Netgate Discussion Forum
    Identical!! access and filtering towards a local server, for internet located clients as for local clients

    Routing and Multi WAN
    5 Posts 3 Posters 458 Views
    • louis2
      last edited by louis2

      Hello,

      I have a server running multiple services within my own network. Those services are accessible via IPv4 and IPv6.

      What I would like to achieve is that a call from inside my local network towards my local servers is handled "exactly" like a call coming from the internet.

      To achieve that, calls towards my (single) IPv4 address and the IPv6 address I use for my publicly accessible servers should be routed towards the firewall as if they were arriving from the internet.

      When

      1. a call towards a server arrives from the internet, or
      2. a call from the local network, rerouted to look like it is arriving from the internet,

      arrives at the firewall, the firewall / pfSense should treat those calls equally.

      pfSense should forward the calls to the appropriate servers or block them, whatever is defined.
      In case of IPv4 there is also NAT, since the external IPv4 address needs to be translated to the local server address(es).

      The server will send responses, and those responses should be routed back to the clients on the internet ..... or to the local clients (in one of the local VLANs).

      Big question is how to achieve this behaviour!!

      Issues to solve:

      • route IPv6 public addresses back to the pfSense "WAN interface"
      • same for my public IPv4 address(es)
      • take care that the firewall is handling the rerouted calls like they were coming from the internet
      • take care that the server answers are routed back towards the local clients correctly
      • take care of the needed NAT translations

      Not so easy I think, however I am sure it has been done before, since business networks will face this kind of problem (perhaps solving the problem by cascading firewalls).

      Hopefully "the community" can help me to solve this issue, preferably using only one pfSense firewall :)

      Sincerely,

      Louis

      • johnpoz LAYER 8 Global Moderator @louis2
        last edited by

        Why do the nonsense of NAT reflection?

        Just put the server on a vlan that is different than where your users are, and you can put whatever rules you want to be allowed or not allowed to talk to these servers.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • louis2 @johnpoz
          last edited by

          @johnpoz

          Note that there are, e.g., public DNS rules pointing to the different provided services, and that local clients will query a public DNS, which at least in case of IPv4 will lead to my public IPv4 address and not the addresses of the local services.

          Not to mention that I do not like to "multiply" the number of rules (and maintain them). Be aware that, apart from floating rules, filtering is on traffic leaving a VLAN and not on what is entering a VLAN! 😢

          And yep, you are right assuming that servers and clients are in different VLANs.

          Louis

          • johnpoz LAYER 8 Global Moderator @louis2
            last edited by johnpoz

            Well, if you have clients resolving the public IP because they are using public DNS, place the rules you want to limit this NAT reflection with in your floating tab, so you can use them both as your WAN rules and your LAN rules.. For example port xyz is allowed via your NAT setup.. But port abc is not allowed..

            But if your NAT reflections are not set up, users wouldn't be able to access the resources anyway using the WAN IP.

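            As an added illustration (not code from this thread or from pfSense), a small Python model of the point johnpoz makes: with the port forward reflected on LAN and the rules placed in the floating tab, a local client and an internet client get the same verdict, whereas interface-only rules let the usual "LAN to any" rule diverge. All addresses, ports, interface names and rules below are constructed.

```python
# Added example, not code from the thread: a small model of how a port forward
# with NAT reflection and a shared (floating) rule set give an internet client
# and a local client the same verdict. Addresses, ports and rules are constructed.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"                                  # assumed WAN address
PORT_FORWARDS = {443: ("10.0.20.5", 443), 22: ("10.0.20.5", 22)}  # public port -> server

@dataclass(frozen=True)
class Flow:
    in_iface: str   # interface the packet enters the firewall on: "wan" or "lan"
    src: str
    dst: str
    dport: int

def reflect(flow: Flow) -> Flow:
    """Port forward: rewrite the public destination to the internal server.
    On WAN this is plain inbound NAT; on LAN it is NAT reflection (assumed on)."""
    if flow.dst == PUBLIC_IP and flow.dport in PORT_FORWARDS:
        host, port = PORT_FORWARDS[flow.dport]
        return Flow(flow.in_iface, flow.src, host, port)
    return flow

# A rule is (interfaces it applies to, action, destination port or None for any).
# Floating rules with "Quick" set are matched before the per-interface rules.
FLOATING_RULES = [
    ({"wan", "lan"}, "block", 22),   # ssh never reachable through the public IP
    ({"wan", "lan"}, "pass", 443),
]
IFACE_RULES = {
    "wan": [],                          # nothing else allowed in from the internet
    "lan": [({"lan"}, "pass", None)],   # the usual "allow LAN to any" rule
}

def verdict(flow: Flow, floating, iface_rules) -> str:
    """First matching rule wins; nothing matching means the default deny."""
    flow = reflect(flow)    # filter rules see the translated destination
    for ifaces, action, port in floating + iface_rules.get(flow.in_iface, []):
        if flow.in_iface in ifaces and port in (None, flow.dport):
            return action
    return "block"

def same_treatment(dport: int, floating, iface_rules) -> bool:
    """True when an internet client and a local client get the same verdict."""
    from_internet = Flow("wan", "198.51.100.7", PUBLIC_IP, dport)
    from_lan = Flow("lan", "10.0.10.25", PUBLIC_IP, dport)
    return (verdict(from_internet, floating, iface_rules)
            == verdict(from_lan, floating, iface_rules))
```

Calling `same_treatment(22, FLOATING_RULES, IFACE_RULES)` returns True, while `same_treatment(22, [], IFACE_RULES)` returns False because the LAN "allow any" rule passes what the WAN default deny blocks.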
            • Gertjan @louis2
              last edited by

              @louis2 said in Identical!! access and filtering towards a local server, for internet located clients as for local clients:

              is handled "exactly" like a call coming from the internet.

              The most simple solution is probably: not inviting the Internet into your own local infrastructure.
              Use a VPS (or cloud thing, whatever they call it these days), somewhere in a data center. The cost will be close to nothing these days.
              Internet clients, and your access, will be guaranteed to be treated equally. You'll have nothing to do to enforce this.

              Another solution : use a second ISP, so your local servers have their own WAN IP, and you access them just like the other clients.

              Both propositions don't need any fancy setup.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.