Netgate Discussion Forum

    PfSense "owns" external virtual IP's

    HA/CARP/VIPs
    4 Posts 2 Posters 5.7k Views
      T1mmy

      We have a network with multiple VLANs and some internal services on a specific VLAN which are NATted to an external virtual IP. Now the problem is that in this VLAN we have services that need to be used with the external address from within the network also, and the result so far is that all requests from the internal network to the external addresses are being "hijacked" by pfSense. So far we've been able to go around the problem by using DNS override on pfSense, but in the long run we don't feel that this is an appropriate method in the maintenance sense. So basically I'm asking whether we have perhaps misconfigured something or, if this is an intended feature, whether there is a more sustainable workaround to get the external addresses working from inside the company also?

        GruensFroeschli

        What you describe is that you set up split DNS to access your internal server with the external IP.

        This is the correct and recommended way to do this.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          T1mmy

          Thanks for your answer.

          Yes, we have different DNS servers hosting our external and internal DNS records. So basically there is no way to connect to the external virtual IP from a LAN address, and the correct way to get around this is to use the internal DNS server to host the external DNS records as internal IP addresses. Did I get it right?

            GruensFroeschli

            Yes.
            This is due to how NAT works.
            You cannot NAT out the same interface on which packets arrive.

            For normal port forwards you can alternatively use "NAT reflection", although this is kind of an ugly hack.
            You "could" create on top of the 1:1 NAT forwarding, a normal NAT forwarding for the ports you need and enable NAT reflection.
            But I would not recommend it since you're already doing it the proper way.

            More relevant info in the FAQ:
            http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
            http://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT%3F


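To make the two answers above concrete, here is an added example (my own model, not code from pfSense or from anyone in this thread) that simulates the packet path for a LAN client talking to a 1:1-NATted server on the same VLAN. All addresses are constructed (documentation and RFC 1918 ranges), and the `Policy` knobs are assumptions that stand in for "no reflection", "reflection (rdr only)" and "reflection plus source NAT towards the firewall". It shows why the request is answered by pfSense itself by default, why a reflected rdr alone fails because the server's reply goes straight to the client over the LAN and bypasses the firewall, why adding source NAT makes reflection work at the cost of the server no longer seeing the real client address, and why split DNS avoids the firewall entirely.

```python
"""Model of a LAN client reaching a 1:1-NATted server through its WAN VIP.

Added example with constructed addresses; not pfSense code. The Policy
flags are assumptions standing in for the reflection variants discussed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.0.20.0/24")      # the service VLAN (constructed)
FW_LAN_IP = ip_address("10.0.20.1")       # pfSense LAN interface (constructed)
SERVER_IP = ip_address("10.0.20.5")       # internal server behind 1:1 NAT
CLIENT_IP = ip_address("10.0.20.50")      # LAN client on the same VLAN
WAN_VIP = ip_address("203.0.113.10")      # external VIP, 1:1 NAT -> SERVER_IP


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object


@dataclass(frozen=True)
class Policy:
    reflect: bool = False        # apply the VIP -> server rdr on the LAN side too
    reflect_snat: bool = False   # also source-NAT reflected flows to FW_LAN_IP


class Firewall:
    """Minimal pf-style model: 1:1 NAT on WAN, optional reflection on LAN."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.state = {}  # (translated src, translated dst) -> original packet

    def from_lan(self, pkt: Packet):
        """Handle a LAN-originated packet; returns (who receives it, packet)."""
        if pkt.dst != WAN_VIP:
            return ("server", pkt)            # ordinary routing, no NAT involved
        if not self.policy.reflect:
            # Default: the VIP is a local address of pfSense, so the packet is
            # delivered to pfSense itself ("hijacked"), never to the server.
            return ("firewall", pkt)
        out = Packet(pkt.src, SERVER_IP)      # rdr: VIP -> internal server
        if self.policy.reflect_snat:
            out = Packet(FW_LAN_IP, SERVER_IP)  # nat: hide client behind the FW
        self.state[(out.src, out.dst)] = pkt
        return ("server", out)

    def reply_to_lan(self, reply: Packet) -> Packet:
        """Undo the translation for a server reply that came back to the FW."""
        orig = self.state.get((reply.dst, reply.src))
        if orig is None:
            return reply
        return Packet(orig.dst, orig.src)     # src=VIP, dst=client once more


def simulate(policy: Policy, split_dns: bool = False) -> dict:
    """Run one request/reply exchange and report whether the client gets a
    usable answer from the server and what address the server logs."""
    fw = Firewall(policy)
    target = SERVER_IP if split_dns else WAN_VIP   # what the hostname resolves to
    request = Packet(CLIENT_IP, target)

    # Step 1: client -> target. Same-subnet traffic never touches the firewall.
    if request.dst in LAN_NET:
        where, delivered = "server", request
    else:
        where, delivered = fw.from_lan(request)

    if where == "firewall":
        reply = Packet(WAN_VIP, CLIENT_IP)    # pfSense answers for itself
        server_saw = None
    else:
        server_saw = delivered.src
        reply = Packet(delivered.dst, delivered.src)   # server swaps addresses
        # Step 2: server routing. A same-subnet reply goes direct over L2 and
        # bypasses the firewall, unless it is addressed to the firewall itself.
        if reply.dst == FW_LAN_IP:
            reply = fw.reply_to_lan(reply)

    reached_server = where == "server"
    # TCP only accepts a reply from the exact address the client spoke to.
    reply_accepted = reply.src == request.dst
    return {
        "works": reached_server and reply_accepted,
        "reached_server": reached_server,
        "reply_from": str(reply.src),
        "server_sees_client_as": None if server_saw is None else str(server_saw),
    }


if __name__ == "__main__":
    print("default      :", simulate(Policy()))
    print("rdr only     :", simulate(Policy(reflect=True)))
    print("rdr + snat   :", simulate(Policy(reflect=True, reflect_snat=True)))
    print("split DNS    :", simulate(Policy(), split_dns=True))
```

The "rdr + snat" case is the reflection "hack" from the answer: it works, but the server only ever sees 10.0.20.1 as the client, which is what makes it unattractive for logging and per-client access control. Split DNS keeps the real client address and keeps the firewall out of the path altogether.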
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.