Netgate Discussion Forum

Port Redirection internal vs external

General pfSense Questions
9 Posts 3 Posters 951 Views
    tabmow
    last edited by Dec 25, 2020, 5:48 PM

    Hi,

    I have recently set up pfSense and am having trouble getting my internal redirects to work from within the LAN network.

    nextcloud.domain.com resolves to my WAN IP
    I have a port redirect from 80/443 to my reverse proxy inside my LAN network at 192.168.1.201
    This works fine when connecting from outside of my network.

    However, when I connect to nextcloud.domain.com from within my LAN network it just times out. Is this possible with pfSense? It used to work fine on my previous router. I'm not sure if I need some extra config or extra NAT?

    Any help would be much appreciated.
    Thanks,
    Terry

      viragomann @tabmow
      last edited by Dec 25, 2020, 7:38 PM

      @tabmow
      If you're using an internal DNS like the Resolver on pfSense, you can add a DNS override for your domain to resolve it to the internal proxy IP or directly to the webserver if you want to bypass the proxy.

      Otherwise you have to go with NAT reflection. You can activate it in the NAT rule.

      T 1 Reply Last reply Dec 25, 2020, 9:43 PM Reply Quote 0
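An added example, not part of the thread or of pfSense: a small Python check that classifies which path a request takes depending on what the service name resolves to for a given client, covering the DNS override and NAT reflection options described above. Only 192.168.1.201 comes from the thread; the LAN subnet, the firewall's LAN address and the WAN address are assumed values.

```python
import ipaddress

# 192.168.1.201 is the reverse proxy from the thread. Everything else here is
# an assumption made for illustration (documentation-range WAN address).
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY_IP = ipaddress.ip_address("192.168.1.201")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")
WAN_IP = ipaddress.ip_address("203.0.113.10")


def classify(client_ip: str, resolved_ip: str) -> str:
    """Classify the path taken when client_ip connects to resolved_ip."""
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(resolved_ip)
    on_lan = client in LAN

    if target == WAN_IP:
        # A LAN client aiming at the WAN address arrives on the LAN
        # interface, so the WAN port forward only applies with NAT reflection.
        return "needs-nat-reflection" if on_lan else "wan-port-forward"
    if target in LAN and not on_lan:
        # The override belongs in the internal resolver only; an outside
        # client that receives a LAN address cannot reach the service.
        return "internal-record-leaked"
    if target == PROXY_IP:
        # Split DNS: traffic stays on the LAN and goes straight to the proxy.
        return "split-dns-direct"
    if target == FIREWALL_LAN_IP:
        # Assumes the web configurator still listens on 80/443: the request
        # is answered by the firewall GUI, not by the proxy.
        return "hits-firewall-webgui"
    return "unexpected-target"


if __name__ == "__main__":
    # Constructed sample cases: (client address, address the name resolved to)
    samples = [
        ("192.168.1.50", "203.0.113.10"),
        ("198.51.100.7", "203.0.113.10"),
        ("192.168.1.50", "192.168.1.201"),
        ("192.168.1.50", "192.168.1.1"),
        ("198.51.100.7", "192.168.1.201"),
    ]
    for client, resolved in samples:
        print(f"{client} -> {resolved}: {classify(client, resolved)}")
```

To use it against a live setup, feed `classify` the address that a LAN client actually gets back for the name (for example from `socket.gethostbyname`) and replace the assumed constants with your own.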
        tabmow @viragomann
        last edited by Dec 25, 2020, 9:43 PM

        @viragomann I did try split DNS and I got weird results. Not sure if it is a browser thing or not but I was getting redirected to a pfSense page saying there was a spoofing attack or something similar... It was odd. I'll look at NAT reflection.

          Rod-It
          last edited by Rod-It Dec 25, 2020, 11:08 PM Dec 25, 2020, 11:06 PM

          You could simply use the internal IP, not your proxy, for internal users, or enable NAT reflection on your NAT rule for your port 443/80.

          Are you using HAProxy as your reverse proxy? If so, you need to move pfSense off 443 for its own connection and move it elsewhere first.

          If you are using AD for DNS or something else, point your DNS name to the Nextcloud box directly, not the proxy, and use the proxy for external connections. If you are using PF as your DNS, as above, an override might work.

            tabmow @Rod-It
            last edited by tabmow Dec 25, 2020, 11:12 PM Dec 25, 2020, 11:12 PM

            @rod-it Enabling NAT reflection worked. The reverse proxy is nginx and it does SSL offloading etc. for my nextcloud instance so I can't point the split DNS directly to the nextcloud instance.

            I figured that it may be a problem with the web gui of pfSense listening on those ports so I may update that and then try the split DNS again later to disable NAT reflection.

              Rod-It
              last edited by Dec 25, 2020, 11:15 PM

              I use HAProxy on pfSense and do SSL offloading, but I use internal DNS for internal clients, so I can point internal traffic directly to Nextcloud and external traffic at HA.

              I'm not sure I see a benefit to pointing everything at the proxy for internal traffic.

                viragomann @tabmow
                last edited by Dec 26, 2020, 8:33 AM

                @tabmow said in Port Redirection internal vs external:

                I figured that it may be a problem with the web gui of pfSense listening on those ports

                Because of this, we have our pfSense web configurator listening on ports other than the ones which are used in NAT rules.
                You can change it in the advanced settings.

                  tabmow @viragomann
                  last edited by Jan 1, 2021, 5:50 PM

                  @viragomann I ended up switching to the pfSense haproxy module and it works a treat. Don't need those NAT rules anymore and I can remove one of my jails, win-win!

                    Rod-It @tabmow
                    last edited by Jan 1, 2021, 8:41 PM

                    @tabmow

                    It's really easy to use, which is why I opted to use it myself. I also don't need another VM or Docker container running when the pfSense box can do this along with the LE certs.

                    Do keep in mind HA only works at TCP level, so if you wanted to proxy anything non-HTTPS, you might have issues.
