Port forward is perfect but NAT Redirection/Reflection Doesn't work
-
Hi Everyone,
I am currently setup pfSense as a transparent proxy at my work place.
My Current Layout is as follows:
Setting in my pfSense Firewall:
So far everything is working perfectly, clients are able to access services from outside without an issue.
But as the subject of the post suggests, I am unable to access the server inside LAN by typing the External IP (e.g. 123.33.22.11). I have googled and tried NAT Reflection but that doesn't work. Of course I can access the server by typing in the LAN IP (192.168.1.2). I need this to work due to some support issues.
Kindly Advise.
Regards / Rahuman.
-
We also have a similar scenario, NAT reflection or loopback seems to work for general ports (like TCP 80). But not working for forwarded ports. Help!
-
To get around this problem, I run split DNS. Internal DNS resolves those servers to their LAN IP address.
-
My LAN clients are using a software, and that software cannot use names. It can only use IP addresses. So, split DNS is not a solution for us.
-
The dest. addr. should not be set to the wan address, as the wan address on the pfsense router is the 192 address on the lan side of the isp router. So Nat reflection is not happening on the pfsense router, but on the isp router. I can tell you that if it is similar to the comcast routers, nat reflection will never work on the comcast routers. One solution would be to bridge the isp router (if it is a comcast smc, you can call and they can bridge it for you). I'm not sure of the procedure for other ISPs, but I'm sure they should be able to bridge it for you. That way, the external IP will be passed to the WAN interface of the pfsense box. Then your configuration as stated in the picture would work.
-
Sure looks like a double nat issue to me as well, pfsense has a 192.168.2 address on its wan? You don't specifically show that.
As tjsummers points out, your best option is to remove the double nat, i.e. bridge your isp device so that pfsense has public on its wan. Or stop using lame ass software that does not support dns ;)
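A small model of the double-NAT point made by tjsummers and the reply above, as an added Python example (not code from the thread or from pfSense). The public IP 123.33.22.11 and the LAN server 192.168.1.2 come from the original post; the pfSense WAN address 192.168.2.5 and the port 8080 are constructed stand-ins, since the thread only says the WAN sits on a 192.168.2 network.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges plus the CGNAT range: a WAN address in any of these means
# pfSense is itself behind another NAT device (the ISP router).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


@dataclass
class PortForward:
    """Constructed port-forward rule, shaped like the pfSense NAT entry in the post."""
    interface: str    # "WAN"
    dst_address: str  # "WAN address" (pfSense's own WAN IP) or a literal IP
    port: int
    target: str       # LAN server that receives the forwarded traffic


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def diagnose(pfsense_wan_ip: str, public_ip: str) -> str:
    """Classify the layout from the address pfSense actually holds on WAN."""
    if pfsense_wan_ip != public_ip and is_private(pfsense_wan_ip):
        return "double-nat"   # the public IP lives on the ISP router, not pfSense
    return "single-nat"


def reflect_path(client_dst: str, pfsense_wan_ip: str, public_ip: str,
                 rule: PortForward, reflection_enabled: bool) -> str:
    """Which device sees a LAN client's connection to client_dst for this rule."""
    rule_dst = pfsense_wan_ip if rule.dst_address == "WAN address" else rule.dst_address
    if client_dst == rule_dst:
        # Packet is addressed to the IP the rule matches on, so pfSense can
        # reflect it back to rule.target, provided reflection is turned on.
        return "pfsense-reflect" if reflection_enabled else "pfsense-no-reflection"
    if client_dst == public_ip and pfsense_wan_ip != public_ip:
        # Double NAT: pfSense just routes the packet upstream; only the ISP
        # router could reflect it, which is exactly what the thread reports.
        return "isp-router"
    return "routed-upstream"
```

Bridging the ISP device is modelled by passing the public IP as the pfSense WAN address, at which point the same rule reflects on pfSense.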