Web site on DMZ can't connect from LAN



  • I have just set up a pfSense firewall and have almost everything working.

    I have my web site and mail server set up on the DMZ using 1:1 NAT.
    I have the rest of my network on the LAN.

    Everything works from outside when I connect to the DMZ, but when connecting from the LAN I cannot use the real IP address or domain name (times out).

    I have read a little about NAT reflection, I think it's called. Is this what I need to enable? (It didn't seem to help when I enabled it, if this is the answer.)
    OR
    Do I need to put my DMZ connections in my DNS server on the LAN?
    OR
    Is there something else I need to do?

    Thanks for any help
    SFM



  • NAT reflection only works for single port forwards and only for port ranges of less than 500 ports. It doesn't work for 1:1 NAT. Either use a port forward for your DMZ server instead of a 1:1 NAT, or use a split DNS setup like you already mentioned (make the LAN DNS resolve the domain name to the internal DMZ IP of the server).



  • Thanks for your quick reply.

    I will give the split DNS setup a try.



  • You may be able to install port forwards on top of the 1:1 for the services you wish to reach from the DMZ. Give it a try.



  • If I am sitting on the LAN and want to go to a server on the DMZ using the real outside IP address.

    Is this possible?

    I know I can use the fake address and get there, but is there a setting or something to use real IPs on the LAN?

    The reason I ask is because I have a server that is accessed by using the real IP address from outside.
    Users on the LAN are used to using this IP and I would like them to continue using it from the LAN.

    Is this possible?

    Thanks,
    SFM



  • Yes, if you use port forwards and turn on NAT reflection at System > Advanced. Won't work for 1:1 NATs. Maybe my answer above was not clear enough.



  • Can you use an email server behind port forwarding?

    I have heard there are issues with sending out email using port forwarding, because the email message leaves the network under the IP of the firewall and not the IP of the mail server.

    Is this a true statement?

    What reason is there for using 1:1 over port forwarding?



  • You can use advanced outbound NAT for this, if you need the email server to use a VIP. Basically 1:1 NAT is a combination of port forwarding all ports and advanced outbound NAT for this host. As your mail server only needs a few ports (maybe even only port 25 to receive and send mail), a port forward with an appropriate advanced outbound rule gives you NAT reflection to be used on the LAN.
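The distinction the answers above draw (a 1:1 NAT versus a port forward plus an outbound NAT rule for the same host, and what NAT reflection has to do for a LAN client that uses the public address) is easiest to see in pf's own rule syntax, which pfSense generates under the hood. The fragment below is an added example written for this thread, not rules taken from pfSense's generated ruleset or from anyone posting here; the interface names, the LAN subnet, the public address 203.0.113.5 and the DMZ host 10.0.1.30 are made up, and it uses the FreeBSD pf syntax of the pfSense 1.x/2.x era (nat/rdr/binat translation rules), not the match/nat-to syntax of newer OpenBSD pf.

```pf
# Hypothetical pf ruleset fragment (FreeBSD pf syntax), written for this
# thread. Interfaces, networks and addresses are made up for the example.
ext_if  = "em0"            # WAN
lan_if  = "em1"            # LAN
dmz_if  = "em2"            # DMZ
lan_net = "192.168.1.0/24"
ext_ip  = "203.0.113.5"    # public (virtual) IP of the mail server
mail    = "10.0.1.30"      # mail server's DMZ address

# Variant A: 1:1 NAT. binat rewrites every port in both directions, so
# inbound traffic to $ext_ip reaches the DMZ host on any port and the
# host's outgoing mail leaves the WAN as $ext_ip. This is the case the
# thread says NAT reflection does not cover.
binat on $ext_if from $mail to any -> $ext_ip

# Variant B: port forward + outbound NAT for the same host (use A or B,
# not both). Only port 25 is exposed inbound; the nat rule makes the
# server's own outbound connections leave as $ext_ip instead of the
# firewall's WAN address, which answers the "mail leaves under the
# firewall's IP" concern above.
rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail port 25
nat on $ext_if from $mail to any -> $ext_ip

# NAT reflection for Variant B. A LAN client that connects to the public
# address is redirected to the DMZ host, and its source is rewritten to
# the firewall's DMZ address. Without that second rule the DMZ server
# would answer the LAN client directly (it is on a directly reachable
# network), the reply would never pass back through the translation,
# and the client would see the connection time out.
rdr on $lan_if proto tcp from $lan_net to $ext_ip port 25 -> $mail port 25
nat on $dmz_if proto tcp from $lan_net to $mail port 25 -> ($dmz_if)

# Filter rules. pf evaluates these after translation, so they match on
# the translated (DMZ) destination, not on $ext_ip.
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $mail port 25 flags S/SA keep state
```

Variant A and Variant B are alternatives for the same host; load one or the other. The reflection pair (an rdr on the LAN side plus a source nat toward the DMZ host) is the general shape of what a "NAT reflection" option has to produce per forwarded port, which is why it is tied to individual port forwards rather than to a binat that covers every port.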



  • Thanks for your help,

    I have one last question:

    "NAT reflection only works for single port forwards and only for port ranges of less than 500 ports. It doesn't work for 1:1 NAT. Either use a port forward for your DMZ server instead of a 1:1 NAT, or use a split DNS setup like you already mentioned (make the LAN DNS resolve the domain name to the internal DMZ IP of the server)."

    When you say "NAT reflection only works for single port forwards", does that mean you have to have a separate rule for every port you want to forward?
    or
    You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ, meaning you have 3 servers with port 80 open on each server)

    Thanks again,
    SFM



  • @SFM:

    You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ, meaning you have 3 servers with port 80 open on each server)

    I don't get that part of your question, but NAT reflection will work for all port forwards that you add if the range of the port forward is less than 500 ports.

