    nat reflection when traffic is from lan to dmz

    NAT
    miguelmirandag:

      Hi, I have migrated from a Fortigate UTM to pfSense; I am very impressed with the overall ease of configuration.
      However, I am facing a problem that I did not have before with the Fortigate FW. My topology is very simple:

      internet -> core router -> pfsense

      pfSense has 3 interfaces: WAN, LAN and DMZ (renamed from OPT1). In the DMZ I have a Plesk panel running a mail/web server; I also have an IPTV middleware server, both using RFC 1918 networks NATed by pfSense on WAN using public IP addresses for outside access. For several factors that I cannot change right now, I have a mobile application that uses the IPTV server's public IP to connect to the middleware system.
      NAT is working fine from the outside (public internet). I have enabled NAT reflection globally for port forward settings; if I connect to the IPTV server from the DMZ network all is working fine, so NAT reflection is working within the same DMZ network. This is not happening if I connect to the IPTV server (via its NATed public IP) from the LAN network: there is a timeout, and if I run a tracert command the packet goes to the public internet via the WAN connection instead of redirecting me to the internal IPTV server in the DMZ network. Split horizon won't help me here because the application is configured internally to use the public IP address, not an FQDN.
      How can I make this configuration? Am I missing something, maybe a redirect rule? If so, where do I have to configure it, in outbound NAT or on the LAN interface?

      viragomann:

        Do you have a firewall rule on LAN in place to allow that access?

        @miguelmirandag said in nat reflection when traffic is from lan to dmz:

        if I run a tracert command the packet goes to the public internet via the WAN connection instead of redirecting me to the internal IPTV server in the DMZ network.

        Consider that the tracert packets are not covered by the NAT rule for the IPTV.

        miguelmirandag:

          Yes, I have a rule that permits traffic from LAN to DMZ, and all is working fine when using the internal IP on every interface. The problem is that if I try to access the server in the DMZ from LAN using the server's public IP address configured in the outbound rule, it does not work. For example:

          lan network: 192.168.10.0/20
          dmz network: 192.168.20.0/24
          wan public ip for nat using port forward: 45.177.55.2

          If I try to access port 80 of the Plesk server from LAN using the internal address, all works fine. If I try to access port 80 of the Plesk server from LAN using its NATed address, I get a timeout, so:

          192.168.10.5 -> 192.168.20.10:80 -> ok
          192.168.10.5 -> 45.177.55.2:80 -> timeout

          The NAT rule is a port forward on WAN: when the destination is 45.177.55.2, translate it to 192.168.20.10. Connections from outside work fine. If I try to connect to the DMZ server using the public IP address from another host in the DMZ network, the connection is correctly forwarded to the internal IP, so NAT reflection is working fine, but only from the same DMZ network.

          viragomann:

            Maybe your pfSense is listening on port 80 on the LAN interface, with a rule containing "This firewall" as the destination? Check all NAT and firewall rules.

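As an added example (not part of the thread and not pfSense code), the following Python models the order in which pf applies rdr, filter and nat rules to the port forward posted above: rdr on the inbound interface, then the filter against the translated destination, then nat on the outbound interface. It shows why a DMZ host reaching the public IP works only when a reflection rdr on DMZ is paired with an outbound NAT rule (same-subnet case), why a LAN host needs a reflection rdr on LAN plus a LAN pass rule but no extra NAT, and why tracert probes fall through to the WAN because the rdr matches only TCP/80. It does not diagnose the poster's box. The WAN subnet, the LAN and DMZ gateway addresses, the DMZ pass rule and the exact rule text are assumptions; the rules are hand-written approximations of what pfSense emits for "Pure NAT" reflection, not its generated pf.conf.

```python
"""Toy model of pf translation order (rdr on the inbound interface, then the
filter, then nat on the outbound interface) for the port forward in this thread.
Constructed example: addresses are the ones posted; rule text, the WAN subnet
and the LAN/DMZ gateway addresses are assumptions, not pfSense output."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP, NET = ipaddress.ip_address, lambda s: ipaddress.ip_network(s, strict=False)

# 192.168.10.0/20 is kept as posted; as a network it normalises to 192.168.0.0/20.
IFACES = {
    "wan": {"addr": IP("45.177.55.2"), "net": NET("45.177.55.0/24")},   # subnet assumed
    "lan": {"addr": IP("192.168.10.1"), "net": NET("192.168.10.0/20")},  # gateway assumed
    "dmz": {"addr": IP("192.168.20.1"), "net": NET("192.168.20.0/24")},  # gateway assumed
}
PUBLIC, SERVER, ANY = IP("45.177.55.2"), IP("192.168.20.10"), NET("0.0.0.0/0")

@dataclass
class Rdr:   # port forward or reflection rule: rewrites the destination on the way in
    iface: str; proto: str; dst: ipaddress.IPv4Address; dport: int; to: ipaddress.IPv4Address
    def pf(self) -> str:
        return f"rdr on {self.iface} proto {self.proto} from any to {self.dst} port {self.dport} -> {self.to}"

@dataclass
class Nat:   # outbound NAT: rewrites the source on the way out (needed only for same-subnet reflection)
    iface: str; proto: str; src_net: ipaddress.IPv4Network; dst: ipaddress.IPv4Address; dport: int
    def pf(self) -> str:
        return (f"nat on {self.iface} proto {self.proto} from {self.src_net} "
                f"to {self.dst} port {self.dport} -> ({self.iface})")

@dataclass
class Pass:  # filter rule; pf evaluates it against the destination *after* rdr
    iface: str; proto: str; src_net: ipaddress.IPv4Network; dst_net: ipaddress.IPv4Network; dport: Optional[int]
    def pf(self) -> str:
        proto = f" proto {self.proto}" if self.proto != "any" else ""
        port = f" port {self.dport}" if self.dport else ""
        return f"pass in on {self.iface}{proto} from {self.src_net} to {self.dst_net}{port}"

PORT_FORWARD = Rdr("wan", "tcp", PUBLIC, 80, SERVER)
BASE_PASS = [
    Pass("wan", "tcp", ANY, NET("192.168.20.10/32"), 80),   # the rule pfSense adds with the port forward
    Pass("lan", "any", IFACES["lan"]["net"], ANY, None),    # the default "LAN net to any" rule
    Pass("dmz", "any", IFACES["dmz"]["net"], ANY, None),    # assumed: DMZ hosts may reach anything
]
WITHOUT_REFLECTION = {"rdr": [PORT_FORWARD], "nat": [], "pass": BASE_PASS}
WITH_REFLECTION = {
    "rdr": [PORT_FORWARD,
            Rdr("lan", "tcp", PUBLIC, 80, SERVER),   # reflection copies of the forward on LAN ...
            Rdr("dmz", "tcp", PUBLIC, 80, SERVER)],  # ... and on DMZ
    # Same-subnet case only: without this the server answers the DMZ client directly from
    # 192.168.20.10, the client expected 45.177.55.2, and the handshake is reset.
    "nat": [Nat("dmz", "tcp", IFACES["dmz"]["net"], SERVER, 80)],
    "pass": BASE_PASS,
}

def route(dst: ipaddress.IPv4Address) -> str:
    """Egress interface: a directly connected subnet, otherwise the default route via WAN."""
    return next((n for n, i in IFACES.items() if n != "wan" and dst in i["net"]), "wan")

def forward(ruleset: dict, in_iface: str, proto: str, src: str, dst: str, dport: Optional[int]) -> dict:
    """Trace the first packet of a connection: rdr -> filter -> route -> nat, in pf's order."""
    src, dst = IP(src), IP(dst)
    rdr = next((r for r in ruleset["rdr"] if r.iface == in_iface and r.proto == proto
                and r.dst == dst and r.dport == dport), None)
    if rdr:
        dst = rdr.to
    if not any(p.iface == in_iface and p.proto in (proto, "any") and src in p.src_net
               and dst in p.dst_net and p.dport in (dport, None) for p in ruleset["pass"]):
        return {"verdict": f"blocked by filter on {in_iface}", "out": None, "src": str(src), "dst": str(dst)}
    out_iface = route(dst)
    nat = next((n for n in ruleset["nat"] if n.iface == out_iface and n.proto == proto
                and src in n.src_net and n.dst == dst and n.dport == dport), None)
    if nat:
        src = IFACES[out_iface]["addr"]
    if rdr is None and dst == PUBLIC:
        verdict = f"not reflected on {in_iface}: sent upstream via {out_iface}"
    elif rdr and out_iface == in_iface and nat is None:
        verdict = "reflected, but the server replies to the client directly; reply bypasses the firewall"
    else:
        verdict = "ok"
    return {"verdict": verdict, "out": out_iface, "src": str(src), "dst": str(dst)}

def pf_conf(ruleset: dict) -> list:
    """The ruleset in pf syntax, translation rules before filter rules as pf.conf requires."""
    return [r.pf() for r in ruleset["nat"] + ruleset["rdr"] + ruleset["pass"]]

if __name__ == "__main__":
    print("\n".join(pf_conf(WITH_REFLECTION)))
    flows = [("wan", "tcp", "203.0.113.7", "45.177.55.2", 80),      # from the internet
             ("dmz", "tcp", "192.168.20.50", "45.177.55.2", 80),    # DMZ host via the public IP
             ("lan", "tcp", "192.168.10.5", "45.177.55.2", 80),     # the failing case in the thread
             ("lan", "icmp", "192.168.10.5", "45.177.55.2", None)]  # tracert probes: no rdr matches
    for label, rs in (("without reflection", WITHOUT_REFLECTION), ("with reflection", WITH_REFLECTION)):
        print(f"\n-- {label}")
        for f in flows:
            print(f"{f[0]} {f[1]} {f[2]} -> {f[3]}: {forward(rs, *f)['verdict']}")
```

In pfSense terms the rdr copies on LAN and DMZ are what "NAT Reflection mode for port forwards: Pure NAT" produces, and the nat rule on DMZ is what "Enable automatic outbound NAT for Reflection" adds for clients on the same subnet as the server; both live under System > Advanced > Firewall & NAT, and a port forward's own "NAT reflection" setting can override the global one. The model is deliberately simple: it ignores rule ordering within a section, the "NAT + Proxy" mode (which terminates the TCP connection on the firewall instead), and any rule whose destination is the firewall itself, which is exactly the sort of thing viragomann suggests checking for on LAN port 80.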