Netgate Discussion Forum

Port forwarding not working in LAN source

  • J Offline
    jmaurin
    last edited by Dec 24, 2020, 7:54 PM

    Hi!
    I used to have an OpenWRT as my main router here (in my house) and I had this scenario working fine, but I can't make it work in pfSense.

    I have a valid domain called domain.com, hosted on a server not in my network. I also have a subdomain called abc.domain.com, which points to my house (dynamic DNS, using CloudFlare). I have my pfSense configured to update CloudFlare using abc.domain.com and it's working perfectly.
    Now, I have some port forwarding for some devices that I have in my house (cameras, NVRs, Raspberry Pis, etc.). Port forwarding itself is working fine from outside; I can access everything as expected. The problem is when I try to access from LAN, using the external domain. It simply doesn't work and I don't know why or how to debug this.

    I used to use 'abc.mydomain.com' even from inside; then my OpenWRT would redirect to the correct internal LAN based on destination port. Now this is not working.
    I thought about split DNS, but the problem is that I use the same sub-domain for everything in my house, so I could not redirect one domain to one specific internal IP address.
    I would like to access (from LAN and Outside):

    abc.domain.com:123 => 192.168.2.1
    abc.domain.com:456 => 192.168.2.2
    abc.domain.com:789 => 192.168.2.3

    I've created port forwarding using 'WAN' as destination address and specific ports. It's working from outside. What am I missing?

    M 1 Reply Last reply Dec 25, 2020, 12:00 PM Reply Quote 0
    • M Offline
      MikeV7896 @jmaurin
      last edited by MikeV7896 Dec 25, 2020, 12:03 PM Dec 25, 2020, 12:00 PM

      @jmaurin Try enabling NAT Reflection for those port forwards. Not sure of the difference between the two "Enabled" options, but I did use NAT + Proxy for a while for a Plex server at home to get it to work with Sonos on the same network... before Plex added an additional setting that allowed me to get rid of the reflection.

      More info: https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

      The S in IOT stands for Security

      J 1 Reply Last reply Dec 25, 2020, 7:28 PM Reply Quote 0
      • J Offline
        jmaurin @MikeV7896
        last edited by Dec 25, 2020, 7:28 PM

        @virgiliomi Didn't work. But I may know why. I'm using 2 NATs (unfortunately).
        My ISP doesn't allow me to bridge my modem, so I have to use an internal IP. What I did is to point my modem DMZ to my pfSense WAN IP, which is an invalid. That's why I think that NAT Reflection is not working. I'm out of ideas now :/

        V 1 Reply Last reply Dec 25, 2020, 8:32 PM Reply Quote 0
        • V Offline
          viragomann @jmaurin
          last edited by Dec 25, 2020, 8:32 PM

          @jmaurin said in Port forwarding not working in LAN source:

          But I may know why. I'm using 2 NATs (unfortunately).

          I cannot think of anything your former OpenWRT could have done here to make it work without knowing your real public IP.
          If abc.domain.com resolves to the ISP router's external IP, NAT reflection must be done at the external router.

          If that is not possible and you cannot use split DNS, your only option will be to clone your NAT rules to your internal interface(s).
          To make it work if both server and client are connected to the same interface of pfSense, you will additionally need an outbound NAT rule for this server.

          1 Reply Last reply Reply Quote 0
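Added example, not part of the thread and not pfSense code: a small Python model of the packet flow viragomann describes, showing why a port forward cloned onto the LAN interface also needs an outbound NAT rule when client and server share that interface. Only `192.168.2.2` and port `456` come from the thread; the public IP, firewall LAN IP, client IP and source port are constructed placeholders, and source-port rewriting is left out for simplicity.

```python
from dataclasses import dataclass, replace

# Constructed addresses: only 192.168.2.2 and port 456 come from the thread.
PUBLIC_IP = "203.0.113.10"   # what abc.domain.com resolves to (placeholder)
FW_LAN_IP = "192.168.2.254"  # assumed pfSense LAN address
CLIENT_IP = "192.168.2.50"   # assumed LAN client
FORWARDS = {456: "192.168.2.2"}  # port forward cloned onto the LAN interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def firewall_in(pkt, outbound_nat, states):
    """Apply the cloned port forward, and optionally source NAT, on LAN."""
    out = replace(pkt, dst=FORWARDS[pkt.dport])
    if outbound_nat:
        out = replace(out, src=FW_LAN_IP)
    states[(out.dst, out.dport, out.src, out.sport)] = pkt  # remember original
    return out


def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def firewall_back(reply, states):
    """Undo both translations for a reply that passes through the firewall."""
    orig = states[(reply.src, reply.sport, reply.dst, reply.dport)]
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def hairpin(outbound_nat):
    """Return (source address the client sees, whether the client accepts it)."""
    states = {}
    syn = Packet(CLIENT_IP, 40000, PUBLIC_IP, 456)
    reply = server_reply(firewall_in(syn, outbound_nat, states))
    # A reply addressed to a LAN host is delivered on-link and never reaches
    # the firewall; only a reply addressed to the firewall gets translated back.
    if reply.dst == FW_LAN_IP:
        reply = firewall_back(reply, states)
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return reply.src, accepted
```

Without the outbound NAT rule the client gets an answer from `192.168.2.2` for a connection it opened to the public address and discards it; with the rule, the reply returns through the firewall and arrives from the address the client expects.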