Enabling loopback functionality



  • How do I enable loopback functionality in pfsense?

    Let's say I have a media server that can be accessed by typing http://192.168.1.210:port/ from the LAN side. I set up a NAT port forwarding rule for that so that I can access it from outside the LAN by using http://external_ip:port/ . When I'm typing http://external_ip:port/ from inside the LAN though, I cannot access the server. This is a loopback problem, right?



  • In a word "No"

    Loopback is a virtual NIC implemented in software. Any address in 127.0.0.0/8 is a loopback address and is pingable only on the host. In pfSense we bind some programs to the loopback, such as TinyDNS, for security reasons.

    Packet capture is your friend. If you download Wireshark and do a packet capture on the firewall, you can pull the file off the firewall and play it back on your PC to see exactly what is happening. There are some good beginners' guides to Wireshark on YouTube, and it is a tool that you really should be able to use if you do any network fault finding.





  • I really should make sure I've had a second morning coffee before posting. I completely missed the bit about accessing the external address from inside the LAN  ;D



  • @cmb:

    Reflection is what you're looking for.
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    Is there a disadvantage of using NAT reflection though?



  • Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.



  • @Gloom:

    Not really. Unless you are sending lots of users out and back in, and then it's more a question of whether the hardware is up to it, as reflection does increase the load per connection slightly.

    Ah ok. And in that case, split-DNS would be the better choice?



  • IMO if you have the possibility to use split DNS, you should use it.
    It works even if your WAN is down.



  • @GruensFroeschli:

    IMO if you have the possibility to use split DNS, you should use it.
    It works even if your WAN is down.

    Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split DNS for? Should I specify the same host and domain name for multiple split-DNS entries?



  • Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs, and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the pfSense box.
    No need to alter the public DNS server if you are running one.

    Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).



  • @Gloom:

    Easiest way is to have an internal DNS server for the LAN that has your domain servers listed using their internal IPs, and add a rule to the firewall to allow it to query an upstream server for other domains. It can be on the pfSense box.
    No need to alter the public DNS server if you are running one.

    Obviously you also need a rule to allow LAN traffic into the DMZ (if that is where they are hosted, and best practice says that is where they should be).

    I actually use pfSense as my local DNS server for my LAN clients. Hmmm, not sure how to implement what you mentioned. Is it the same as split DNS?



  • @kevindd992002:

    @GruensFroeschli:

    IMO if you have the possibility to use split DNS, you should use it.
    It works even if your WAN is down.

    Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split DNS for? Should I specify the same host and domain name for multiple split-DNS entries?

    If you have different internal servers but only one external name: they can't all have the same name.
    If that is a requirement, then you will have to go the NAT reflection way.

    I myself would set it up like this:
    teamspeak.domain.com
    mail.domain.com
    gallery.domain.com
    etc.
    From external they resolve all to the same ip (your WAN).
    Internally they would all resolve to their respective server.

    The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
    Go to "Services: DNS forwarder".
    Add the domains you want to redirect locally to the "Host Overrides" list below.

    (Example from my home setup, as host / domain / IP:
    m          may.nu    10.0.8.210
    webserver  m.may.nu  10.0.8.210
               m.may.nu  10.0.8.220
    owncloud   m.may.nu  10.0.8.220
    files      m.may.nu  10.0.8.230)



  • @GruensFroeschli:

    @kevindd992002:

    @GruensFroeschli:

    IMO if you have the possibility to use split DNS, you should use it.
    It works even if your WAN is down.

    Hmm, ok. I kinda don't understand the one explained in the link. What if I have a single WAN and different internal IP addresses that I want to set up split DNS for? Should I specify the same host and domain name for multiple split-DNS entries?

    If you have different internal servers but only one external name: they can't all have the same name.
    If that is a requirement, then you will have to go the NAT reflection way.

    I myself would set it up like this:
    teamspeak.domain.com
    mail.domain.com
    gallery.domain.com
    etc.
    From external they resolve all to the same ip (your WAN).
    Internally they would all resolve to their respective server.

    The easiest way to achieve this: make sure all your clients use the pfSense as DNS server.
    Go to "Services: DNS forwarder".
    Add the domains you want to redirect locally to the "Host Overrides" list below.

    (Example from my home setup, as host / domain / IP:
    m          may.nu    10.0.8.210
    webserver  m.may.nu  10.0.8.210
               m.may.nu  10.0.8.220
    owncloud   m.may.nu  10.0.8.220
    files      m.may.nu  10.0.8.230)

    Ahh, makes sense. So I have to make multiple dynamic DNS entries for each internal server.

    I did try to use NAT reflection and it worked. What is its disadvantage compared to split DNS?



  • Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
    Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server, it's just a case of altering your IP from the WAN address to the internal addresses.

    I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

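The two mechanisms compared in this thread (the split-DNS host overrides in GruensFroeschli's post above, and Gloom's point that reflection sends every connection through the firewall twice while split DNS keeps it on the wire) can be modelled in a few lines. The following is an added example written for this page, not pfSense code or anything posted in the thread. Every address, hostname and port in it is constructed (RFC 5737 documentation ranges for the public side), the `"rdr_only"` mode stands for a redirect with no source NAT on the reply path, and `"rdr_snat"` roughly corresponds to pfSense reflection with automatic outbound NAT for reflection enabled; treat those mappings as the example's assumptions.

```python
"""Why a LAN client cannot reach a forwarded port via the WAN address without
NAT reflection, and why split DNS sidesteps the problem.  Added example for
this thread, not pfSense code; every address and name below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

LAN = ip_network("192.168.1.0/24")
WAN_IP = "203.0.113.10"          # constructed public address (RFC 5737)
FW_LAN_IP = "192.168.1.1"        # firewall's LAN interface address

# Port forwards as configured on the firewall: (WAN address, port) -> (server, port)
PORT_FORWARDS = {
    (WAN_IP, 8096): ("192.168.1.210", 8096),   # media server
    (WAN_IP, 25): ("192.168.1.220", 25),       # mail server
}
# Public zone: every name points at the single WAN address; the port picks the host.
PUBLIC_DNS = {"media.example.net": WAN_IP, "mail.example.net": WAN_IP}
# Split DNS (DNS forwarder host overrides): same names, internal addresses.
HOST_OVERRIDES = {"media.example.net": "192.168.1.210",
                  "mail.example.net": "192.168.1.220"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def resolve(name: str, client_ip: str, split_dns: bool) -> str:
    """LAN clients ask the firewall's resolver, so overrides only apply to them."""
    if split_dns and in_lan(client_ip) and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_DNS[name]


def hairpin(syn: Packet, mode: str) -> Tuple[bool, int]:
    """A LAN client's SYN to WAN_IP arrives on the LAN interface.

    mode: "off"      - no reflection at all
          "rdr_only" - redirect to the server, but no source NAT
          "rdr_snat" - redirect plus source NAT to the firewall's LAN address
    Returns (client receives a SYN-ACK from the address it connected to,
             number of times the connection traverses the firewall)."""
    server, sport = PORT_FORWARDS[(syn.dst, syn.dport)]
    if mode == "off":
        # The WAN port-forward rule is not applied on the LAN interface, so the
        # packet is addressed to the firewall's own WAN IP and terminates there.
        return False, 1
    if mode == "rdr_only":
        # Redirected to the server, but the source is still the client, which
        # sits on the server's own subnet: the SYN-ACK goes straight back with
        # src=server, bypassing the firewall. The client expected WAN_IP.
        synack = Packet(server, syn.src, sport)
        return synack.src == syn.dst, 1
    if mode == "rdr_snat":
        # Redirect plus source NAT: the server sees the firewall as the client,
        # so its reply returns through the firewall, which untranslates both
        # addresses before handing it to the client.
        server_sees = Packet(FW_LAN_IP, server, sport)
        reply_to_fw = Packet(server, server_sees.src, sport)
        reply_to_client = Packet(syn.dst, syn.src, sport)
        return reply_to_fw.dst == FW_LAN_IP and reply_to_client.src == syn.dst, 2
    raise ValueError("unknown reflection mode: %s" % mode)


def connect(client_ip: str, name: str, dport: int,
            split_dns: bool = False, reflection: str = "off") -> Tuple[bool, int]:
    """Outcome of client -> name:dport as (success, firewall traversals)."""
    dst = resolve(name, client_ip, split_dns)
    syn = Packet(client_ip, dst, dport)
    if in_lan(syn.src) and in_lan(syn.dst):
        return True, 0                       # same subnet: switched, never routed
    if (syn.dst, syn.dport) not in PORT_FORWARDS:
        return False, 1                      # no forward: dropped at the WAN
    if not in_lan(syn.src):
        return True, 1                       # ordinary inbound DNAT from the Internet
    return hairpin(syn, reflection)


if __name__ == "__main__":
    client = "192.168.1.50"
    for kwargs in ({}, {"reflection": "rdr_only"}, {"reflection": "rdr_snat"},
                   {"split_dns": True}):
        print(kwargs, connect(client, "media.example.net", 8096, **kwargs))
```

The four runs for the LAN client give `(False, 1)`, `(False, 1)`, `(True, 2)` and `(True, 0)`: only full reflection or split DNS works, and only split DNS keeps the traffic off the firewall, which is the load argument made above. External clients are unaffected by the overrides, since `resolve` only consults them for LAN sources.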


  • @Gloom:

    Split DNS gives you direct wire-speed access to your internal servers (I'm guessing your internal network is running a minimum of 100 Mb links but your WAN connection is 10 Mb). It makes troubleshooting connections much easier and causes less load on the firewall(s).
    Reflection is fine for home use or small offices but is not really a goer for anything over a dozen users. If you have an internal DNS server, it's just a case of altering your IP from the WAN address to the internal addresses.

    I've no idea how you've got your external DNS set up, but all you need to do is give all of them the external WAN IP, which is what I assume you have now, and let the different port-based NATs sort out which server gets it.

    Ah ok, I understand. This is only a small home setup, so I guess I'd be better off just enabling NAT reflection. Thanks!

