How can I use public IP's on the LAN?



  • Hi all,

    I have the following question: How can I use public IP's on the LAN?
    I did read the FAQ on this item but I can't get it to work.

    The FAQ states: "you need to disable NAT to use a public IP subnet on the LAN. Just enable Advanced Outbound NAT, and remove the automatically generated NAT rule to accomplish this." Nice, but what do I have to change in the web interface to get it working…

    I tried changing pfSense behavior in the following places (with no success):
    1. System \ Advanced: Network Address Translation: "Disable NAT Reflection" - "Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports."
    2. Firewall \ NAT \ Outbound: Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    Let's say my client machine on the LAN wants to access my webserver, which is also on the LAN (for now), via the WAN address.
    My WAN address is xyz.dyndns.org and the webserver is NATed to an IP on the LAN (from the outside it is accessible).
    What step do I have to take so that the client machine can reach the webserver via http://xyz.dyndns.org?

    I hope someone can tell me the steps to get this working correctly.

    Regards,
    Joost.



  • Search for reflection.



  • @sullrich:

    Search for reflection.

    Joining the thread.

    I've searched this, but found no working solution.
    My external IP-range is 82...0 /26
    Servers have local IPs and I'm using 1:1 NAT mapping.
    How can I kind of loop back via rules?

    // Assar

    Update:
    Found a way to override DNS.
    Add servers in "Services/DNS forward".
    This seems to work.

    Could be nice to be able to add a checkbox on 1:1 mapping if the address should be mapped or not.



  • @http://forum.pfsense.org/index.php/topic:

    NAT-Reflection does not work with 1:1 NAT
    @http://forum.pfsense.org/index.php?topic=7266.msg41244:

    You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.



  • Thanks!
    My workaround seems to work well as long as everybody uses hosts listed in "Services: DNS forwarder".
    I have to instruct developers not to use external IP addresses.
    This way external IPs are avoided on the LAN.

    // Assar



  • Solution for NAT via Port Forwarding:

    System : Advanced : Network Address Translation
    => Uncheck the box in front of "Disables the automatic creation of NAT redirect rules for
      access to your public IP addresses from within your internal networks. Note: Reflection
      only works on port forward type items and does not work for large ranges > 500 ports."

    Regards,
    Joost.



  • @sullrich:

    Search for reflection.

    Is NAT reflection check box an old feature?



  • It has been around quite some time already and if you search the forum you'll find quite old threads about it too.



  • @hoba:

    It has been around quite some time already and if you search the forum you'll find quite old threads about it too.

    I cannot find the check box named reflection. Maybe I am just going blind. Please help with the menu name in the pfSense 1.2 final release. Thanks.



  • sticky:
    @http://forum.pfsense.org/index.php/topic:

    System:
    Advanced:
    If you want to be able to use NAT-mappings from within your own LAN, disable the checkbox "Disable NAT Reflection"



  • @GruensFroeschli:

    sticky:
    @http://forum.pfsense.org/index.php/topic:

    System:
    Advanced:
    If you want to be able to use NAT-mappings from within your own LAN, disable the checkbox "Disable NAT Reflection"

    Thanks a ton. I have a public IP mapped to an internal LAN IP host/server on port 80. When my LAN machine tries to reach this server through the public IP it does not work. It works if I use the private IP or when I am trying to reach the server from outside the firewall.

    If I disable the automatic creation of NAT redirect rules for access to your public IP addresses from within my internal networks, this behavior would disappear?

    Am I on the right track here?



  • I'm not really sure what you mean.
    To access your server via the public IP just uncheck, as several users already suggested, the "Disable NAT Reflection" checkbox.

    Why would you want to disable the autocreation of NAT rules?



  • @GruensFroeschli:

    I'm not really sure what you mean.
    To access your server via the public IP just uncheck, as several users already suggested, the "Disable NAT Reflection" checkbox.

    Why would you want to disable the autocreation of NAT rules?

    I am not sure I did… I think disable checkbox "on" is the default pfsense from installation..



  • yes.
    Per default the checkbox is "on".    (meaning no reflection rules will be installed)
    But you have to turn the box "off". (meaning the reflections will be installed)



  • @GruensFroeschli:

    yes.
    Per default the checkbox is "on".    (meaning no reflection rules will be installed)
    But you have to turn the box "off". (meaning the reflections will be installed)

    Thanks - you are a hero!



  • I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.

    I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
    This is easy, especially since every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
    One DNS server for the public network queries, one DNS server for the private network queries.

    Scenario:
    Web server's private IP = 10.10.240.1
    Web server's public IP NAT'd 1-to-1 thru a firewall = 64.216.232.11
    All hosts on the private 10.10.x.x/16 network have 10.10.240.100 as their primary DNS server in their TCP/IP configuration.
    When a host queries for a name resolution, the server either knows it right off the bat because it's cached or because it's authoritative, or it goes directly to Root Hints and finds out.

    Web server's Internet-valid FQDN:  www.mydomain.com

    Desired end result:
    People out on the internet get to web server via http://www.mydomain.com
    People on the private ten-dot LAN want to get the web server with exactly the same name, http://www.mydomain.com

    Tasks:
    1. Create a static zone on the internal DNS server 10.10.240.100 for mydomain.com
    2. Create an A record for www in the mydomain.com zone that resolves to 10.10.240.1
    3. Test your work.
    4. Have a beer, scotch, milk, or whatever it is you enjoy.  ;)



  • @Kris.J:

    I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.

    I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
    This is easy, especially since every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
    One DNS server for the public network queries, one DNS server for the private network queries.

    Scenario:
    Web server's private IP = 10.10.240.1
    Web server's public IP NAT'd 1-to-1 thru a firewall = 64.216.232.11
    All hosts on the private 10.10.x.x/16 network have 10.10.240.100 as their primary DNS server in their TCP/IP configuration.
    When a host queries for a name resolution, the server either knows it right off the bat because it's cached or because it's authoritative, or it goes directly to Root Hints and finds out.

    Web server's Internet-valid FQDN:  www.mydomain.com

    Desired end result:
    People out on the internet get to web server via http://www.mydomain.com
    People on the private ten-dot LAN want to get the web server with exactly the same name, http://www.mydomain.com

    Tasks:
    1. Create a static zone on the internal DNS server 10.10.240.100 for mydomain.com
    2. Create an A record for www in the mydomain.com zone that resolves to 10.10.240.1
    3. Test your work.
    4. Have a beer, scotch, milk, or whatever it is you enjoy.  ;)

    Ah - The joys of Scotch. It's the next best thing since the earlier peg of scotch!!

    I hope you don't mind my writing off the forum because my notes might just be too flooding for people who are guru there.

    1. Pfsense comes with a dns package. Would you think that it will suffice?

    2. My domain is hosted with 1and1 and I am using http redirect to a specific IP, and in such cases, would you say that this solution still holds?

    3. I also have problems when people are trying to reach public IP for example 138.99.151.72:8085. I think there is some disclaimer about ports greater than 500 not working with reflection unless some more recipe is applied..

    Any help will be appreciated.



  • @garg_art2002:

    1. Pfsense comes with a dns package. Would you think that it will suffice?

    2. My domain is hosted with 1and1 and I am using http redirect to a specific IP, and in such cases, would you say that this solution still holds?

    3. I also have problems when people are trying to reach public IP for example 138.99.151.72:8085. I think there is some disclaimer about ports greater than 500 not working with reflection unless some more recipe is applied..

    You can use the DNS forwarder of pfSense. Just make your local DNS server forward everything it doesn't find to pfSense and enter that override there.

    Reflection does work for ports higher than 500, just not for port ranges (!) greater than 500 ports.



    1.  I just took a look at Services:DNS Forwarder in my pfSense box.  It looks like you might be able to create some records there to intercept LAN name queries.
    a.  a host on the LAN queries for www.mydomain.com
    b.  the DNS server for www.mydomain.com is an internet domain server, say out on 1&1
    c.  pfSense intercepts that query, because DNS Forwarder is turned on and IT is the primary DNS server as far as your LAN host is concerned
    d.  pfSense says "aha!  I have an entry for www.mydomain.com that points back to this IP (on the LAN)" and gives it to your workstation host.

    In this scenario, public hosts still get the public IP from 1&1, but private hosts - who ask the pfSense box for IPs when doing a DNS query - get whatever records you define there on the DNS Forwarder page.

    2.  I'm not sure what you mean by the http redirect, etc. - but yes, I think it should still hold.

    3.  Create a name for that IP!  138.99.151.72
    a.  Create a name at 1&1 that services the public network.  eightyeightyfive.yourdomain.com for example, that resolves to 138.99.151.72
    b.  Create a record on pfSense's DNS Forwarder page that will intercept LAN host queries for eightyeightyfive.yourdomain.com - it will NOT give them 138.99.151.72, it will give them whatever the private IP is for that server.



  • @Kris.J:

    1.  I just took a look at Services:DNS Forwarder in my pfSense box.  It looks like you might be able to create some records there to intercept LAN name queries.
    a.  a host on the LAN queries for www.mydomain.com
    b.  the DNS server for www.mydomain.com is an internet domain server, say out on 1&1
    c.  pfSense intercepts that query, because DNS Forwarder is turned on and IT is the primary DNS server as far as your LAN host is concerned
    d.  pfSense says "aha!  I have an entry for www.mydomain.com that points back to this IP (on the LAN)" and gives it to your workstation host.

    In this scenario, public hosts still get the public IP from 1&1, but private hosts - who ask the pfSense box for IPs when doing a DNS query - get whatever records you define there on the DNS Forwarder page.

    2.  I'm not sure what you mean by the http redirect, etc. - but yes, I think it should still hold.

    3.  Create a name for that IP!  138.99.151.72
    a.  Create a name at 1&1 that services the public network.  eightyeightyfive.yourdomain.com for example, that resolves to 138.99.151.72
    b.  Create a record on pfSense's DNS Forwarder page that will intercept LAN host queries for eightyeightyfive.yourdomain.com - it will NOT give them 138.99.151.72, it will give them whatever the private IP is for that server.

    Wow - Kris, this is magic and you are such a good explainer.  I am sure you teach well to anyone who comes for your help in your area.

    Many thanks again.  I feel the above explanation could be somewhere in howto..
    My best regards
    Anil Garg



  • I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.

    I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
    This is easy, especially since every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
    One DNS server for the public network queries, one DNS server for the private network queries.

    If you just have a single server, then I agree.
    But I think it just depends on what you are trying to accomplish.
    If you have multiple servers which all are on the same domain name but have a different IP in your private subnet, you will have a problem doing that without NAT-reflection.

    Of course you could always create new "pseudo-domain-names" just for internal use like mailserver.mydomain.com or webserver.mydomain.com and forward them to the corresponding server.



  • @GruensFroeschli:

    I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.

    I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
    This is easy, especially since every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
    One DNS server for the public network queries, one DNS server for the private network queries.

    If you just have a single server, then I agree.
    But I think it just depends on what you are trying to accomplish.
    If you have multiple servers which all are on the same domain name but have a different IP in your private subnet, you will have a problem doing that without NAT-reflection.

    Of course you could always create new "pseudo-domain-names" just for internal use like mailserver.mydomain.com or webserver.mydomain.com and forward them to the corresponding server.

    This is a great idea too because in the real world, each server has a unique primary function.
    Nice idea.



    Tried all that and unfortunately it is not working for me. I have been using pfSense for about 2 years now and have had very mixed results with getting NAT reflection to work (or at least whatever workaround was popular at the time). I have "Disable NAT reflection" unchecked, and I tried the method you listed of adding the domain to the DNS Forwarder. Any help or tips would be greatly appreciated. The network looks like this:

    Pfsense –> Apache server:80 (accessible from outside LAN but not from the inside)
              --> other machines



  • You tried it wrong

    Did you read this thread: http://forum.pfsense.org/index.php/topic,8700.msg48871.html#msg48871 ?

    You have an entry to redirect http://zenstudios.blogdns.org.zenstudios.blogdns.org right now.

    You need something more along the lines of this:

    <hosts><host></host>
        <domain>psymia.mine.nu</domain>
        <ip>10.0.0.10</ip></hosts>
    <hosts><host>www</host>
        <domain>psymia.mine.nu</domain>
        <ip>10.0.0.10</ip></hosts>
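The mistake spotted in the reply above (the full name placed in <host>, so dnsmasq answers for host.domain, a doubled name nobody queries) is easy to catch mechanically. The following is an added example, not code from the thread or from pfSense: it reads the <dnsmasq><hosts> overrides and WAN <nat><rule> port forwards from a config.xml-style document, flags doubled-domain entries, and lists forwarded targets that no usable split-DNS override points at. The sample config is constructed here, following the layout shown in this thread.

```python
"""Added example (not pfSense code): audit DNS Forwarder overrides in a
pfSense config.xml-style document against its WAN port forwards."""
import xml.etree.ElementTree as ET

# Constructed sample; <hosts> and <nat> layout follows the config and the
# corrected entries shown in this thread. The first override repeats the
# domain inside <host>, the mistake pointed out in the last reply.
SAMPLE_CONFIG = """<pfsense>
  <dnsmasq><enable/>
    <hosts><host>zenstudios.blogdns.org</host>
      <domain>zenstudios.blogdns.org</domain><ip>192.168.1.3</ip></hosts>
    <hosts><host>www</host><domain>psymia.mine.nu</domain>
      <ip>10.0.0.10</ip></hosts>
  </dnsmasq>
  <nat>
    <rule><protocol>tcp/udp</protocol><external-port>80</external-port>
      <target>192.168.1.3</target><local-port>80</local-port>
      <interface>wan</interface><descr>Apache Zen Server</descr></rule>
    <rule><protocol>tcp/udp</protocol><external-port>443</external-port>
      <target>10.0.0.10</target><local-port>443</local-port>
      <interface>wan</interface><descr>psymia web</descr></rule>
  </nat>
</pfsense>"""


def _text(elem, tag):
    """Text of a direct child, or '' when the child is absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def override_fqdn(hosts_elem):
    """Name dnsmasq will answer for one <hosts> override: host.domain,
    or the bare domain when <host> is empty."""
    host, domain = _text(hosts_elem, "host"), _text(hosts_elem, "domain")
    return f"{host}.{domain}" if host else domain


def dns_overrides(config_xml):
    """Map every overridden FQDN to the LAN IP the forwarder hands out."""
    root = ET.fromstring(config_xml)
    return {override_fqdn(h): _text(h, "ip") for h in root.iter("hosts")}


def doubled_domain_entries(config_xml):
    """FQDNs whose <host> already ends with <domain>; these answer for a
    name nobody asks for, so LAN clients still resolve the public IP."""
    root = ET.fromstring(config_xml)
    return [override_fqdn(h) for h in root.iter("hosts")
            if _text(h, "domain") and _text(h, "host").endswith(_text(h, "domain"))]


def forwards_without_override(config_xml):
    """(target, external-port) of WAN port forwards that no usable override
    points at. A LAN client using the public name for these will hit the
    WAN address, which only works with NAT reflection enabled."""
    root = ET.fromstring(config_xml)
    bad = set(doubled_domain_entries(config_xml))
    covered = {ip for name, ip in dns_overrides(config_xml).items() if name not in bad}
    missing = []
    for rule in root.iter("rule"):
        # filter rules share the tag name; only NAT rules carry external-port
        if rule.find("external-port") is None:
            continue
        target = _text(rule, "target")
        if target not in covered:
            missing.append((target, _text(rule, "external-port")))
    return missing


if __name__ == "__main__":
    print("overrides:", dns_overrides(SAMPLE_CONFIG))
    print("doubled:", doubled_domain_entries(SAMPLE_CONFIG))
    print("forwards lacking split DNS:", forwards_without_override(SAMPLE_CONFIG))
```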

Locked