Servers behind firewall cannot access other servers behind firewall
xenotel last edited by
I have a strange problem and I am sure its me.
I have a pfSense firewall with LAN and WAN connections. The LAN connection terminates in the switch as well as 3 UNIX servers also terminate in the switch. They have one LAN card and get their IP from pfSense as DHCP clients. I have their external IPs set up as Virtual IPs and 1:1 NATing from External to Internal IP with associated rules to allow various ports access to the servers.
This all works fine from external to the firewall but when I try to SSH from one backend server to the other using the external address or domain name, the connection is answered by pfSense's SSH daemon. It seems like pfSense doesn't know I am trying to route through it back to the servers behind it.
Any help - I have been fighting this for weeks.
"I try to SSH from one backend server to the other using the external address or domain name, the connection is answered by pfSense's SSH daemon"
Well why and the hell would you do that?? Access them via their private IPs or local private names. Why access them off external IP just to be forwarded back inside when if you used local IP or local name resolution you wouldn't even talk to pfsense and would it would just be a switched connection.
I have never understood why someone would ever want to bounce of something there is no reason too..
But if you have your heart set on using external names and don't want to do it the correct way where they would resolve to local IPs since your local - then turn on nat reflection.
xenotel last edited by
I have seen your replies like this in other posts.. And I am grateful for your answer but not the tone. I would agree that connecting to the servers behind the firewall work with private IPs just fine. Sometimes applications are connecting to services locally but those services may be failed over to another data center from time to time. I wanted prevent a lot of reconfiguration and I would prefer to use the external routing whether the other server is local or not. I think the question was valid when considering that we are all learning every day and doing our best trying to manage a business, work on routers, code an application and take out the trash.
Again - thanks for the reply.
craigduff last edited by
Have you tried enabling the loop back configuation, to allow using External Ips?