Accessing my own backup service



  • Hi,

    I'm trying to access my own backup service from my LAN using the IP:port of the WAN side. The port seems to be closed from inside my LAN, but not from outside. I'm doing this because I want to configure the backup client with the external IP and port, so the backup works when I'm using my laptop outside my LAN.

    Do I have to add any rule in pfSense to get this working?

    Setup
    (numbers are changed)

    • External IP: 98.128.171.45
    • Port exposed by the router on the WAN side: 12345, including the NAT rule.
    • The backup service runs on the LAN at 192.168.5.123:12345.
    • The backup client on the laptop is configured to use 98.128.171.45:12345 (external IP) when connecting to the backup service.

    What is happening?

    • Port 12345 is accessible from the internet (tested with ShieldsUP).
    • The backup client fails to connect to the backup service when the laptop is on the LAN.
    • The backup client can connect and back up when the laptop is using the VPN.
    • I can see the traffic (in the pfSense webUI) from my laptop on the LAN being passed to the external IP 98.128.171.45:12345 by this rule (screenshot attached).
    • For some reason the ports 22, 80, 443 (maybe more) are reported as open from the pfSense command prompt, but on ShieldsUP they are stealth:
    $ nc -z -v -w4 98.128.171.45 12345
    connect to 98.128.171.45 port 12345 (tcp) failed: Operation timed out

    $ nc -z -v -w4 98.128.171.45 80
    Connection to 98.128.171.45 80 port [tcp/http] succeeded!

    • A similar setup is working at another site, but with a UniFi router and another ISP, with only port forwarding rules on the router.

    Thank you! Tomas


  • Netgate Administrator

    The correct way to do this is to use a hostname and split DNS so it resolves to the internal IP when you're on the LAN, but you can also just enable NAT reflection.

    https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

    Steve
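
To make the two options in Steve's answer concrete, here is an added model of the firewall's decision for one inbound TCP SYN. It is not code from the thread or from pfSense; it reproduces the behaviour Tomas observed (LAN client to WAN IP:12345 times out, ShieldsUP sees 12345 open but 22/80/443 stealth, reflection fixes it) and then shows how split DNS avoids the hairpin altogether. The firewall LAN address 192.168.5.1, the hostname backup.example.com, the set of ports the firewall itself listens on, and the sample client addresses are assumptions made for the example. The nc tests in the post were run on the firewall itself; the model treats them like a LAN client, since the same "port forward bound to WAN does not match" logic applies.

```python
"""Added model (not from the thread or from pfSense) of why a LAN client
connecting to its own WAN IP:port times out unless NAT reflection is on,
and how split DNS avoids hairpin NAT entirely."""
from dataclasses import dataclass
from typing import Dict, Tuple
import ipaddress

# Addresses from the thread (the poster notes they are changed anyway).
WAN_IP = "98.128.171.45"
LAN_NET = ipaddress.ip_network("192.168.5.0/24")
BACKUP_SERVER = ("192.168.5.123", 12345)

# Assumptions not stated in the thread: the firewall's LAN address, the
# hostname used for split DNS, and the ports the firewall itself listens
# on (webGUI on 443 with the port 80 redirect, plus SSH).
FW_LAN_IP = "192.168.5.1"
BACKUP_HOSTNAME = "backup.example.com"
FIREWALL_LISTENERS = {22, 80, 443}

# The port forward as described in the post: WAN interface only, TCP 12345.
PORT_FORWARD = {"iface": "WAN", "dport": 12345, "target": BACKUP_SERVER}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def ingress_interface(pkt: Packet) -> str:
    """A packet from a LAN address enters on LAN; anything else is from WAN."""
    return "LAN" if ipaddress.ip_address(pkt.src) in LAN_NET else "WAN"


def firewall(pkt: Packet, nat_reflection: bool = False) -> Tuple[str, str]:
    """Return (verdict, detail) for one TCP SYN arriving at the firewall.

    verdict is one of: connected, timeout, dropped, firewall-service.
    """
    iface = ingress_interface(pkt)

    # Not addressed to the firewall's WAN IP: ordinary routing, no NAT needed.
    if pkt.dst != WAN_IP:
        return "connected", f"routed normally to {pkt.dst}:{pkt.dport}"

    # A plain port forward only matches on the interface it is bound to;
    # NAT reflection adds an equivalent rule for packets arriving on LAN.
    fwd_matches = pkt.dport == PORT_FORWARD["dport"] and (
        iface == PORT_FORWARD["iface"] or nat_reflection
    )
    if fwd_matches:
        tgt_ip, tgt_port = PORT_FORWARD["target"]
        if iface == "LAN":
            # Reflection also rewrites the source to the firewall's LAN IP.
            # Otherwise the server would reply to the client directly, and
            # the client would discard a SYN/ACK from 192.168.5.123 for a
            # connection it opened to the WAN IP.
            return "connected", f"DNAT -> {tgt_ip}:{tgt_port}, SNAT {pkt.src} -> {FW_LAN_IP}"
        return "connected", f"DNAT -> {tgt_ip}:{tgt_port}"

    # No port forward matched, so the packet is for the firewall itself.
    if iface == "WAN":
        return "dropped", "WAN default deny: no reply at all (ShieldsUP shows stealth)"
    if pkt.dport in FIREWALL_LISTENERS:
        # The LAN allow rule passes it (what Tomas saw in the logs) and the
        # firewall's own daemon answers, hence 22/80/443 look open from inside.
        return "firewall-service", f"firewall itself answers on port {pkt.dport}"
    return "timeout", f"nothing on the firewall listens on port {pkt.dport}; SYN goes unanswered"


def resolve(hostname: str, client_ip: str, split_dns: bool = True) -> str:
    """Split DNS: a host override on the LAN resolver hands LAN clients the
    private address; everyone else gets the public record."""
    if hostname != BACKUP_HOSTNAME:
        raise KeyError(hostname)
    if split_dns and ipaddress.ip_address(client_ip) in LAN_NET:
        return BACKUP_SERVER[0]
    return WAN_IP


def reproduce_thread() -> Dict[str, str]:
    """Replay the observations from the post plus the two fixes."""
    laptop_lan, internet_host = "192.168.5.50", "203.0.113.7"  # constructed
    return {
        "lan->wan:12345 (no reflection)": firewall(Packet(laptop_lan, WAN_IP, 12345))[0],
        "lan->wan:80 (nc from inside)": firewall(Packet(laptop_lan, WAN_IP, 80))[0],
        "internet->wan:12345 (ShieldsUP)": firewall(Packet(internet_host, WAN_IP, 12345))[0],
        "internet->wan:80 (ShieldsUP)": firewall(Packet(internet_host, WAN_IP, 80))[0],
        "lan->wan:12345 (reflection on)": firewall(Packet(laptop_lan, WAN_IP, 12345), True)[0],
        "lan->hostname:12345 (split DNS)": firewall(
            Packet(laptop_lan, resolve(BACKUP_HOSTNAME, laptop_lan), 12345))[0],
    }


if __name__ == "__main__":
    for case, verdict in reproduce_thread().items():
        print(f"{case:36} {verdict}")
```

The model shows why split DNS is the cleaner fix: the client still has one hostname in its configuration, but on the LAN the connection never touches the WAN address, so no reflection rule or source rewrite is needed and the backup server logs the real client address instead of the firewall's. The caveat is that the laptop must actually use the LAN resolver that carries the host override when it is at home (normally handed out by DHCP); a client pinned to a public resolver will keep getting the WAN IP and behave exactly like the failing case above.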



  • Thank you!

    Solved it by enabling NAT reflection on the port forward rule. 😬

    /Tomas

