Reach webserver by public IP from within LAN
-
Hi, I know my question has been asked before so I'm going to spice it up a bit with some extra issues ;)
We use pfSense 1.2.3 and we depend heavily on that version's IPSec's NAT Traversal possibility, which is absent in newer versions, so upgrading is not yet an option.
Our LAN is on subnet 10.0.0.0/24. Clients and servers, also a couple of public servers, are all on that same subnet.
We have sixteen public IP addresses and most of those are mapped 1:1 to public servers, for example 123.123.123.101 is mapped to mailserver 10.0.0.101 and 123.123.123.102 is mapped to webserver 10.0.0.102. The servers are mapped 1:1 because we like to be able to ping them from the internet in order to check if they're online. I know there are alternatives to that and we use most of them. We'd like to stick to 1:1. Our users connect to our webserver's public IP when they're at home, then come in to the office and try to connect to it again but then it doesn't work. It doesn't because they're sent to the server's public IP address, which is unreachable from the LAN.
I work around this by adding the site's DNS to our local DNS server and having the users flush their DNS caches when they can't connect. This works fine for most users for most of the time. However, I would really like to have pfSense redirect traffic from the LAN to our server's public IP to the server's internal IP address.
This is what I have tried:
- unchecked System > Advanced > Disable NAT Reflection
- Firewall: NAT: Port Forward - played around with External Address, NAT IP and the Interface setting
- Firewall: NAT: Outbound - set Manual Outbound NAT rule generation
- Firewall: NAT: Outbound - tried different combinations of settings to create rules
I'm not sure if the Disable NAT Reflection checkbox influences the other three options so I tried everything with Disable NAT Reflection on and then with Disable NAT Reflection off.
Once I did get the server to respond to its public IP address from within the LAN (I created a port forward rule using port 80) but then our site was the only site still reachable, i.e. we couldn't get to any other sites on the internet :P
It seems there aren't enough options in pfSense's web interface to set all the things I need.
My questions:
- Am I doing it right?
1a) if not: how should I go about making our webserver available through its public IP from within our LAN?
1b) if I'm doing it right and my conclusion is correct (not enough options in web-if) then how can I do it from the command line? I have some experience administering FreeBSD machines, I know how to edit config files with vi, move about in the OS and do basic troubleshooting but that's about it.
- Are there any plans to make this easier in pfSense?
Like I said I'm using our internal (Active Directory) DNS server to work around the problem, but that only works 90% of the time because of various reasons and I know pfSense is able to provide the correct solution, just can't figure out how to tell that to our pfSense router.
Thanks for taking the time to read this post :)
-
Are those IP addresses selectable when you create a port forward for the WAN connection? If so, try creating port forwards on WAN to those IP addresses when you have NAT reflection enabled. NAT reflection basically works by creating a copy of your WAN port forward as a LAN port forward. You did say that a LAN port forward worked for getting access, but that probably had "any" selected for the external address field.
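The "LAN copy of the WAN forward" that ShadowFlare describes, written out as pf rules for the addresses in this thread so the mechanism is visible. This is an added illustration, not ShadowFlare's reply or the rule set pfSense generates; the interface names em0/em1 are assumed, and on pfSense 1.2.3 the live rules are generated into /tmp/rules.debug, so hand edits there are overwritten when the GUI regenerates them.

```pf
# Constructed pf fragment for the addresses in this thread (example, not a
# pfSense-generated ruleset). Interface names are assumed.
ext_if    = "em0"               # WAN
lan_if    = "em1"               # LAN, 10.0.0.0/24
lan_net   = "10.0.0.0/24"
web_pub   = "123.123.123.102"   # public 1:1 address of the webserver
web_int   = "10.0.0.102"        # the webserver's LAN address
web_ports = "{ 80, 443 }"

# The normal WAN-side 1:1 mapping (what the GUI already creates).
binat on $ext_if from $web_int to any -> $web_pub

# NAT reflection, step 1: a LAN-side copy of the forward. A LAN client that
# sends to 123.123.123.102:80 has the destination rewritten to 10.0.0.102.
# The destination must be the public IP, not "any": with "any" every web
# request from the LAN would land on the internal server, which is the
# "only our own site is reachable" symptom from the first post.
rdr on $lan_if proto tcp from $lan_net to $web_pub port $web_ports -> $web_int

# Step 2 (hairpin): rewrite the source to the firewall's LAN address. Without
# this the server answers the client directly on the shared subnet, the client
# sees a reply from 10.0.0.102 for a connection it opened to 123.123.123.102,
# and the connection is reset.
nat on $lan_if proto tcp from $lan_net to $web_int port $web_ports -> ($lan_if)

# Filter rule for the reflected traffic; the state entry carries the replies.
pass in quick on $lan_if proto tcp from $lan_net to $web_int port $web_ports keep state
```

Check the syntax with `pfctl -nf <file>` before loading, and confirm the translation rules are active with `pfctl -s nat`.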
-
That helped, although I did try that before! Apparently I have not been doing it right. Thank you very much, ShadowFlare!