server from LAN can't access themself via Virtual IP on WAN interface
-
Good day
pfSense 2.4.4-RELEASE-p3, two interfaces: WAN 1.2.3.1 and LAN 5.6.7.1. Default NAT rule for all traffic from LAN via the WAN IP. In the LAN subnet there is a server 5.6.7.2 with a Jira service, port TCP 8080. This service is available worldwide via Virtual IP 1.2.3.2 and a NAT rule. It works fine for external clients, but when server 5.6.7.2 tries to access itself by IP 1.2.3.2:8080, the connection fails with a timeout. In the firewall monitor I see an allowed connection LAN 5.6.7.2:xxxxx to 1.2.3.2:8080 and that's all. What may be the reason for this behavior?
One more strange thing: the server successfully pings itself by 1.2.3.2 despite ICMP not being allowed on either WAN or the Virtual IP.
-
@evgeniysk said in server from LAN can't access themself via Virtual IP on WAN interface:
In the LAN subnet there is a server 5.6.7.2 with a Jira service, port TCP 8080. This service is available worldwide via Virtual IP 1.2.3.2 and a NAT rule. It works fine for external clients, but when server 5.6.7.2 tries to access itself by IP 1.2.3.2:8080, the connection fails with a timeout.
This is the default behavior on NAT routers.
If you're using a local DNS add an override for the server.
@evgeniysk said in server from LAN can't access themself via Virtual IP on WAN interface:
One more strange thing: the server successfully pings itself by 1.2.3.2 despite ICMP not being allowed on either WAN or the Virtual IP.
Ping to its own IP doesn't pass pfSense. So the rules won't have any effect.
-
@viragomann said in server from LAN can't access themself via Virtual IP on WAN interface:
This is the default behavior on NAT routers.
If you're using a local DNS add an override for the server.
Ok, is it possible to change this behavior?
Thanks for the DNS override idea, but the server uses requests by IP, so it isn't a solution for us.
The server pings itself by the public IP that is configured on pfSense, so the traffic must flow through it some way.
-
@evgeniysk said in server from LAN can't access themself via Virtual IP on WAN interface:
Ok, is it possible to change this behavior?
Yes, with NAT reflection. That means that a NAT rule on a specific interface (mostly WAN) is also implicitly applied on other interfaces. Not preferred, but there is no other option; it's the way to go.
You can activate it either in the respective NAT rule (at the bottom) or globally in System > Advanced > Firewall & NAT.
You can try the pure NAT mode, but if the server needs to access itself you possibly need the proxy mode.
@evgeniysk said in server from LAN can't access themself via Virtual IP on WAN interface:
The server pings itself by the public IP that is configured on pfSense, so the traffic must flow through it some way.
Without a NAT rule for ICMP + reflection, there is no possibility for the server to ping itself by using the public IP. You may be able to ping the public IP from the server though, but this is owned by pfSense, so the firewall might respond to such pings.
You may sniff the traffic on the internal pfSense interfaces to verify. If the server itself responds to the ping, you would see the packet twice, once from the server to pfSense and a second time back to the server.
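As an added illustration (not pfSense's generated ruleset and not from either poster), these are the pf translation rules equivalent to what the NAT reflection setting described above adds, using the thread's addresses; the interface names em0/em1 for WAN/LAN are assumptions. The trailing comments carry the sniffing check from the last paragraph.

```pf
# Added illustration: the pf translation rules equivalent to what NAT
# reflection (pure NAT mode) adds for this thread's addresses. Not
# pfSense's generated ruleset; em0/em1 as WAN/LAN are assumptions.
ext_if  = "em0"        # WAN, 1.2.3.1 plus Virtual IP 1.2.3.2
int_if  = "em1"        # LAN, 5.6.7.1
lan_net = "5.6.7.0/24"
jira    = "5.6.7.2"
vip     = "1.2.3.2"

# 1) The port forward as first configured: it matches only on WAN.
#    A LAN host sending to 1.2.3.2:8080 enters on $int_if, so this
#    rule never rewrites it and nothing reaches the server.
rdr on $ext_if inet proto tcp from any to $vip port 8080 -> $jira port 8080

# 2) What reflection adds: the same redirect on the LAN interface,
#    so the hairpin SYN is rewritten to 5.6.7.2 before routing.
rdr on $int_if inet proto tcp from $lan_net to $vip port 8080 -> $jira port 8080

# 3) Source NAT for the reflected flow. Without it the server would
#    answer the LAN client directly (same subnet), bypassing the state
#    pfSense created, and the reply would never be un-translated.
#    With it the server sees the connection from 5.6.7.1, replies to
#    pfSense, and pfSense rewrites both directions; this also covers
#    the case where client and server are the same host (5.6.7.2).
nat on $int_if inet proto tcp from $lan_net to $jira port 8080 -> ($int_if)

# rdr runs before filtering, so the pass rule sees the translated
# destination. pfSense's default "LAN net -> any" rule already allows
# it; the explicit equivalent is:
pass in quick on $int_if inet proto tcp from $lan_net to $jira port 8080 keep state

# Checks from the pfSense shell:
#   pfctl -sn                # translation rules actually loaded
#   pfctl -ss | grep 8080    # expect a state 5.6.7.2 -> 1.2.3.2:8080 mapped to 5.6.7.2:8080
#   tcpdump -ni em1 host 5.6.7.2 and tcp port 8080
# With reflection working, tcpdump on em1 shows each hairpin packet
# twice: client -> 1.2.3.2 and then 5.6.7.1 -> 5.6.7.2. The same
# double-packet test answers the ICMP question: an echo reply leaving
# 5.6.7.2 on em1 means the server answered; only a request to 1.2.3.2
# and a reply from it means pfSense itself answered.
```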