How can I use public IP's on the LAN?
-
I personally don't like the idea of Reflection, or in the Cisco PIX world, what they call DNS rewrites.
I've solved this problem many times with just an internal DNS server that is authoritative for the domain in question.
This is easy, especially since every LAN I work on I make sure there is a private DNS server that just goes to root hints if it doesn't already know what a workstation is querying for.
One DNS server for the public network queries, one DNS server for the private network queries.
If you just have a single server, then I agree.
But I think it just depends on what you are trying to accomplish.
If you have multiple servers which are all on the same domain name but have a different IP in your private subnet, you will have a problem doing that without NAT reflection.
Of course you could always create new "pseudo-domain-names" just for internal use, like mailserver.mydomain.com or webserver.mydomain.com, and forward them to the corresponding server.
-
This is a great idea too because in the real world, each server has a unique primary function.
Nice idea.
-
Tried all that and unfortunately it is not working for me. I have been using Pfsense for about 2 years now and have had very mixed results with getting NAT reflection to work (or at least whatever workaround was popular at the time). I have Disable NAT reflection unchecked, and I tried the method you listed of adding the domain to the DNS Forwarder. Any help or tips would be greatly appreciated. Network looks like this:
Pfsense –> Apache server:80 (accessible from outside LAN but not from the inside)
--> other machines
<pfsense><version>3.0</version> <lastchange><theme>pfsense</theme>
<system><optimization>normal</optimization> <hostname>zenserver</hostname> <domain>zenstudios.blogdns.org</domain> <username>admin</username> <password></password> <timezone>America/Chicago</timezone> <time-update-interval><timeservers>pool.ntp.org</timeservers>
<webgui><protocol>https</protocol> <certificate><private-key></private-key></certificate></webgui>
<ssh><authorizedkeys></authorizedkeys></ssh> <maximumstates><shapertype><dnsallowoverride></dnsallowoverride></shapertype></maximumstates></time-update-interval></system>
<interfaces>
<lan><if>xl0</if> <ipaddr>192.168.1.1</ipaddr> <subnet>24</subnet> <media><mediaopt><bandwidth>100</bandwidth> <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
<wan><if>rl0</if> <mtu><media><mediaopt><bandwidth>100</bandwidth> <bandwidthtype>Mb</bandwidthtype> <spoofmac><disableftpproxy><ipaddr>dhcp</ipaddr> <dhcphostname></dhcphostname></disableftpproxy></spoofmac></mediaopt></media></mtu></wan>
<opt1><descr>ZenWireless</descr> <if>ath0</if>
<wireless><standard>11g</standard> <mode>hostap</mode> <protmode>off</protmode> <ssid>Colosodian</ssid> <channel>0</channel> <authmode><txpower>99</txpower> <distance>
<wpa><macaddr_acl><auth_algs>1</auth_algs> <wpa_mode>1</wpa_mode> <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt> <wpa_pairwise>CCMP TKIP</wpa_pairwise> <wpa_group_rekey>60</wpa_group_rekey> <wpa_gmk_rekey>3600</wpa_gmk_rekey> <passphrase><ext_wpa_sw></ext_wpa_sw></passphrase></macaddr_acl></wpa>
<wep><enable>
<key><value></value></key></enable></wep></distance></authmode></wireless> <bridge>lan</bridge> <ipaddr><subnet>32</subnet> <gateway><spoofmac><mtu><enable></enable></mtu></spoofmac></gateway></ipaddr></opt1></interfaces> <staticroutes>
<pppoe><username><password></password></username></pppoe>
<pptp><username><password><local></local></password></username></pptp> <bigpond>
<dyndns><type>dyndns</type>
<username><password></password></username></dyndns>
<dhcpd>
<lan><enable>
<range><from>192.168.1.100</from> <to>192.168.1.110</to></range>
<staticmap><mac>00:04:4b:06:f6:4c</mac> <ipaddr>192.168.1.3</ipaddr> <hostname><descr>Tons0fun</descr></hostname></staticmap>
<staticmap><mac>00:15:f2:15:f9:d4</mac> <ipaddr>192.168.1.4</ipaddr> <hostname><descr>Ryo</descr></hostname></staticmap>
<staticmap><mac>00:1b:63:c5:9d:a4</mac> <ipaddr>192.168.1.5</ipaddr> <hostname><descr>Stall</descr></hostname></staticmap>
<staticmap><mac>00:11:5b:ac:5a:24</mac> <ipaddr>192.168.1.6</ipaddr> <hostname><descr>Demon</descr></hostname></staticmap>
<staticmap><mac>00:13:8f:49:9d:a8</mac> <ipaddr>192.168.1.7</ipaddr> <hostname><descr>Zen Server</descr></hostname></staticmap> <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><ddnsdomain><next-server><filename></filename></next-server></ddnsdomain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></enable></lan></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd> <ovpn>
<dnsmasq><enable>
<hosts><host>zenstudios.blogdns.org</host> <domain>zenstudios.blogdns.org</domain> <ip>192.168.1.3</ip> <descr>Zen Server Website</descr></hosts></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat></ipv6nat></diag> <bridge><syslog>
<nat>
<ipsecpassthru><enable></enable></ipsecpassthru>
<rule><protocol>tcp/udp</protocol> <external-port>50511</external-port> <target>192.168.1.3</target> <local-port>50511</local-port> <interface>wan</interface> <descr>Tons0fun's Bittorrent</descr></rule>
<rule><protocol>tcp/udp</protocol> <external-port>80</external-port> <target>192.168.1.3</target> <local-port>80</local-port> <interface>wan</interface> <descr>Apache Zen Server</descr></rule> <advancedoutbound></advancedoutbound></nat>
<filter>
<rule><interface>wan</interface> <protocol>tcp/udp</protocol>
<source> <any>
<destination><address>192.168.1.3</address> <port>50511</port></destination> <descr>NAT Tons0fun's Bittorrent</descr></any></rule>
<rule><type>pass</type> <interface>opt1</interface> <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>tcp/udp</protocol>
<source> <any>
<destination><any></any></destination> <descr>Allow Wireless Connections</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type> <descr>Default LAN -> any</descr> <interface>lan</interface>
<source> <network>lan</network>
<destination><any></any></destination></rule>
<rule><interface>wan</interface> <protocol>tcp/udp</protocol>
<source> <any>
<destination><address>192.168.1.3</address> <port>80</port></destination> <descr>NAT Apache Zen Server</descr></any></rule></filter> <shaper>
<ipsec><preferredoldsa></preferredoldsa></ipsec> <aliases><proxyarp>
<cron>
<minute>0</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 newsyslog
<minute>1,31</minute> <hour>0-5</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 adjkerntz -a
<minute>1</minute> <hour>3</hour> <mday>1</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
<minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
<minute>1</minute> <hour>1</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
<minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
<minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
<minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/local/bin/checkreload.sh
<minute>*/5</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/etc/ping_hosts.sh
<minute>*/140</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command></command>/usr/local/sbin/reset_slbd.sh</cron> <wol>
<installedpackages><menu> <service>
<package><name>Dyntables</name> <descr>Dynamically reloads table data using Ajax instead of wrong meta refresh tag..</descr> <category>System</category> <config_file>http://www.pfsense.com/packages/config/dyntables/pkg/dyntables.xml</config_file> <version>1.0</version> <status>ALPHA</status> <maintainer>me@daniel.stefan.haischt.name</maintainer> <required_version>1.2</required_version> <configurationfile>dyntables.xml</configurationfile> <depends_on_package_base_url>http://www.pfsense.com/packages/All</depends_on_package_base_url> <depends_on_package>scriptaculous-js-1.7.1_1.tbz</depends_on_package> <depends_on_package>windows_js-1.3_1.tbz</depends_on_package></package>
<revision><description>/services_dnsmasq.php made unknown change</description> <time>1209521711</time></revision>
<rrd><enable></enable></rrd></service> </menu></installedpackages></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></bigpond></staticroutes></lastchange></pfsense>
-
You tried it wrong
Did you read this thread: http://forum.pfsense.org/index.php/topic,8700.msg48871.html#msg48871 ?
You have an entry to redirect http://zenstudios.blogdns.org.zenstudios.blogdns.org right now.
You need something more along the lines of this:
<hosts><host></host>
<domain>psymia.mine.nu</domain>
<ip>10.0.0.10</ip></hosts>
<hosts><host>www</host>
<domain>psymia.mine.nu</domain>
<ip>10.0.0.10</ip></hosts>
<hosts><host></host><domain>psymia.mine.nu</domain>
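The reply above comes down to how the DNS Forwarder joins the `<host>` and `<domain>` fields of each override into one name, and the first post's point is that every such override must hand LAN clients the private address. The Python script below is an added example, not code from this thread or from pfSense: it parses the `<dnsmasq><hosts>` entries out of a constructed config fragment (the original poster's entry plus the two corrected ones from the reply), builds the name each entry answers for, flags the host-equals-domain mistake, conflicting or non-private addresses, and emits the equivalent dnsmasq `host-record=` directives. The fragment, the checks and the `host-record=` output are my assumptions; pfSense's own generated dnsmasq configuration may look different.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's full config): three DNS Forwarder host
# overrides in pfSense's <dnsmasq><hosts> shape. The first reproduces the
# mistake called out in the reply (host equal to domain); the other two are
# the corrected form, with an empty <host> for the bare domain.
SAMPLE_CONFIG = """<pfsense>
  <dnsmasq>
    <enable/>
    <hosts>
      <host>zenstudios.blogdns.org</host>
      <domain>zenstudios.blogdns.org</domain>
      <ip>192.168.1.3</ip>
      <descr>Zen Server Website</descr>
    </hosts>
    <hosts>
      <host></host>
      <domain>psymia.mine.nu</domain>
      <ip>10.0.0.10</ip>
    </hosts>
    <hosts>
      <host>www</host>
      <domain>psymia.mine.nu</domain>
      <ip>10.0.0.10</ip>
    </hosts>
  </dnsmasq>
</pfsense>"""


def fqdn(host, domain):
    """Compose the name an override answers for: host + "." + domain, or just domain."""
    host = (host or "").strip().strip(".").lower()
    domain = (domain or "").strip().strip(".").lower()
    return f"{host}.{domain}" if host else domain


def parse_host_overrides(xml_text):
    """Return one dict per <hosts> entry with host, domain, ip and the resulting fqdn."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.findall("./dnsmasq/hosts"):
        host = node.findtext("host", default="")
        domain = node.findtext("domain", default="")
        ip = node.findtext("ip", default="")
        entries.append({"host": host, "domain": domain, "ip": ip,
                        "fqdn": fqdn(host, domain)})
    return entries


def lint_overrides(entries):
    """Flag entries that will not do what a split-DNS override is meant to do."""
    findings = []
    seen = {}
    for e in entries:
        name = e["fqdn"]
        # The bug from the thread: putting the domain in <host> doubles the name.
        if e["host"].strip() and e["host"].strip().lower() == e["domain"].strip().lower():
            findings.append(f"{name}: <host> repeats the domain; leave <host> empty for the bare domain")
        try:
            addr = ipaddress.ip_address(e["ip"])
        except ValueError:
            findings.append(f"{name}: {e['ip']!r} is not a valid IP address")
            continue
        # An override exists to hand LAN clients the private address; a public
        # address here sends them back out through the WAN, which the internal
        # DNS approach from the first post is meant to avoid.
        if not addr.is_private:
            findings.append(f"{name}: {e['ip']} is not a private address")
        if name in seen and seen[name] != e["ip"]:
            findings.append(f"{name}: conflicting overrides {seen[name]} and {e['ip']}")
        seen.setdefault(name, e["ip"])
    return findings


def to_dnsmasq_lines(entries):
    """Equivalent dnsmasq host-record= directives (assumed form, not pfSense's generated file)."""
    return [f"host-record={e['fqdn']},{e['ip']}" for e in entries]


if __name__ == "__main__":
    overrides = parse_host_overrides(SAMPLE_CONFIG)
    for line in to_dnsmasq_lines(overrides):
        print(line)
    for finding in lint_overrides(overrides):
        print("WARNING:", finding)
```

Run against the sample, the first entry produces `zenstudios.blogdns.org.zenstudios.blogdns.org`, the doubled name the reply points out, and a warning; the two corrected entries produce `psymia.mine.nu` and `www.psymia.mine.nu` with no warnings. The same parser can be pointed at a real backup by reading the file instead of `SAMPLE_CONFIG`.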