LAN cannot access local server
-
Hi Guys,
been reading threads and lurking on IRC but can't get this working….I have a box running PFsense, simple setup. 2 NIC, one on LAN side, one on WAN side. 100mbit fibre connection.
WAN side is using PPPoE and gets a dynamic IP from the ISP. Considering the pfsense box and modem are never powered off it can be many months before the IP changes, but it is not static.
LAN side uses standard IP ranges (192.168.1.x).
PFsense box is 192.168.1.1
Apache server is running at 192.168.1.17
My main PC is at 192.168.1.254General internet access is OK, so is PC to PC file transfers etc. Basic NAT rules are in use (forward port 80 to 192.168.1.17, forward RDP, FTP, etc to 192.168.1.254). Thats all fine.
What do I need?
-
You try to acces it from lan by the local IP and it times out? Then something is wrong with your Apache. These connections are not even going through the pfSense. Check your Apacheserver.
-
Ah, thats because it forwards a request to the IP to the domain name ;)
When I turn off url re-write it works fine - not an apache issue.
-
You mean you access it by the domain name which resolves to the public IP on your WAN?
Enable NAT-reflection
-
When NAT reflection is enabled I cannot access the internet at all.
-
I very very much doubt that…
NAT reflection does nothing else than rewrite packets with as destination your WAN ip to your server...Are you sure you didnt enable Advanced outbound NAT?
-
Automatic NAT rules is definitely selected. Just tried again now and am no longer able to access websites with NAT reflection on, and the only clue I can see is this line in the system log:
php: : Not installing nat reflection rules for a port range > 500
-
Then you are trying to forward a range bigger than 500.
Read the description of NAT reflection:
Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.
Do you really need more than 500 ports forwarded?
Afaik if you try to split a range bigger than 500 up into multiple forwards of each 500 you will run into a hardlimit of 1000 ports that can be reflectect at once.
-
I had one port range forwarded (around 1000 ports for FTP) but even with that removed, general internet access is not possible with NAT reflection enabled. (But it does not spit out the message from before in the logs… looks pretty normal in there really).
-
Did you remove your firewall rule that allows access to the internet?
If you loose general internet access you missconfigured something.Can you show screenshots of your rules?
(NAT, Firewall, AoN)
-
Sorry, been crazy busy ;D
Appreciate the help!
-
Interesting new result!
When I turn reflection on I can now access my website! Hurray!
But I cannot access any external sites, it bounces them back to my own website. Sounds like port 80 isn't being handled correctly.
Looking at the config, is anything amiss? Do you need more examples?
Cheers,
Leon
-
You have in your fowardings as external Address: "any"
Set that to your WAN IP.
-
And if my WAN IP is dynamic.. I have to manually update it everytime?
-
No.
Because you dont select an IP but an interface.
-
Thanks for the help, it is still not working but I think I know what I have to do!
Cheers,
Leon
