VIP Access From LAN

  • Hi All,
    I have a few VIPs set up on my pfSense 2.1.5 FW, with 1:1 NAT set up to the internal IP addresses.

    DNS for these addresses works fine externally, however when a machine on the LAN address tries to access the WAN IP through HTTP/HTTPS I get the pfSense admin page (and a notice about DNS rebind attacks).

    I have manual NAT set up for the LAN addresses, and have tried "Enable NAT Reflection for 1:1 NAT".

    Does anyone have any idea how to get around this?


  • You can turn off DNS rebind under System > Advanced. Why not use the private IP they point to in your network?

  • Thanks for the reply - that would just redirect to the pfSense admin page though.

    We host a lot of development/staging sites and they need to be accessible to developers on the LAN and customers externally through the same DNS name, which would be the WAN address.

  • It is a security risk to have the webConfigurator listen on the WAN interface. You should change this.

    To access LAN hosts from another one in the LAN network by the external IP (DNS) you have to use "NAT reflection + proxy" mode, but this is not possible with 1:1 NAT.
    So to resolve your issue, you either have to change your NAT to port forward or use split DNS and configure an additional internal DNS server.

  • Thanks - if I curl the WAN IP it's returning the internal address. I don't have any rules set up to allow the webConfigurator on the WAN port.

    Port forwarding + NAT Proxy appears to have worked. I didn't realise there is a difference with 1:1 NAT.

    Thanks for your help!
