Can't access device inside the network using outside IP, but outside sources can



  • I have a phone server inside my network that has a WAN and LAN port. The WAN is hooked into my pfSense, and using an outside static IP. Phones and everything work except I cannot access the web interface via the WAN IP address from inside my LAN. If I use a computer, say at my home, to access the phone server via its WAN IP, it works just fine.

    The PHONES interface on my pfSense is bridged between the actual WAN interface and the PHONE LAN interface.

    What do I have to do to make this work so that the users inside my LAN can access this phone server via the WAN IP?



  • Either enable NAT Reflection or run split DNS.



  • @KOM:

    Either enable NAT Reflection or run split DNS.

    Where do I do that (NAT reflection)? It's set to automatically generate NAT.

    Also, this phone server is on a separate VLAN than the rest of the computers on the LAN, which is why I wanted to enable using the WAN IP instead of the alternate VLAN IP.



  • System - Advanced - Firewall/NAT - Network Address Translation - NAT Reflection mode for port forwards.  It may or may not work well for you.  I ended up going with split DNS, and that's the method suggested by the pfSense people.



  • @KOM:

    System - Advanced - Firewall/NAT - Network Address Translation - NAT Reflection mode for port forwards.  It may or may not work well for you.  I ended up going with split DNS, and that's the method suggested by the pfSense people.

    That didn't seem to work and I don't know what split DNS is.

    However, creating a rule in the LAN to the dest of the phone server allowing any worked perfectly. Problem solved. Thanks though :)



  • Split DNS is simply running DNS on LAN that says your domain points to a LAN IP instead of WAN IP.  For example, if you own foo.com and it points to 1.2.3.4, split DNS would have you install a DNS server on LAN and have it resolve foo.com to be 192.168.1.x or whatever its LAN IP address is instead of its WAN address.
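
The split DNS behaviour described in the reply above, modelled as an added example that is not part of the thread. `foo.com` and `1.2.3.4` come from the post; `192.168.1.10`, `www.foo.com`, the LAN prefix and all function names are assumptions made for illustration. It also covers the common failure mode where a second public name has no LAN override and still sends inside clients to the WAN address.

```python
import ipaddress

# Constructed sample data. foo.com -> 1.2.3.4 is from the post above;
# the LAN prefix, 192.168.1.10 and www.foo.com are assumed values.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16")]
PUBLIC_ZONE = {"foo.com": "1.2.3.4", "www.foo.com": "1.2.3.4"}
LAN_OVERRIDES = {"foo.com": "192.168.1.10"}


def is_lan_client(client_ip):
    """True when the querying client sits on one of the LAN networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LAN_NETS)


def resolve(name, client_ip):
    """Answer a query the way a split DNS setup would for this client.

    LAN clients get the override (the server's LAN address) when one
    exists; everyone else, and any name without an override, gets the
    public record. None models a name that does not exist.
    """
    name = name.rstrip(".").lower()
    if is_lan_client(client_ip) and name in LAN_OVERRIDES:
        return LAN_OVERRIDES[name]
    return PUBLIC_ZONE.get(name)


def missing_overrides():
    """Public names that LAN clients still resolve to the WAN address.

    These names keep depending on NAT reflection from inside the LAN,
    so they are the ones to add to the internal resolver.
    """
    return sorted(n for n in PUBLIC_ZONE if n not in LAN_OVERRIDES)


if __name__ == "__main__":
    for client in ("192.168.1.50", "203.0.113.7"):
        for name in sorted(PUBLIC_ZONE):
            print(f"{client:>14} asks {name:<12} -> {resolve(name, client)}")
    print("names without a LAN override:", missing_overrides())
```

Whichever address the LAN client ends up with, the firewall rules between the client's network and the server's network still have to permit the connection.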

