    Accessing a local web server from local network with NAT reflection + port forwarding

      wyang

      Hello,

      The local web server FQDN is resolved as the WAN address.

      Port 80 and 443 on the WAN are forwarded to the local web server, NAT reflection: use system default.

      System > Advanced > Admin access
      Protocol: HTTPS (SSL/TLS), TCP port: 9443, 'Disable webConfigurator redirect rule' checked

      System > Advanced > NAT
      Pure NAT + Enable automatic outbound NAT for Reflection

      However, accessing the local web server from local network fails.

      Any input and advice would be much appreciated.

        heper

        Ditch NAT reflection & use a host override in your DNS settings.

          johnpoz LAYER 8 Global Moderator

          ^Exactly, just set up a host override for your FQDN that points to your local IP..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            wyang

            Thank you very much @heper and @johnpoz for your quick response!

            Please correct me.

            To my understanding, for accessing a local server from the local network, one can use either NAT reflection or the DNS forwarder/resolver with an override.

            If I use NAT reflection, do I still need to use a host override?

              johnpoz LAYER 8 Global Moderator

              If you're going to use NAT reflection, then no, you don't need a host override.. But NAT reflection is not the way.. To be honest, NAT reflection is an abomination to all things holy about networking ;)

              host overrides "this is the way"
              https://www.youtube.com/watch?v=uelA7KRLINA

                wyang

                Thanks @johnpoz !

                Before switching to the split DNS method, I'd like to understand a bit more about how requests from a local client to a local server are handled by pfSense. Would you mind briefing that?

                Also, are there any ways to track how the requests are handled with the tools on pfSense?

                  johnpoz LAYER 8 Global Moderator

                  pfSense wouldn't be doing anything other than handing it the answer to the DNS query, unless the server is on a different VLAN than the client.

                    wyang

                    Sorry, I mean for NAT reflection: I'd like to understand a bit more about how requests from a local client to a local server are handled by pfSense. Would you mind briefing that?

                    Also, are there any ways to track how the requests are handled with the tools on pfSense?

                      johnpoz LAYER 8 Global Moderator

                      NAT reflection would have to use the proxy method, and the connection would look like it came from pfSense vs the client.. It really is an abomination.. And should only be used when you have no other choice.. Like some idiot hard-coded an IP in some app..

                        wyang

                        Thanks @johnpoz !

                        On my local server, there is an nginx ingress that handles requests to different services identified by FQDNs, e.g., abc.example.com, def.example.com.

                        So, if I use the split DNS solution, instead of using a host override, which does not support hostname wildcards, it'd be more sustainable to use a domain override.

                        I tested configuring a domain override as
                        Domain: example.com
                        IP Address: <the local server IP>
                        Source IP: (left blank)

                        However, it does not work.

                        I'd much appreciate if you could correct me. Thanks.

                          johnpoz LAYER 8 Global Moderator

                          It's not domain override, it's HOST override..

                          Put in the FQDN you want to resolve to that IP.. whether you have 1 or 100 of them..

                          Domain override is when there is a specific name server (NS) that will resolve that domain.

                            wyang

                            That is not sustainable :)

                            Thanks a lot @johnpoz !

                              johnpoz LAYER 8 Global Moderator

                              What is not sustainable? Setting local DNS to resolve local IPs? You could have 10,000 FQDNs resolve locally.. Or 100k even.. Not sure what you're saying is not sustainable?

                              Even if pfSense was providing the public DNS via BIND (never use Unbound for that, since it's not meant to be an authoritative NS).. You could set up views so internally they would resolve to the internal and externally they would resolve to the public, etc.

                                heper

                                A>is it possible to drive a toyota corolla through the jungle?
                                B>it's better to use a 4x4 to go through the jungle.
                                A>Yes, but is it not also possible using a corolla, then I wouldn't need a 4x4?
                                B>using a corolla in a jungle is an abomination to all things holy about driving in the jungle. 4x4 is the way

                                .....
                                A> using a 4x4 is not sustainable

                                  wyang

                                  Thanks very much @johnpoz and @heper for your prompt responses.

                                  In the environment of a Kubernetes cluster behind pfSense, there are a lot of requests from the local network to local K8s FQDNs. Therefore, it'd be much more flexible if host override supported a wildcard for the host field, since all these FQDNs resolve to the same local virtual IP.

                                  I was wondering if the wildcard host name feature could possibly be supported for host override in a near-future release?

                                    johnpoz LAYER 8 Global Moderator

                                    @wyang said in Accessing a local web server from local network with NAT reflection + port forwarding:

                                    supports wildcard for the host field

                                    You can do that now.. Just not in the gui..

                                    https://docs.netgate.com/pfsense/en/latest/dns/wildcard-records-in-dns-forwarder-resolver.html


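As an added illustration of the two split-DNS approaches discussed in this thread (per-FQDN host overrides, as johnpoz recommended earlier, and the wildcard record placed in the Resolver's custom options, as the linked Netgate doc describes), the Python script below is not code from the thread, pfSense or Netgate. It parses two small Unbound `local-zone`/`local-data` fragments, constructed here with placeholder names and a placeholder RFC 1918 address, and simulates which query names each fragment would answer locally. The lookup model (exact `local-data` match first, then the closest enclosing `local-zone`, with a `redirect` zone answering every name beneath it from the zone apex) is a simplification of the behaviour described in unbound.conf(5), not Unbound's actual code, and the assumption that a pfSense GUI host override ends up as an exact `local-data` entry is mine.

```python
"""Simulate how Unbound local-zone/local-data config answers split-DNS queries.

Constructed example: compares per-FQDN host overrides (exact local-data
entries) with a wildcard built from `local-zone ... redirect`. This is a
simplified model of Unbound's lookup, not Unbound itself.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: wildcard via a redirect zone (custom options style).
# 192.168.1.50 is a placeholder for the local ingress virtual IP.
CUSTOM_OPTIONS = """
server:
local-zone: "example.com" redirect
local-data: "example.com 3600 IN A 192.168.1.50"
"""

# Constructed sample: what per-host overrides become (assumption: pfSense
# emits one exact local-data line per GUI host override).
HOST_OVERRIDES = """
server:
local-data: "abc.example.com 3600 IN A 192.168.1.50"
local-data: "def.example.com 3600 IN A 192.168.1.50"
"""

LINE_RE = re.compile(r'^\s*(local-zone|local-data):\s*"([^"]+)"\s*(\S+)?\s*$')


def _norm(name):
    """Lower-case and strip the trailing dot so lookups are case/dot-insensitive."""
    return name.strip().lower().rstrip(".")


@dataclass
class LocalConfig:
    zones: dict = field(default_factory=dict)  # zone name -> zone type
    data: dict = field(default_factory=dict)   # owner name -> (rrtype, rdata)


def parse_local_config(text):
    """Parse local-zone / local-data lines; everything else is ignored."""
    cfg = LocalConfig()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'server:' header, blank lines, other directives
        directive, value, ztype = m.groups()
        if directive == "local-zone":
            cfg.zones[_norm(value)] = ztype
        else:
            # "name [ttl] [class] type rdata" -- single-token rdata (A/AAAA)
            parts = value.split()
            cfg.data[_norm(parts[0])] = (parts[-2], parts[-1])
    return cfg


def resolve(cfg, qname):
    """Return the rdata the local data would answer with, or None if the
    query would leave the local data (i.e. be resolved normally)."""
    name = _norm(qname)
    if name in cfg.data:            # exact match: a host override hit
        return cfg.data[name][1]
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up to the closest enclosing zone
        zone = ".".join(labels[i:])
        ztype = cfg.zones.get(zone)
        if ztype is None:
            continue
        if ztype == "redirect" and zone in cfg.data:
            return cfg.data[zone][1]  # every name under the zone gets apex data
        return None                   # transparent/other: no local answer here
    return None


def compare(names):
    """Map each name to (host-override answer, wildcard answer)."""
    overrides = parse_local_config(HOST_OVERRIDES)
    wildcard = parse_local_config(CUSTOM_OPTIONS)
    return {n: (resolve(overrides, n), resolve(wildcard, n)) for n in names}


if __name__ == "__main__":
    for n, (ov, wc) in compare(
        ["abc.example.com", "new.example.com", "notexample.com", "example.com"]
    ).items():
        print(f"{n:20} host-override={ov!s:14} redirect-zone={wc!s}")
```

The run shows the practical difference: `new.example.com` gets no local answer from the per-host list until someone adds an override for it, while the redirect zone answers it immediately. The flip side is the caveat to keep in mind before using the wildcard: the redirect zone hands the ingress VIP back for every name under `example.com`, including any that should still resolve to a public address, so it only fits when everything under that zone is served by the local ingress. Either way, verify from a LAN client (or with Diagnostics > DNS Lookup on pfSense) that the FQDN now returns the internal IP rather than the WAN address.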
                                      wyang

                                      It works. Thanks very much @johnpoz !

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.