Can't access forwarded ports on my WAN IP from my LAN

  • Hi
    I have servers hosted on the same LAN. I can access the website from outside but i cannot access the website from within the lan.

  • NAT reflections enabled?

  • Where to begin? Is the website sitting in a different VLAN from the PC you're trying to access it from? And is your internal DNS set up with a record to point to the server for internal clients? Can you ping the server from inside the LAN? Have you set up any local firewalling on the target server? Is the PC you're trying to access the server from on the same LAN subnet as the server (if not, this could point to a possible routing issue)?

    You really need to provide more information if you want someone to offer any meaningful help. But maybe some of the questions I've posted so far might give you something to look at.

  • Either enable NAT Reflection or setup split DNS (preferred method).  Split DNS means you run DNS on your LAN and have it return local addresses instead of public addresses.

  • @chris – NAT reflection enabled to pure NAT


    i can access the server through internal ip address , i can access the website from outside.
    i dont have any vlans
    i have not changed any settings on the server. I was using netfear srx5308 previously and it was working fine.
    i can ping the server with local ip. if i put the local ip in the browser the web page opens perfectly

    no internal dns set up.. just a question why do i need that if i have port forwarding rules set up to forward http to a particular server


  • no internal dns set up.. just a question why do i need that if i have port forwarding rules set up to forward http to a particular server

    Because port forwarding is what you use to handle giving access to internal resources to the outside.  In your case you are on the inside and have direct access to the server, so port forwarding has nothing to do with it.  NAT Reflection can cause problems, so it is generally better to use Split DNS or just use the internal IP address of the server.

  • LAYER 8 Global Moderator

    ^ EXACTLY!!!  And and what do you mean no internal dns is setup?  You have pfsense, you can easy setup host over ride for something like this.

    So you have something.publicdomain.tld that points to publicIP that people use on the outside..

    On the inside when users going to something.publicdomain.tld and they ask pfsense which is normally dns forwarder in a typical setup and they ask for something.publicdomain.tld instead of forwarding that to whatever dns you setup to use, its say hey I have a override that says that is privateIP for example.

    If your using some other forward or dns in your network then - then you just set that up on it.  Only problem you would have is that if you point all your clients directly to say your isp dns or googledns, etc.  Which why would you do that??

    NAT reflection is really never a good solution to something like this.. If the box is directly on your local network why would you want to go through your router, just to come back in?

  • it is because i have many internal servers which need to communicate with each other. its a very simple thing know as loopback. all other firewalls provide it netgear, cisco etc… i dont have to setup any thing else. i might just remove pfsense and try something else.

    thanks for your replies

  • LAYER 8 Global Moderator

    so you have internal servers that need to talk to each other, but you don't have internal dns??  Pfsense can do loopback, or nat reflection - its just not on out of the box.. Enable it.

    Well sure then sending all this traffic that they talk internally on through the router/firewall makes lots of sense.. When they sit on the same network segment.. Everyone should hairpin all their internal traffic through their edge router – its what all the cool kids are doing these days ;)

  • Setting up of internal DNS is quite time consuming. I have about 150 entries which i have to manage.. where do i enable loopback… and its not just http but other ports also..

  • LAYER 8 Global Moderator

    System, Advanced Firewall/NAT - at the bottom of the page are you settings for nat reflection.

    As I stated pfsense already should be your dns..  You don't have to manually enter entries if they are dhcp clients - pfsense can auto create dns records for those.  You could always just import them via changes to the xml file.  Or using the advanced features of either the forwarder or resolver point to a file that has all your host entries in there that it would use to resolve.  The length of time to do it would be minutes if you ask me be it you had 3 records or 3000..

    Here is your problem - you should of been doing it from day 1 when you had 1 system…  The use of nat reflection is just not the correct way to access systems that are on your local system..  So how do you access systems that don't have port forwards setup??  Do you use the local IP address?

  • solved

    nat reflection was enabled before the port forwards were made.

    disabled and re-enabled nat reflection it started working.

  • LAYER 8 Netgate

    Administering a 150 node network might be some work so I'll do it wrong instead.

  • LAYER 8 Global Moderator

    ^ yeah, and not only wrong..  But nothing screams performance like hirpinning and letting your edge router/firewall handle traffic that it should never see.  What  sweet setup it must be because setting up dns might take a few minutes ;)

Log in to reply