Netgate Discussion Forum

    NAT port forwarding by localhost

    Category: NAT. 6 Posts, 3 Posters.
    • Soloam

      I have a service that I'm port forwarding from the WAN to my local network! I need to access this service on the WAN port because it needs to assume the public IP! I activated NAT reflection on the rule and now I can access the service from all my PCs on the network, and it works! The problem is pfSense! I need it to access the service from the localhost, but it seems it's failing. I keep getting connection refused and it looks like it's not assuming the NAT!

      Is there a reason for my localhost not assuming the NAT port forwarding on my WAN interface? I basically want to access the service as if I was outside of my home!

      Thank you!

      • johnpoz (LAYER 8 Global Moderator) @Soloam

        @Soloam if you forward it to loopback, the service would need to be running on loopback.. What specific services are you running on pfSense that you want to allow remote access to?

        I send traffic to loopback on a port that haproxy listens on. But I use the port share feature in OpenVPN: if it's not OpenVPN traffic it sends it to 127.0.0.1:9443, which my haproxy listens on and sends to a webserver behind pfSense.

        Or is it that you want pfSense to hit its loopback and be sent to this client behind pfSense?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Soloam

          Hello @johnpoz, thank you for the reply!

          I called it a service and probably it was not the best name! The service is not a pfSense service, but a service running on another machine on my network; in this case it's a DERP relay for a Tailscale network, that I'm running on another machine.

          I'm forwarding the WAN port 9443 to the machine IP on that port. If I do this from another machine it works, from outside and inside my home! But pfSense fails.

          Thank you

          • SteveITS (Galactic Empire) @Soloam

            @Soloam I don't know why you would need or want to connect to anything on pfSense itself; however, you might try a host override instead of port forwarding.

            https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#nat-splitdns

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • johnpoz (LAYER 8 Global Moderator) @SteveITS

              Exactly - NAT reflection is a horrible solution to a specific sort of problem.. where your client behind pfSense is not using your local DNS or has your WAN IP hard coded in what it's trying to access.

              If you want pfSense to access some resource on your local network - why would you not resolve some FQDN to the IP, or use the local IP to get to the service?

              As to Tailscale - why would you not just run that on pfSense directly? Running any sort of VPN inside your edge device can be problematic - asymmetrical routing comes to mind, along with hairpinning of traffic flow for no real reason, etc.


              • Soloam

                Let me see if I can explain my problem... I'm running Tailscale in pfSense (in the end that is the main problem). I'm also running on my network Headscale (an open source, self-hosted alternative to pfsense servers) and also a DERP relay server, self hosted, to use my own relay server and decentralize from Tailscale servers.

                DERP relay servers, when configured on Tailscale clients, need to be accessed directly from the public IP, so it can know all the public IPs to route the traffic. This rules out making split DNS and accessing the DERP server by local IP address... Tried it and it says that the range of IPs is not valid. So I need to access the DERP server making my local service "believe" that the connection is from the public IP.

                If I access it from outside my home the NAT forwards the traffic and all works OK... When I'm inside my home I need to access it by the WAN interface, and this works with the NAT Reflection, allowing me to access the WAN interface and "follow" the NAT forwarding rules... This works OK for ALL my devices! But pfSense, that also has a Tailscale client installed, does not seem to be following these forwarding rules! When it tries to access the WAN interface I have a message saying that it was denied, and this only happens in pfSense; all other devices work.
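An added diagnostic, not part of the thread and not pfSense or Netgate code, that makes the behaviour described above visible from the firewall's own shell. pf's rdr (port-forward) rules are bound to the interface a packet arrives on, and the WAN and internal interfaces are where pfSense installs the forward and its reflection rules; a connection that pfSense itself opens to its own WAN address never arrives on either of those interfaces (it is delivered locally over lo0), so no rdr matches it and the connection is refused or denied. The script lists which interfaces carry an rdr for a port, using the output of `pfctl -sn` on a real box; the rule text, interface names (em0 = WAN, em1 = LAN) and addresses embedded below are constructed sample data and the line format is an approximation of pfctl's.

```sh
#!/bin/sh
# Added example: report which interfaces carry a pf rdr rule for a given port.
# On pfSense you would feed in the live listing with:  pfctl -sn | <this script>
# Here a constructed sample is used so the script runs stand-alone.

# Constructed sample of `pfctl -sn` output (documentation address ranges).
# Line 1: the WAN port forward; line 2: the NAT-reflection copy on LAN;
# line 3: a "no rdr" exception that must not be counted as a forward.
SAMPLE_RULES='rdr on em0 inet proto tcp from any to 203.0.113.5 port = 9443 -> 192.168.1.50
rdr on em1 inet proto tcp from 192.168.1.0/24 to 203.0.113.5 port = 9443 -> 192.168.1.50
no rdr on em0 inet proto tcp from any to any port = 22'

# rdr_interfaces PORT [RULES]
# Prints, one per line and de-duplicated, every interface that has an rdr rule
# matching destination PORT. RULES defaults to the live pfctl listing.
rdr_interfaces() {
    port=$1
    rules=${2:-$(pfctl -sn 2>/dev/null)}
    printf '%s\n' "$rules" \
        | grep -E '^rdr (pass )?on ' \
        | grep -E "port = $port( |\$)" \
        | sed -E 's/^rdr (pass )?on ([^ ]+) .*/\2/' \
        | sort -u
}

# local_forward_present PORT [RULES]
# Exit status 0 if an rdr for PORT is bound to lo0, the only place a
# connection that the firewall itself makes to its own WAN IP could be
# redirected; 1 otherwise.
local_forward_present() {
    rdr_interfaces "$1" "$2" | grep -qx 'lo0'
}

# report PORT [RULES]
# Human-readable summary for the operator.
report() {
    echo "rdr rules for port $1 bound to: $(rdr_interfaces "$1" "$2" | tr '\n' ' ')"
    if local_forward_present "$1" "$2"; then
        echo "lo0 rdr present: connections from pfSense itself can be redirected"
    else
        echo "no lo0 rdr: connections from pfSense itself to its WAN IP are not forwarded"
    fi
}

report 9443 "$SAMPLE_RULES"
```

With the sample data the report shows the forward on em0 and em1 only, which is exactly the situation in the thread: every host behind the LAN interface is covered, the firewall itself is not. Resolving the relay's name to its LAN address from pfSense (the host override suggested above) sidesteps the rdr path entirely rather than trying to add one on lo0.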

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.