PfSense "owns" external virtual IP's



  • We have a network with multiple VLANs and some some internal services on a spesific VLAN which are NATted to an external virtual IP. Now the problem is that in this VLAN we have services that need to be used with the external address from within the network also and the result so far is that all requests from internal network to the external addresses are being "hijacked" by pfSense. So far we've been able to go around the problem by using DNS override on pfSense but in the long run we don't feel that this is an appropriate method in the maintenance sense. So basically I'm asking that have we perhaps misconfigured something or if this is an intended feature, is there a more sustainable workaround to get the external addresses working from inside the company also?



  • What you describe is that you set up split DNS to access your internal server with the external IP.

    This is the correct and recommended way to do this.



  • Thanks for your answer.

    Yes, we have different DNS servers hosting our external and internal DNS records. So basically there is no way to connect to the external virtual ip from a LAN address and the correct way to get around this is to use the internal DNS server to host the external DNS records as internal IP addresses, did I get it right?



  • Yes.
    This is due to how NAT works.
    You cannot NAT out the same interface on which packets arrive.

    For normal port forwards you can alternatively use "NAT reflection", although this is kind of an ugly hack.
    You "could" create on top of the 1:1 NAT forwarding, a normal NAT forwarding for the ports you need and enable NAT reflection.
    But i would not recommend it since you're already doing it the proper way.

    More relevant info in the FAQ:
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    http://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT%3F


Log in to reply