Netgate Discussion Forum

Access to external virtual IP from LAN

    itob
    last edited by May 10, 2023, 9:54 AM

    Hello,
    I configured a 1:1 NAT from a virtual IP address on the pfSense WAN to a local address for access to the telephone system in the LAN.
    It can be reached externally. That is OK.
    Can I reach the external virtual IP address from the LAN also? Do I need a firewall rule for this access?
    I need the same IP address internally and externally for the configuration.
    Thank you.
    Tobias

      viragomann @itob
      last edited by May 10, 2023, 11:11 AM

      @itob
      Enable NAT reflection in the NAT rule.
      Additionally, you need a firewall rule which allows access to the internal IP of the forwarding.

        itob
        last edited by May 15, 2023, 1:13 PM

        I have set the NAT reflection to Enabled in the NAT 1:1 entry and created a firewall rule in LAN_1 from LAN1 net to the external virtual IP 10.2.19.61 any.
        I do not get a connection.
        Where is my mistake?

          viragomann @itob
          last edited by May 15, 2023, 1:32 PM

          @itob
          You need to allow access to the internal destination address in the rule.

          The NAT 1:1 only forwards traffic on WAN to the internal IP. With NAT reflection, traffic on other interfaces is also forwarded.
          But you need to permit the access by a pass rule on both interfaces: once on WAN, and for NAT reflection also on the internal interface where you want to allow it.

            itob
            last edited by May 16, 2023, 7:43 AM

            It does not function. Where is my problem?

            The "WAN1-FV" IP of the pfSense is: 10.2.19.3/24
            I have configured a virtual IP: 10.2.19.61/32

            The LAN_1 IP of the pfSense is: 172.16.11.80/16

            A 1:1 NAT from WAN1_FV external IP: 10.2.19.61 to single host 172.16.11.61, destination: Any, NAT reflection: Enable

            A firewall rule on WAN1_FV, source: special external IPs, destination: single host: 172.16.11.61. - It is working.

            I have generated these rules for a test:
            LAN1:
            any to 172.16.11.61
            any to 10.2.19.61
            WAN1_FV:
            any to 172.16.11.61
            any to 10.2.19.61
            but the connection from LAN is not working.

            Can you help me?

              viragomann @itob
              last edited by May 16, 2023, 10:01 AM

              @itob
              And your LAN device tries to access 10.2.19.61?
              This IP is private, so I assume that there is a router in front of pfSense, forwarding the traffic. And I suspect that the LAN device tries to access the public IP of the outer router.

              If this is the case, NAT reflection on pfsense would not help, you would need to do this on the outer router.

                itob
                last edited by May 16, 2023, 11:31 AM

                My notebook 172.16.12.32 is in the same LAN as the telephone system 172.16.11.61 on the LAN_1 of the pfSense.
                Direct access to 172.16.11.61 is possible.

                The WAN1-FV of the pfSense 10.2.19.3 and the virtual IP 10.2.19.61/32 are connected to an upstream UTM. It is possible to dial into this network from outside via VPN.
                From there I can access the telephone system via 10.2.19.61.

                Now I would like to access the telephone system with the same device within the LAN with the same IP 10.2.19.61.

                The UTM is managed by an external security company.

                Do you understand my problem?

                  viragomann @itob
                  last edited by May 16, 2023, 12:33 PM

                  @itob said in Access to external virtual IP from LAN:

                  It is possible to dial into this network from outside via VPN.
                  From there I can access the telephone system via 10.2.19.61.
                  Now I would like to access the telephone system with the same device within the LAN with the same IP 10.2.19.61.

                  So you agree that you access 10.2.19.61 from outside and inside as well?

                  Basically this should work with NAT reflection. However, you will need to masquerade forwarded packets.

                  Go to System > Advanced > Firewall & NAT and enable both options:

                  • Enable NAT Reflection for 1:1 NAT
                  • Enable automatic outbound NAT for Reflection

                  You can possibly set the NAT reflection mode in the NAT rule back to "system defaults".

                  Consider that with these settings the telephone system will see the LAN interface IP of pfSense as the source when accessing it.

                  1 Reply Last reply Reply Quote 0
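Why the outbound NAT option was the missing piece, shown as an added example that is not part of the original posts: a small Python model of one request and reply, using the addresses from the thread. The packet model is a simplification and assumes the telephone system uses pfSense as its default gateway; it also covers a client on a different subnet, which goes beyond the case discussed.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the packet model itself is a simplification.
LAN_NET = ip_network("172.16.0.0/16")      # LAN_1 subnet (pfSense is 172.16.11.80/16)
PFSENSE_LAN = ip_address("172.16.11.80")
VIP = ip_address("10.2.19.61")             # virtual IP on WAN1_FV
PHONE = ip_address("172.16.11.61")         # 1:1 NAT target
NOTEBOOK = ip_address("172.16.12.32")


def reflect(client, outbound_nat):
    """Trace one request/reply pair from an internal client to the VIP.

    Returns (source the phone system sees, source of the reply the client
    receives, whether the client accepts the reply).
    """
    # Request: the VIP is off-subnet, so the client sends it to pfSense.
    src, dst = client, VIP
    # 1:1 NAT reflection rewrites the destination to the internal host.
    dst = PHONE
    # Outbound NAT for reflection also rewrites the source to pfSense's LAN IP.
    if outbound_nat:
        src = PFSENSE_LAN
    seen_by_phone = src

    # Reply: the phone answers whatever source address it saw.
    r_src, r_dst = PHONE, seen_by_phone
    # It passes through pfSense only if addressed to pfSense or routed off-link
    # (assumption: pfSense is the phone's default gateway).
    via_pfsense = r_dst == PFSENSE_LAN or r_dst not in LAN_NET
    if via_pfsense:
        # pfSense's state entry undoes both rewrites on the way back.
        r_src, r_dst = VIP, client
    # Otherwise the reply is delivered on-link, still sourced from the phone.
    # The client connected to the VIP and only accepts replies from the VIP.
    return seen_by_phone, r_src, (r_src == VIP and r_dst == client)


def compare():
    return {
        "reflection only": reflect(NOTEBOOK, outbound_nat=False),
        "reflection + outbound NAT": reflect(NOTEBOOK, outbound_nat=True),
    }


if __name__ == "__main__":
    for name, (seen, reply_src, ok) in compare().items():
        print(f"{name}: phone sees {seen}, reply from {reply_src}, accepted={ok}")
```

With reflection only, the reply reaches the notebook directly from 172.16.11.61 and is discarded; with outbound NAT the phone system sees 172.16.11.80 as the source, as noted in the post above.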
                    itob
                    last edited by May 16, 2023, 1:29 PM

                    Thank you. Now the connection works.
                    It was still missing the outbound NAT for Reflection.
                    I have to test the telephony now. ;-)
