE ALSO: NAT Reflection
-
@chpalmer I understand that in normal circumstances, but what about via a domain name?
Example: we run mydomain.com, with it set up in HAProxy. If you hit mydomain.com then it goes to the router IP. Just that from external it hits the WAN IP, but internal through Unbound it hits the pfSense IP.
-
@Derelict said in Help with making LAN behave same as WAN:
NAT Reflection
Have been reading that too, but the docs state it's best to use split DNS. So not sure whether it's best practice to use NAT reflection.
-
Yes, Split DNS is the better way to go in general but you cannot translate a port with Split DNS unless, perhaps, the application uses SRV records.
-
@eangulus said in Help with making LAN behave same as WAN:
@chpalmer I understand that in normal circumstances, but what about via a domain name?
You did not mention that so I did not assume. :)
Split DNS is the better way to go in general but you cannot translate a port with Split DNS unless, perhaps, the application uses SRV records.
Which goes back to my comment, eangulus, because LAN devices do not communicate with each other through the router. I guess I should qualify this though, due to your updated information, by referring to Derelict's comment above and say: "Unless you use NAT reflection and use the DNS name".
-
OK, so to clarify.
I point the domain to the pfSense WAN IP, then handle its sub-domains etc. using HAProxy and have NAT Reflection turned on.
Then I should be able to access the domain via LAN or WAN, even when the WAN goes down (and obviously can then only access it via LAN, not remotely).
Looking at the NAT options under Advanced, what would I need here? Pure or Proxy?
-
I handle that by using split DNS.
I tell the HAproxy frontend to listen on a localhost VIP
I port forward the WAN address to that VIP. Outside DNS queries get the WAN address.
Inside hosts get the localhost VIP when they resolve the names.
Works great.
NAT reflection is almost never the best solution.
-
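The layout Derelict describes above, written out as an example haproxy.cfg fragment. This is an added illustration, not the thread author's configuration and not the config the pfSense HAProxy package generates; the addresses (a 10.255.0.1/32 IP alias on the Localhost interface as the VIP, 192.168.1.50:8080 as the backend web server), the certificate path and the port 443 port forward are all assumptions. Only mydomain.com comes from the thread.

```haproxy
# Example haproxy.cfg fragment for the "localhost VIP + split DNS" layout.
# Added for illustration; not generated by the pfSense HAProxy package and
# not Derelict's actual configuration.
#
# Assumed addresses (hypothetical):
#   10.255.0.1/32  IP alias VIP on the Localhost interface of pfSense
#   192.168.1.50   internal web server used as the HAProxy backend
#   mydomain.com   name from the thread: resolves to the WAN IP outside,
#                  and to 10.255.0.1 inside via an Unbound host override
#
# Pieces that live outside this file (pfSense GUI, assumed values):
#   Firewall > NAT > Port Forward:   WAN tcp/443 -> 10.255.0.1:443
#   Services > DNS Resolver > Host Overrides:  mydomain.com -> 10.255.0.1
#   LAN firewall rule permitting tcp/443 to 10.255.0.1

global
    log /var/run/log local0
    # refuse anything older than TLS 1.2 on every bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    option forwardfor

# The frontend binds ONLY on the VIP. Inside clients reach it directly
# (routed to pfSense, no NAT reflection involved); outside clients reach
# it through the WAN port forward. Same frontend, same certificate, both
# paths, and the inside path keeps working when the WAN is down because
# nothing in it depends on the WAN address.
frontend https_in
    bind 10.255.0.1:443 ssl crt /var/etc/haproxy/mydomain.com.pem
    http-request set-header X-Forwarded-Proto https
    acl host_main hdr(host) -i mydomain.com
    use_backend web_main if host_main
    default_backend web_main

# TLS is offloaded here; HAProxy talks plain HTTP to the backend on the
# LAN, which is the trade-off acknowledged later in the thread.
backend web_main
    server web1 192.168.1.50:8080 check
```

A quick check of the split is to resolve mydomain.com from a LAN host and from outside: the inside answer should be the VIP, the outside answer the WAN IP, and a TLS connection to port 443 should present the same certificate either way. The same VIP trick is not limited to HAProxy: for a raw TCP service such as the RDP example in the first post, a port forward whose destination is the VIP (e.g. 10.255.0.1:4000 to the LAN host's 3389) works from either side for the same reason, because the VIP is an address on pfSense itself rather than on the WAN.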
@Derelict Thanks for that method. I never wanted to use NAT Reflection but was thinking it was my only choice.
-
I did it this way because I grew weary of configuring ACME on the various servers.
This way I SSL offload and pfSense handles all the ACME for all of the domains.
Yes, the HAproxy to backend comms are in-the-clear but if someone is sniffing that I'm already owned. Bad.