Internal LAN can't hit DMZ webserver using CARP/VIP

  • I have a webserver on my DMZ which I provide web access to the world and FTP access to the site owners. In order to accomplish this, I had to set up a Virtual IP using CARP, turn off the FTP Helper and use Port Forwarding (neither 1:1 NAT nor Proxy ARP worked for the FTP - hint for those looking into that). This all works fine.

    Everyone in the world can browse the site and FTP works fine for the client... except I cannot hit the website from my internal LAN. This appears to be a subnet issue. To be clear, I'm not talking about hitting the box from the LAN - I know how to create rules from LAN to DMZ. I'm talking about hitting the website which uses the CARP VIP addy.

    I have an external IP x.x.123.146/28 as the WAN interface.
    I had to configure IP x.x.123.153/28 as the CARP VIP.

    I am wondering if these subnets are causing the issue.

    Can someone help me out?  Thanks!

  • @slicknetaaron2:

    I'm not an expert, but I did set this up on my own network.

    Later on in the document that vichon linked to, it states:

    For NAT portforwardings: NAT is applied before the Firewall rules.

    NAT Reflection does not work with 1:1 NAT
    You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.

    If you have problems with FTP and NAT:,7096.0.html

    Since you are using 1:1 NAT, according to this, NAT reflection will not work by default.

    Does your webserver resolve on public DNS?  If so, here is what I did.  It seems pretty elegant to me.
    (I don't have my pfSense box in front of me, so I'm going by memory here..)

    If your webserver resolves to publicly…

    Use the DNS forwarder in pfSense.  Your hosts must use your pfSense IP as their DNS and/or make sure DHCP distributes your pfSense IP for DNS addy. 
    Add a rule that resolves to the LAN IP of the server. 
    That way the public will use public DNS and resolve to your public 1:1 NAT address, and when you are on the LAN, it will resolve to the local LAN IP.  Neat, huh?

    If you need to resolve the root domain [ instead of] I think you may have to do some more advanced stuff [like having your own internal DNS server?]. Not sure.

    For me, it was super easy to setup. Pretty self-explanatory.

    This technique is called "split DNS" and I would always prefer it over NAT reflection when possible. Resolving the is just as simple. Just add a second host entry for this in your DNS forwarder.
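A quick way to confirm that the split DNS described in the replies above is actually in effect, as an added example that is not part of the original thread or of pfSense. It assumes hypothetical values: the site is www.example.com, its LAN address is 192.168.1.10, its public CARP VIP is 203.0.113.153, the pfSense LAN address (and the resolver the LAN clients use) is 192.168.1.1, and 9.9.9.9 stands in for any public resolver. The pfSense DNS forwarder is dnsmasq, so the equivalent host override, shown in a comment, is a single host-record line; the script queries the internal and a public resolver with dig and reports whether LAN clients are still being handed the public VIP (which is the case in the original question).

```shell
#!/bin/sh
# Split-DNS sanity check. Added example; not from the thread or from pfSense.
# Assumed (hypothetical) values:
#   www.example.com  - the website behind the CARP VIP
#   192.168.1.10     - the webserver's LAN/DMZ address
#   203.0.113.153    - the public CARP VIP (RFC 5737 documentation range)
#   192.168.1.1      - pfSense LAN address, used as the internal resolver
#   9.9.9.9          - stands in for any public resolver
#
# The pfSense DNS Forwarder is dnsmasq; the host override the replies talk
# about (Services > DNS Forwarder > Host Overrides) is, in dnsmasq syntax:
#   host-record=www.example.com,192.168.1.10
# A second host-record line for the bare domain covers the root-domain case.

NAME="www.example.com"
LAN_IP="192.168.1.10"
PUBLIC_IP="203.0.113.153"
PFSENSE_DNS="192.168.1.1"
PUBLIC_DNS="9.9.9.9"

# Pure comparison so it can be tested offline: takes the A record returned by
# the internal resolver and the one returned by a public resolver.
# Exit status: 0 = split DNS working, 1 = no internal answer,
# 2 = LAN clients still get the VIP, 3 = unexpected internal answer,
# 4 = public DNS does not return the VIP. Diagnosis goes to stderr.
split_dns_verdict() {
    internal="$1"
    external="$2"
    if [ -z "$internal" ]; then
        echo "FAIL: internal resolver returned nothing for $NAME (host override missing?)" >&2
        return 1
    fi
    if [ "$internal" = "$PUBLIC_IP" ]; then
        echo "FAIL: LAN clients resolve $NAME to the public VIP $PUBLIC_IP;" \
             "traffic goes out to WAN and would need NAT reflection" >&2
        return 2
    fi
    if [ "$internal" != "$LAN_IP" ]; then
        echo "FAIL: internal answer $internal is neither the LAN IP nor the VIP" >&2
        return 3
    fi
    if [ "$external" != "$PUBLIC_IP" ]; then
        echo "WARN: public DNS returns '$external', expected the VIP $PUBLIC_IP;" \
             "outside users may not reach the site" >&2
        return 4
    fi
    echo "OK: inside -> $internal, outside -> $external" >&2
    return 0
}

# Live check: ask both resolvers and hand the first A record of each to the
# verdict function. Needs dig (bind-tools / dnsutils) and network access.
check_live() {
    int_ans=$(dig +short "$NAME" A @"$PFSENSE_DNS" | head -n 1)
    ext_ans=$(dig +short "$NAME" A @"$PUBLIC_DNS" | head -n 1)
    split_dns_verdict "$int_ans" "$ext_ans"
}

# Only hit the network when explicitly asked, so the file can also be sourced:
#   SPLIT_DNS_LIVE=1 sh split_dns_check.sh
if [ "${SPLIT_DNS_LIVE:-0}" = "1" ]; then
    check_live
fi
```

Run it from a LAN host with SPLIT_DNS_LIVE=1; exit status 2 is exactly the symptom in the opening post (LAN clients getting the public VIP and the request going out through WAN), and 0 means the host override is in place and outside users still get the VIP.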
