Accessing a local web server from local network with NAT reflection + port forwarding

wyang

Hello,

The local web server FQDN is resolved as the WAN address.

Port 80 and 443 on the WAN are forwarded to the local web server, NAT reflection: use system default.

System > Advanced > Admin access
Protocol: HTTPS (SSL/TLS), TCP port: 9443, 'Disable webConfigurator redirect rule' checked

System > Advanced > NAT
Pure NAT + Enable automatic outbound NAT for Reflection

However, accessing the local web server from local network fails.

Any inputs and advices would be much appreciated.

heper

Ditch nat reflection & Use a host override in your dns settings

johnpoz

^Exactly just setup a host override for your fqdn that points to your local IP..

wyang

Thank you very much @heper and @johnpoz for your quick response!

Please correct me.

To my understanding, for accessing a local server from local network, it can use either NAT reflection or DNS forwarder/resolver with override.

If use NAT reflection, do I still need to use host override?

johnpoz

If your going to use nat reflection, then no you don't need host override.. But nat reflection is not the way.. To be honest nat reflection is an abomination to all things holy about networking ;)

host overrides "this is the way"
https://www.youtube.com/watch?v=uelA7KRLINA

wyang

Thanks @johnpoz !

Before switch to split DNS method, I'd like to understand a bit more on how requests from a local client to a local server are handled by pfSense. Would you mind to brief that?

Also, are there any ways to track how the requests are handled with the tools on pfSense?

johnpoz

Pfsense wouldn't be doing anything other than handing it answer to the dns query, unless the server is on a different vlan than the client.

wyang

Sorry, I mean for NAT reflection, I'd like to understand a bit more on how requests from a local client to a local server are handled by pfSense. Would you mind to brief that?

Also, are there any ways to track how the requests are handled with the tools on pfSense?

johnpoz

Nat reflection would have to use proxy method and connection would look like it came from pfsense vs the client.. It really is an abomination.. And should only be used when you have no other choice.. Like some idiot hard coded an IP in some app..

wyang

Thanks @johnpoz !

On my local server, it has nginx ingress to handle requests to different services identified by FQDNs, e.g., abc.example.com, def.example.com.

So, if use split DNS solution, instead of use host override that does not support hostname wildcard, it'd be sustainable to use domain override.

I tested to configure domain override as
Domain: example.com
IP Address: <the local server IP>
Source IP: ; leave blank

However, it does not work.

I'd much appreciate if you could correct me. Thanks.

johnpoz

Its not domain override its HOST override..

Put in the fqdn you want to resolve to that IP.. if you have 1 or 100 of them..

domain override is when there is a specific Name Server (NS) that will resolve that domain.

wyang

That does not sustainable :)

Thanks a lot @johnpoz !

johnpoz

What is not sustainable? Setting local dns to resolve local IPs? You could have 10,000 fqdn resolve locally.. Or 100k even.. Not sure what your saying is not sustainable?

Even if pfsense was providing the public dns via bind (never use unbound for that since its not meant to be an authoritative ns).. You could setup views so internally they would resolve to internal and externally they would resolve to the public, etc.

heper

A>is it possible to drive a toyota corolla through the jungle?
B>it's better to use a 4x4 to go through the jungle.
A>Yes, but is it not also possible using a corolla, then i wouldn't need a 4x4?
B>using a corolla in a jungle is an abomination to all things holy about driving in the jungle. 4x4 is the way

.....
A> using a 4x4 is not sustainable

alt text

wyang

Thanks very much @johnpoz and @heper for your prompt responses.

In the env of a Kubernetes cluster behind pfSense, there are a lot of requests from local network to local K8s FQDNs. Therefore, it'd be much more flexible if host override supports wildcard for the host field, since all these FQDNs resolve to a same local virtual IP.

I was wondering if the feature of wildcard host name would be possibly supported for host override in the near future release ?

johnpoz

@wyang said in Accessing a local web server from local network with NAT reflection + port forwarding:

supports wildcard for the host field

You can do that now.. Just not in the gui..

https://docs.netgate.com/pfsense/en/latest/dns/wildcard-records-in-dns-forwarder-resolver.html

wyang

It works. Thanks very much @johnpoz !