Internal clients accessing virtual IP



  • Dear Friends,

    My office's firewall broke, so I've just downloaded and installed pfSense.  I got it set up for Internet access and virtual IP addresses for my internal servers within 5-6 hours, mainly by guessing the setup through the WebGUI.  I mean the interface is just reasonably easy and I think this is great software, and I'm planning to replace my old firewall box with pfSense, but on another hardware box.  (I'm currently running pfSense on a virtual machine along with my other servers.)  Thanks for developing this great software.

    My configuration.

    My pfSense is set up at address x.x.x.206 (my public IP, hidden for security)
    I have a server connected to the LAN side, IP=192.168.1.7/24
    I set up a VIP x.x.x.203 (the first 3 x are the same as my pfSense virtual box)
    I set up NAT 1-1 from x.x.x.203 > 192.168.1.7
    I set up a firewall rule (Proto=TCP,Source=,Port=,Destination=192.168.1.7,Port=80,Gateway=*).

    A user from the Internet can access my web server without any problem.
    But a user from the LAN cannot access this web server via IP x.x.x.203.

    What setup/rule have I missed? Please advise.

    Thanks in advance.
    Tony.



  • You'll find a feature called "NAT reflection" at system>advanced (very bottom) which is disabled by default. This does exactly what you are asking for. However, it will only work for port forwards, not for 1:1 NATs. As you only seem to need one port (HTTP/80), I recommend changing the 1:1 NAT to a port forward instead. Then NAT reflection will work fine. You usually don't need an outbound NAT mapping for this, as the generated state will take care of this. If you for some reason have to map the server outgoing to the public IP (traffic that is not generated by incoming requests), you can do so by enabling advanced outbound NAT and adding a rule at firewall>nat, outbound (but for a pure webserver answering incoming requests, as I said, it's not needed).



  • Thanks Hoba,
    I enabled "NAT Reflection", then added the port forwarding as you said, and it just works!!!
    So I think I don't need my old firewall box again.

    Thanks again to all the pfSense team.  Let me know if there's anything you think I can help with.
    Tony.

