Force local traffic out of WAN
-
Hi all,
I have a pfSense box set up with multiple VLANs. One of those VLANs is a guest network which is walled off from the rest of my network. It is only allowed access to DNS and the internet.
I want to allow clients on this guest network to access some network resources on another VLAN (via a FQDN); however, I want to make it so that it must pass out into the internet, and then back in via the WAN again (if that makes sense). That way it must pass the firewall rules specified on the WAN interface, rather than 'shortcut' through the firewall. (I am not concerned about performance, as it will be low bandwidth and irregular data transfer.)
At present, any attempts to connect are refused as they are blocked at the firewall (I have Pure NAT enabled).
I think this can be achieved through NAT, although I'm unsure how to do it.
Any guidance would be appreciated.
Cheers
-
@theskelly said in Force local traffic out of WAN:
then back in via the WAN again (if that makes sense)
Nope, makes no sense at all..
If you want to allow vlan X to access vlan Y - then allow it with a simple firewall rule..
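What "a simple firewall rule" looks like in pf syntax, as an added illustration that is not from any participant in this thread (pfSense builds equivalent rules from its web GUI; the interface name, subnets, host address and port below are assumed placeholders):

```pf
# Added example, not from the thread. Assumed names:
#   vlan30      = guest VLAN interface
#   10.30.0.0/24 = guest subnet
#   10.10.0.5   = Plex host on the other VLAN
#   32400/tcp   = assumed Plex service port

# Guest clients may query DNS on the firewall itself
pass in quick on vlan30 proto { tcp udp } from 10.30.0.0/24 to (vlan30) port 53

# The one explicit hole: guest clients may reach the Plex host on its service port
pass in quick on vlan30 proto tcp from 10.30.0.0/24 to 10.10.0.5 port 32400

# Keep the guest VLAN walled off from every other private range
block in quick on vlan30 from 10.30.0.0/24 to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Anything left is internet-bound traffic
pass in quick on vlan30 from 10.30.0.0/24 to any
```

For this to work with a FQDN, the guest clients must resolve that name to 10.10.0.5 (a host override in the internal DNS) rather than to the public IP; a client that can only resolve the public address is exactly the case johnpoz describes below where NAT reflection ends up being used as a workaround.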
-
@johnpoz thanks for the input :) And I would agree with you in most cases.
However, in this particular instance I'm hoping to avoid 'poking holes' in the firewall. My thinking here is (for a Plex server as an example) - anyone outside of my LAN can access my Plex server via the internet... so why can't I force those on my guest network to do the same? NAT reflection is cool, and is brilliant in 99.95% of cases, however in this instance I'd like to boot the traffic out and then have it come back in again.
Is there any reasonable way of making my dream come true?
-
If they are resolving the internet IP address then wouldn't pfSense route the traffic to the WAN interface then to where a port forward rule sends it? In some other routers it is called hairpin. Not sure about pfSense.
-
@theskelly said in Force local traffic out of WAN:
NAT reflection is cool, and is brilliant in 99.95% of cases
NAT reflection is an abomination to all things networking.. Period!
There are times where it is a workaround to something else that is messed up.. Like hard-coded IPs, or a client not using internal DNS, and can only resolve the public IP..
But you bouncing off your public IP because you think it's more secure?? Makes no sense at all
-
@johnpoz Ah, I didn't mean to include the word 'Reflection' there; I was meaning the idea of keeping the traffic internal in that statement (which shows I needed to beef up my understanding a bit more!). After doing some more research, I tend to agree that reflection is perhaps not the best idea.
Something for me to think a bit more about. Thanks for the input as well @AndyRH; it has helped to direct my research.