How to subject traffic on the same subnet to NAT rules?
-
I have a server and some clients on the same subnet on my LAN.
The server has multiple services running with each on a unique port.
The server also has Nginx Proxy Manager set up on it to take care of making the names look nice.
I'm using split DNS and pointing the host names to the NPM. This is working fine from the public, and from the other subnets on my LAN, but the clients on the same subnet are not getting the proper results. I understand it's because that traffic is not hitting the FW, so it's not NATing correctly.
I found this article, but don't know enough to translate its steps into a usable solution on pfSense:
Port forwarding inside local network
I also have another server directly connected to the pf box on its own subnet and obviously that one works fine serving the same types of services. I have a Mokerlink 8 port managed switch that is VLAN capable. If it's possible to set up 3 of its ports to only pass traffic between themselves and up to the pf box, I'd be okay going that way too. But I don't know enough about VLANs to make that work without some handholding there either.
If there's another solution that doesn't involve buying more hardware, I'm all ears/eyes.
I'm very grateful for all the help I've gotten here in the past and I hope I can get some good advice on this issue.
-
@tknospdr If you do split-DNS you don't have to NAT. Maybe you have NAT Reflection on? Try disabling it and see if that helps.
-
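As an added example (not code from this thread, from pfSense or from Nginx Proxy Manager), here is a small check a LAN client can run to confirm what the reply above relies on: with split DNS, every proxied hostname must resolve to the reverse proxy's internal address, so the client never crosses the firewall and no NAT reflection is involved. A name that still resolves to the WAN address is missing its DNS host override, which is exactly the case where a client on the proxy's own subnet fails without hairpin NAT. The proxy address 192.168.2.2, the three LAN subnets and the hostnames are taken from the thread as assumptions, not verified facts.

```python
"""Split-DNS sanity check for a setup like the one in this thread.

Added example, not code from the thread, pfSense or Nginx Proxy Manager.
Run it on a LAN client: each proxied hostname should resolve to the internal
address of the reverse proxy. A hostname that resolves to the WAN address is
missing its DNS override, and only NAT reflection (hairpin NAT) on pfSense
could make a same-subnet client reach it.

Assumptions (taken from the thread, not verified): NPM listens on
192.168.2.2 and the LAN subnets are 192.168.2.0/24, 192.168.4.0/24 and
10.100.10.0/24.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

PROXY_IP = ipaddress.ip_address("192.168.2.2")  # assumed NPM address
LAN_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("192.168.2.0/24", "192.168.4.0/24", "10.100.10.0/24")  # assumed
]

# Hostnames from the thread that are meant to be served through NPM.
PROXIED_HOSTS = [
    "macmini.technospider.com",
    "nc.technospider.com",
    "nginx.technospider.com",
    "mokerlink.technospider.com",
    "ont.technospider.com",
]

# Verdicts, worst first, so a name with mixed answers reports its worst one.
SEVERITY = ["public", "lan", "unresolved", "proxy"]


def classify(address: str) -> str:
    """Classify one A-record answer for a hostname that should hit the proxy.

    proxy  - split DNS works; the client talks to NPM directly, no NAT involved
    lan    - points at another LAN host (e.g. the backend instead of the proxy)
    public - not a LAN address, i.e. the WAN side: the override is missing,
             so a client on the proxy's own subnet would need NAT reflection
    """
    ip = ipaddress.ip_address(address)
    if ip == PROXY_IP:
        return "proxy"
    if any(ip in net for net in LAN_SUBNETS):
        return "lan"
    return "public"


def check(hosts: Iterable[str], resolve: Callable[[str], List[str]]) -> Dict[str, str]:
    """Resolve each host with `resolve` and return {host: worst verdict}."""
    report: Dict[str, str] = {}
    for host in hosts:
        answers = resolve(host)
        if not answers:
            report[host] = "unresolved"
            continue
        verdicts = {classify(a) for a in answers}
        report[host] = min(verdicts, key=SEVERITY.index)
    return report


def system_resolve(host: str) -> List[str]:
    """IPv4 answers from this client's configured resolver (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Run from a client on 192.168.2.0/24: every line should read "proxy".
    for host, verdict in check(PROXIED_HOSTS, system_resolve).items():
        print(f"{host:32} {verdict}")
```

Run it once from a client on the proxy's subnet and once from another subnet; the two reports should be identical. Any "public" line means the pfSense DNS Resolver (or whatever serves split DNS) has no override for that name, and that client is hitting the WAN address instead of NPM.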
@Bob-Dig

Server @ 192.168.2.2 hosting:
TrueNAS web gui : 60443
Collabora : 9980
NextCloud : 40443
Nginx PM : 443

Server @ 192.168.4.14 hosting:
TrueNAS web gui : 443
Plex : 32400 int - 32907 ext
Portainer : 31015
Preroll Plus : 4949
Wordpress : 30040 int - 80 ext
Xwiki : 8080

pfSense @ 192.168.2.1 : 443
Mokerlink switch @ 192.168.2.254 : 80
AT&T ONT @ 192.168.1.254 : 80
Synology rt6600ax @ 10.100.10.9 : 8001

Fiber to ONT > ONT to pfSense WAN0
pf LAN1 > Mokerlink > wired network including the 2.2 server
pf LAN2 > 4.14 server direct connect
pf LAN3 > Synology wifi router > wifi networks

How would you set things up so that you have the same experience both internally and externally for the following set of host/domain names?

192.168.2.2:
macmini.technospider.com points to the web gui
macmini.technospider.com:9980 points to the collabora service
nc.technospider.com points to Nextcloud service
nginx.technospider.com points to NPM

192.168.4.14:
macbookpro.technospider.com points to web gui
plex.technospider.com points to plex service
portainer.technospider.com points to portainer service
preroll.technospider.com points to preroll plus service
wordpress.technospider.com points to wordpress service
checkin.technospider.com points to xwiki service
xwiki.technospider.com points to xwiki service

pfsense.technospider.com
mokerlink.technospider.com
ont.technospider.com
rt6600ax.technospider.com

The mokerlink and ont don't have a way to host their own certificates so they need to go through the NPM in order to be served securely.
-
@tknospdr said in How to subject traffic on the same subnet to NAT rules?:
How would you set things up so that you have the same experience both internally and externally for the following set of host/domain names?
For me it is working. I have NPM as a docker container. It can serve towards other docker containers on the same host and towards other machines elsewhere. I don't use NAT reflection. But my setup might be slightly different than yours. Maybe others have an idea.
-
Alright, I'm not sure what I did wrong the first time, but I tore down everything and started over and it seems to all be working this time.
The only thing I did differently was that the first time I had the proxy manager listening on port 30200 and then had to port forward 443 to 30200 in pf.
I did this due to threads on the TrueNAS saying that its GUI needed to stay on the default ports in order for replication tasks to work correctly.
This time I put the PM on the default ports and figured out how to get the replication tasks working on higher ports. ¯\_(ツ)_/¯
-
I have one new issue since rebuilding. Plex no longer is accessible from outside the local network. I didn't change the ports it was listening on, I didn't change the FW rules forwarding traffic to it. I didn't change the ACL that nginx was using to allow access.
It's got to be something internal to the way I laid out my internal network that's blocking the path somewhere along the way.
Any ideas how to troubleshoot that to find the kink in the hose?
-
Alright, that was an easier fix than I thought.
After I thought about it for a few minutes, I realized that since I moved the proxy manager to another subnet I had to choose it in the UPnP service in pf too.