NAT / Port forwarding working for Internet -> mynet but not mynet -> mynet



  • I have a subnet of private IP addresses routed to me by my ISP (/29). I use a number of these for hosted services and a 1 for outgoing NAT for the desktops / devices on my network. These are created as Virtual IP addresses on the WAN interface.

    In my example, 80.1.1.1 is the outgoing IP for all non-public hosts on my network (e.g. 192.168.10.20 and 192.168.10.21).

    80.1.1.2 is used for a web server and port 80 is forwarded to 192.168.10.6:80. There is an outgoing rule that NATs 192.168.10.6 to 80.1.1.2.

    Access from outside the network to the web server on 80.1.1.2 (192.168.10.6) works fine. So for example a machine on the internet can open 80.1.1.2 in a browser and this works. If I connect to a machine on the internet from the 192.168.10.6 host, then that connection appears to come from 81.1.1.2 as expected.

    Connections to machines on the internet from 192.168.10.20 and 192.168.10.21 appear to come from 81.1.1.1 - again, as expected.

    The issue is that machines on the internal network (192.168.10.0/24) cannot connect to the webserver address.

    For example:

    --2014-10-09 20:31:38--  http://mysite.mydomain.com
    Resolving mysite.mydomain.com... 80.1.1.2
    Connecting to mysite.mydomain.com|80.1.1.2|:80... failed: Network is unreachable.
    
    

    Doing a tcpdump on 192.168.10.6 and looking for traffic to port 80 shows no connection attempt from 192.168.10.20 but does show the connections from machines outside the network.

    I'm not using 1:1 NAT - I'm forwarding specific ports to the target host and have a reciprocal outgoing entry for all traffic from that host. I also have the associated firewall rule to pass traffic to 192.168.10.6. The outbound NAT rule for 192.168.10.6 is the first rule in the list of NAT entries with the generic network one below that.

    Any ideas what I'm missing here and what it would take to make this work ?

    Thanks in advance,



  • If you want to access a LAN host with its external NAT address from another LAN host you have to activate NAT reflection for the appropriate NAT rule.
    You can do this either in each NAT rule which you want to have the function enabled or global in System > Advanced > Firewall and NAT and set the rule to "system default".


Log in to reply