Route LAN to WAN/DMZ IP address?



  • Hey all,

I'm slowly getting my head around PFSense 1.2 RC3 (which I assume is 1.2.3? The "Versions" page makes no mention of 1.2 RC3), but I have a couple of questions, if I may:

1. We have a web address, which resolves to a Virtual IP, which is port forwarded to a web server on our DMZ. I've set it up so we can see the DMZ from our LAN, which is fine - we can browse to the web server using its DMZ private address. However, it would be good if I could use the FQDN to browse to the web server from inside the network. Since this resolves to a Virtual IP, I can't access it this way. I don't seem to be able to see any of the WAN IP addresses from the LAN. From most firewalls I've worked with, this is normal behaviour, but without messing around with DNS inside our LAN, any suggestions on which rules/routes I might need to get a response from this Virtual (public) IP from our LAN?

    2. At the moment, I have a rule which says allow source:lan destination :any. I will be tying this down - but it seems that when I make the rule allow source:lan and destination:wan address, internet access stops. What am I doing wrong? Obviously, when I tie this down, I'll want rules that say allow source:lan destination:wan port:whateverIneed. For instance, I don't want a rule that says
      allow port:53 source:lan destination:any
      because that will leave port 53 open from the LAN to the DMZ. Not necessarily a huge risk, but how do I tie down these outbound rules to say source:lan destination:internet?

    Anyway, hope these make sense - thanks in advance.

    dsteel0



  • hi

1. you have two options here… either enable nat reflection in the advanced configuration, or use a split dns. the pfsense dns forwarder is very handy for the split dns.

2. the wan address means just the wan interface. for internet addresses you must use 'any' as the destination. use in conjunction with block rules for specific restrictions. the NOT option is also handy.

    gordon
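To make point 2 concrete, here is an added example (not code from the thread or from pfSense) that models first-match rule evaluation with an implicit default deny, which is how pfSense processes rules on the interface where traffic enters. The subnets, the WAN interface IP and the host addresses are all constructed for the illustration. It shows why a pass rule with destination "WAN address" only matches the firewall's own interface IP and leaves internet traffic at the default deny, and how the "block DMZ above pass any" pattern and the NOT option both restrict LAN-to-DMZ DNS while still letting DNS out to the internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addresses; none of these come from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # "LAN subnet"
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")       # "DMZ subnet"
WAN_ADDRESS = ipaddress.ip_network("203.0.113.10/32")  # "WAN address": the interface IP only
ANY = None                                             # destination "any"

LAN_HOST = ipaddress.ip_address("192.168.1.50")
DMZ_HOST = ipaddress.ip_address("192.168.2.10")
WAN_HOST = ipaddress.ip_address("203.0.113.10")        # the firewall's own WAN IP
INTERNET_HOST = ipaddress.ip_address("198.51.100.53")  # some resolver out on the internet


@dataclass
class Rule:
    action: str                                # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]       # None means any source
    dst: Optional[ipaddress.IPv4Network]       # None means any destination
    port: Optional[int] = None                 # None means any destination port
    dst_not: bool = False                      # invert the destination match (the NOT option)

    def matches(self, src, dst, port) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            # plain match needs in_dst True; NOT match needs in_dst False
            if in_dst == self.dst_not:
                return False
        if self.port is not None and port != self.port:
            return False
        return True


def evaluate(rules, src, dst, port) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "block"


# The poster's first attempt: destination "WAN address" only covers the interface IP,
# so a packet bound for the internet falls through to the default deny.
WAN_ADDRESS_RULESET = [Rule("pass", LAN_NET, WAN_ADDRESS)]

# Tied-down DNS: a block for the DMZ sits above a pass to "any".
BLOCK_THEN_PASS_RULESET = [
    Rule("block", LAN_NET, DMZ_NET, port=53),
    Rule("pass", LAN_NET, ANY, port=53),
]

# Same effect in a single rule using NOT on the destination.
NOT_RULESET = [Rule("pass", LAN_NET, DMZ_NET, port=53, dst_not=True)]


def summarise():
    """Return the verdict of each ruleset for the two interesting destinations."""
    cases = {
        "wan_address/internet:80": evaluate(WAN_ADDRESS_RULESET, LAN_HOST, INTERNET_HOST, 80),
        "wan_address/wan_ip:80": evaluate(WAN_ADDRESS_RULESET, LAN_HOST, WAN_HOST, 80),
        "block_then_pass/internet:53": evaluate(BLOCK_THEN_PASS_RULESET, LAN_HOST, INTERNET_HOST, 53),
        "block_then_pass/dmz:53": evaluate(BLOCK_THEN_PASS_RULESET, LAN_HOST, DMZ_HOST, 53),
        "not_rule/internet:53": evaluate(NOT_RULESET, LAN_HOST, INTERNET_HOST, 53),
        "not_rule/dmz:53": evaluate(NOT_RULESET, LAN_HOST, DMZ_HOST, 53),
    }
    return cases


if __name__ == "__main__":
    for name, verdict in summarise().items():
        print(f"{name:32} {verdict}")
```

Rule order matters in the block-then-pass form: if the pass-to-any rule were listed first it would match the DMZ packet before the block rule was ever consulted, which is the usual way such restrictions silently fail.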



  • Gob,

    Thanks for the reply. I enabled reflection and it works like a charm! I don't know how I didn't see this before.

    I guess if internet addresses must use destination:any, then "not" rules will be the way to go to block off unwanted ports. Thanks for the advice.

    Many thanks for taking the time to get back to me.

    Cheers,
    dsteel0



  • No problem.

    a word of warning… I have had some strange effects using NAT reflection with port forwarding, VPNs and Multiple WANs.
    If you see anything odd happening that doesn't make sense, try disabling the NAT reflection first.



  • @dsteel0:

    Hey all,

    I'm slowly getting my head around PFSense 1.2 RC3 (which I assume is 1.2.3? The "Versions page makes no mention of 1.2 RC3), but I have a couple of questions, if I may:

RC versions are release candidate versions, all of them old and outdated by now and not recommended for normal use unless there's a good reason for using them. 1.2.3 is the latest official release of pfSense.

