    Route LAN to WAN/DMZ IP address?

    Routing and Multi WAN
    dsteel0:

      Hey all,

      I'm slowly getting my head around pfSense 1.2 RC3 (which I assume is 1.2.3? The "Versions" page makes no mention of 1.2 RC3), but I have a couple of questions, if I may:

      1. We have a web address, which resolves to a Virtual IP, which is port forwarded to a web server on our DMZ. I've set it up so we can see the DMZ from our LAN, which is fine - we can browse to the web server using its DMZ private address. However, it would be good if I could use the FQDN to browse to the web server from inside the network. Since this resolves to a Virtual IP, I can't access it this way. I don't seem to be able to see any of the WAN IP addresses from the LAN. From most firewalls I've worked with, this is normal behaviour, but without messing around with DNS inside our LAN, any suggestions on which rules/routes I might need to get a response from this Virtual (public) IP from our LAN?

      2. At the moment, I have a rule which says allow source:lan destination:any. I will be tying this down - but it seems that when I make the rule allow source:lan and destination:wan address, internet access stops. What am I doing wrong? Obviously, when I tie this down, I'll want rules that say allow source:lan destination:wan port:whateverIneed. For instance, I don't want a rule that says
        allow port:53 source:lan destination:any
        because that will leave port 53 open from the LAN to the DMZ. Not necessarily a huge risk, but how do I tie down these outbound rules to say source:lan destination:internet?

      Anyway, hope these make sense - thanks in advance.

      dsteel0

      Gob:

        hi

        1. You have two options here… either enable NAT reflection in the advanced configuration, or use split DNS. The pfSense DNS forwarder is very handy for the split DNS.

        2. The WAN address means just the WAN interface. For Internet addresses you must use 'any' as the destination. Use in conjunction with block rules for specific restrictions. The NOT option is also handy.

        gordon

        If I fix one more thing than I break in a day, it's a good day!

        dsteel0:
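The second point above (the "WAN address" alias covers only the firewall's own WAN interface IP, so Internet-bound traffic has to be matched with "any" and then narrowed with block rules or the NOT option) can be checked before touching a production box by modelling pfSense's first-match evaluation of the rules on an interface tab. The following is an added example, not code from the thread or from pfSense; the LAN, DMZ and WAN addressing, the probe hosts and the helper names are all constructed for illustration, and protocol and source port are ignored for simplicity.

```python
"""First-match rule evaluation as pfSense applies it to the rules on an
interface tab (each rule is implicitly "quick").  Added illustration; the
networks, addresses and rule sets below are constructed, not taken from any
real configuration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing for the example.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("10.0.1.0/24")
WAN_ADDR = ip_network("203.0.113.10/32")   # "WAN address" alias: the WAN interface IP only
ANY = ip_network("0.0.0.0/0")
LAN_PC = "192.168.1.20"                    # a LAN client (constructed)
DMZ_WEB = "10.0.1.80"                      # the DMZ web server (constructed)
INTERNET_HOST = "198.51.100.53"            # some public host (constructed)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int] = None   # destination port; None means any port
    dst_not: bool = False        # the "not" checkbox on the destination field

    def matches(self, src: str, dst: str, port: int) -> bool:
        if ip_address(src) not in self.src:
            return False
        in_dst = ip_address(dst) in self.dst
        if in_dst == self.dst_not:       # "not" inverts the destination match
            return False
        return self.port is None or self.port == port


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "block"


# Attempt 1: destination "WAN address".  Only the firewall's own WAN IP
# matches, so nothing bound for the Internet ever passes.
WAN_ADDRESS_ONLY = [Rule("pass", LAN_NET, WAN_ADDR)]

# Attempt 2: destination "any" reaches the Internet but also opens 53 to the DMZ.
ANY_DNS = [Rule("pass", LAN_NET, ANY, port=53)]

# Tightened: an explicit block ahead of the pass, or the equivalent "not DMZ net".
BLOCK_THEN_PASS = [
    Rule("block", LAN_NET, DMZ_NET, port=53),
    Rule("pass", LAN_NET, ANY, port=53),
    Rule("pass", LAN_NET, DMZ_NET, port=80),
]
NOT_DMZ = [
    Rule("pass", LAN_NET, DMZ_NET, port=53, dst_not=True),
    Rule("pass", LAN_NET, DMZ_NET, port=80),
]

PROBES = [  # (label, destination, destination port)
    ("dns-to-internet", INTERNET_HOST, 53),
    ("dns-to-dmz", DMZ_WEB, 53),
    ("http-to-dmz", DMZ_WEB, 80),
]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each probe sent from the LAN client through the given rule set."""
    return {label: evaluate(rules, LAN_PC, dst, port) for label, dst, port in PROBES}


if __name__ == "__main__":
    for name, rules in [("wan-address-only", WAN_ADDRESS_ONLY), ("any-dns", ANY_DNS),
                        ("block-then-pass", BLOCK_THEN_PASS), ("not-dmz", NOT_DMZ)]:
        print(f"{name:17} {verdicts(rules)}")
```

Because evaluation stops at the first match, the block rule in BLOCK_THEN_PASS only works when it sits above the pass-to-any rule; swapping the two silently reopens port 53 to the DMZ, which is the kind of ordering mistake worth testing for before tightening a live ruleset.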

          Gob,

          Thanks for the reply. I enabled reflection and it works like a charm! I don't know how I didn't see this before.

          I guess if internet addresses must use destination:any, then "not" rules will be the way to go to block off unwanted ports. Thanks for the advice.

          Many thanks for taking the time to get back to me.

          Cheers,
          dsteel0

            Gob:

            No problem.

            A word of warning… I have had some strange effects using NAT reflection with port forwarding, VPNs and multiple WANs.
            If you see anything odd happening that doesn't make sense, try disabling the NAT reflection first.

            If I fix one more thing than I break in a day, it's a good day!

              kpa:

              @dsteel0:

              Hey all,

              I'm slowly getting my head around pfSense 1.2 RC3 (which I assume is 1.2.3? The "Versions" page makes no mention of 1.2 RC3), but I have a couple of questions, if I may:

              RC versions are release candidate versions, all of them old and outdated by now and not recommended for normal use unless there's a good reason for using them. 1.2.3 is the latest official release of pfSense.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.