    Another wan from lan issue NAT loopback

    15 Posts 5 Posters 2.9k Views
wifiuk

I use no-ip.org as I have a dynamic IP.

E.g.

blah123.no-ip.org

I have 2 IP cams:

blah123.no-ip.org:123 / 192.168.x.x
blah123.no-ip.org:456 / 192.168.x.y

So port forwarding works fine as expected, as long as I'm not inside my own network.

So I have tried the Pure NAT option and it doesn't seem to work; not sure what I'm missing.

So upon further reading people are suggesting using split DNS. So I try that.

But it doesn't work as I have more than one device using the same blah123.no-ip.org...

Can anyone let me know what I am missing?

Using pfSense 2.2 RC (had the same problem on 2.1.5).

johnpoz LAYER 8 Global Moderator

Well, use 2 names, blah1.noip and blah2.noip. Problem solved. blah1 points to x.x and blah2 points to x.y.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

wifiuk

So then I need one subdomain for the firewall,
one for cam1,
one for cam2?

That seems a bit overkill when you can have one .no-ip.org address and use port forwarding... The issue is with the NAT loopback... Surely that's an internal issue?

But I know I've had it working in the past using pfSense, but I can't for the life of me work out why Pure NAT is no longer working; thinking I've missed something...

johnpoz LAYER 8 Global Moderator

Subdomain?? What... You need multiple host names in your domain, since you have MULTIPLE hosts!!

So you have cam1.blah.no-ip.org, if blah is your domain you got from no-ip, and cam2.blah.no-ip.org... I don't use no-ip any longer because they continue to have you click this email every 30 days or whatever it was, as a nag to get you to buy.

I use a domain from afraid... I have multiple hosts in the domain...

How is proper resolution of an FQDN to an IP overkill?? You know what is overkill: messing with something that shouldn't even be a possible solution, if you ask me. NAT reflection is an abomination ;)

This is all of 2 seconds of creating a host override... Done for the FQDN you're wanting to use. Let's say I had 3 different cameras I want to get to and I have 1 public IP. I would set the cameras to use, say, ports 8081, 8082, 8083.

In whatever dynamic DNS I am using I would set up cam1.mydomain.tld, cam2.mydomain.tld, cam3.mydomain.tld all pointing to my public IP. Let's call it 42.1.2.100.

I create my forwards so that if you are going to 8081 it is sent to 192.168.1.101:8081, if 8082 to 192.168.1.102, if 8083 to 192.168.1.103.

I set up 3 host overrides for cam1.mydomain.tld, cam2 and cam3.mydomain.tld that point to those 192.168 addresses.

Now I can use the FQDN cam1.mydomain.tld:8081, be it I am outside or inside my network... This takes all of 30 seconds to set up.

Derelict LAYER 8 Netgate

              If you want it to be the same URL inside and outside you will have to:

              Make two hostnames inside (pointing one at each camera) and two hostnames outside (both pointing at your outside IP).

              Change the camera listening ports so the same port outside goes to the same port inside.

Then http://blah123.no-ip.org:123/ and http://blah456.no-ip.org:456/ (for example) will work from inside or outside.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

wifiuk

I already had each camera on a different port using the same external no-ip.org address, and it works fine outside the network...

So I have logged into my website host and set a subdomain ipcam1 and another called ipcam2.

Forwarded these to my blahblah.no-ip.org address.

So they will always be pointing to my external IP, and changed the camera link on my phone to cam1.mywebhost:1234 and cam2.mywebhost:2345.

So now they work internal and external using the split DNS as suggested above.....

This is a workaround though, as NAT loopback should work correctly but it doesn't....

Derelict LAYER 8 Netgate

                  NAT reflection is an ugly hack.  Take comfort in knowing you did it right instead of easy.

johnpoz LAYER 8 Global Moderator

"This is a workaround though"

No, your idea that you should send traffic from the LAN side of your firewall to the public side to be forwarded back in, with a source IP that came from your LAN side, is, as stated, an UGLY hack!!!

This can cause asymmetric routing; it's pretty much a security concern. So your firewall is allowing traffic when it says it came from the internal private network? Did it really, or was the source spoofed?

So your client sends traffic to 1.2.3.4, which is off his network, so he sends it to the gateway... Shouldn't it be concerned that return traffic came from 192.168.1.x?? When the server at 192.168.1.x sees the inbound traffic that says it came from 192.168.1.y?

NAT reflection is a hack that really shouldn't even be there... Nobody in networking would ever expect that NAT reflection should be a viable option... Only people not knowing what they are doing would expect such a thing to be a solution.

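The host-override plus port-forward setup johnpoz lays out above (three cameras, one public IP, per-camera forwards, split DNS), together with the hairpin and asymmetric-return problem he describes in his later reply, modelled as a small Python script. This is an added example, not code from the thread or from pfSense: the addresses, names and ports are the ones from johnpoz's post, the firewall LAN address 192.168.1.1 is assumed, and the `reflection` / `reflection_snat` flags are this model's own switches, not pfSense option names.

```python
"""Constructed model of the thread's scenario: three cameras behind one public
IP, per-camera port forwards, DNS Resolver host overrides (split DNS), and the
hairpin case that NAT reflection has to deal with. Addresses and names follow
johnpoz's post; the firewall LAN address is an assumption of this example."""

FIREWALL_LAN_IP = "192.168.1.1"      # assumed LAN address of the firewall
PUBLIC_IP = "42.1.2.100"             # the example public IP from the thread
LAN_PREFIX = "192.168.1."

# Dynamic DNS (public view): every camera name resolves to the one public IP.
PUBLIC_DNS = {f"cam{i}.mydomain.tld": PUBLIC_IP for i in (1, 2, 3)}

# DNS Resolver host overrides (internal view): same names -> LAN addresses.
HOST_OVERRIDES = {
    "cam1.mydomain.tld": "192.168.1.101",
    "cam2.mydomain.tld": "192.168.1.102",
    "cam3.mydomain.tld": "192.168.1.103",
}

# WAN port forwards: public port -> (LAN host, LAN port). Same port inside and
# out is what lets cam1.mydomain.tld:8081 work from either side.
PORT_FORWARDS = {
    8081: ("192.168.1.101", 8081),
    8082: ("192.168.1.102", 8082),
    8083: ("192.168.1.103", 8083),
}


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def resolve(fqdn: str, client_ip: str, split_dns: bool = True):
    """Answer the client gets: the override when a LAN client asks the internal
    resolver and an override exists, otherwise the public record (or None)."""
    if split_dns and is_lan(client_ip) and fqdn in HOST_OVERRIDES:
        return HOST_OVERRIDES[fqdn]
    return PUBLIC_DNS.get(fqdn)


def connect(client_ip, fqdn, port, split_dns=True,
            reflection=False, reflection_snat=False):
    """Trace where a TCP connection from client_ip to fqdn:port ends up."""
    dst = resolve(fqdn, client_ip, split_dns)
    if dst is None:
        return {"path": "dropped", "ok": False, "reason": "name does not resolve"}
    if is_lan(dst):
        # Split DNS: the client talks to the camera directly; the firewall and
        # the port forward are never involved.
        return {"path": "direct", "server": (dst, port),
                "server_sees_src": client_ip, "ok": True}
    if port not in PORT_FORWARDS:
        return {"path": "dropped", "ok": False, "reason": "no forward for port"}
    server = PORT_FORWARDS[port]
    if not is_lan(client_ip):
        # Normal inbound case: WAN client -> public IP -> forward -> camera.
        return {"path": "port-forward", "server": server,
                "server_sees_src": client_ip, "ok": True}
    # LAN client sending to its own public IP: the hairpin case.
    if not reflection:
        return {"path": "hairpin", "ok": False,
                "reason": "WAN forward does not match traffic arriving on LAN"}
    if not reflection_snat:
        # Destination rewritten only, client and camera on the same subnet:
        # the camera sees a LAN source and replies straight to the client,
        # bypassing the firewall. The client expected the reply from
        # PUBLIC_IP, so the connection never completes (asymmetric return).
        return {"path": "reflection", "server": server,
                "server_sees_src": client_ip, "ok": False,
                "reason": "asymmetric return path"}
    # Source also rewritten to the firewall: works, but the camera now logs
    # every internal client as the firewall's own address.
    return {"path": "reflection+snat", "server": server,
            "server_sees_src": FIREWALL_LAN_IP, "ok": True}


def unbound_local_data():
    """Render the overrides as unbound local-data records, which is what a
    DNS Resolver host override amounts to (sorted by name here)."""
    return [f'local-data: "{name}. IN A {ip}"'
            for name, ip in sorted(HOST_OVERRIDES.items())]


if __name__ == "__main__":
    for who in ("203.0.113.7", "192.168.1.50"):      # 203.0.113.7: constructed WAN client
        print(who, connect(who, "cam1.mydomain.tld", 8081))
    print(connect("192.168.1.50", "cam1.mydomain.tld", 8081, split_dns=False))
    print("\n".join(unbound_local_data()))
```

Running it shows the point of the thread: from outside, the public record plus the 8081 forward lands on 192.168.1.101; from inside, split DNS hands back 192.168.1.101 directly and the firewall is never in the path. Turning `split_dns` off reproduces the hairpin case, and the reflection branch shows why a reflected connection between hosts on the same subnet only completes when the source is rewritten as well, at the cost of the camera seeing the firewall as the client instead of the real one.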
kejianshi

You know what I recommend?

First - Never expose it directly to the internet - use a VPN.

Second - Address it directly by IP.

That's what I do.

Port forwarding to an IP cam from the web is begging for a hack.

siddharthm

Just try NAT + proxy; it must do the job.

siddharthm

                          https://forum.pfsense.org/index.php?topic=86803.0

wifiuk

@kejianshi:

You know what I recommend?

First - Never expose it directly to the internet - use a VPN.

Second - Address it directly by IP.

That's what I do.

Port forwarding to an IP cam from the web is begging for a hack.

As said earlier, my cam is locked down, firstly with a decent password; secondly I only allow my work IP and my mobile phone subnet to access the IP. All other IPs trying to connect to that port are blocked by the firewall. So firstly they would need to hack the firewall before they can get to the cams.

Secondly, I can't have VPN on all the time as I access them from work and from my phone; can't have the phone on VPN all the time, not practical.

I have a dynamic IP, so using the IP will not work as it changes from time to time.

kejianshi

Sounds like it's super secure then. Problem solved.

johnpoz LAYER 8 Global Moderator

"can't have phone on VPN"

Who said it had to be on all the time? It takes seconds to connect to the VPN from the phone. As to from work - again, I VPN into my home network from work all the time. Nice thing about OpenVPN is you can bounce off a proxy like many work networks require ;)

wifiuk

Oh yeah, I know it's easy to turn off and on, but I have a widget on my home screen, so that means I would have to have it on all the time, otherwise the widgets wouldn't work. But it's not a major problem.

And with my work, no need to bounce via proxy...
