Netgate Discussion Forum

    LAN cannot access local server

    16 Posts 3 Posters 10.8k Views
      Ewok85

      Hi Guys,
      been reading threads and lurking on IRC but can't get this working….

      I have a box running pfSense, simple setup. 2 NICs, one on LAN side, one on WAN side. 100 Mbit fibre connection.

      WAN side is using PPPoE and gets a dynamic IP from the ISP. Considering the pfSense box and modem are never powered off it can be many months before the IP changes, but it is not static.

      LAN side uses standard IP ranges (192.168.1.x).

      pfSense box is 192.168.1.1
      Apache server is running at 192.168.1.17
      My main PC is at 192.168.1.254

      General internet access is OK, so are PC-to-PC file transfers etc. Basic NAT rules are in use (forward port 80 to 192.168.1.17, forward RDP, FTP, etc. to 192.168.1.254). That's all fine.

      What do I need?

        hoba

        You try to access it from LAN by the local IP and it times out? Then something is wrong with your Apache. These connections are not even going through the pfSense. Check your Apache server.

          Ewok85

          Ah, that's because it forwards a request to the IP to the domain name ;)

          When I turn off URL rewrite it works fine - not an Apache issue.

            GruensFroeschli

            You mean you access it by the domain name which resolves to the public IP on your WAN?

            Enable NAT-reflection

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              Ewok85

              When NAT reflection is enabled I cannot access the internet at all.

                GruensFroeschli

                I very very much doubt that…
                NAT reflection does nothing other than rewrite packets that have your WAN IP as destination to your server...

                Are you sure you didn't enable Advanced outbound NAT?

                  Ewok85

                  Automatic NAT rules is definitely selected. Just tried again now and am no longer able to access websites with NAT reflection on, and the only clue I can see is this line in the system log:
                  php: : Not installing nat reflection rules for a port range > 500

                    GruensFroeschli

                    Then you are trying to forward a range bigger than 500.

                    Read the description of NAT reflection:

                    Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.

                    Do you really need more than 500 ports forwarded?

                    AFAIK if you try to split a range bigger than 500 up into multiple forwards of 500 each you will run into a hard limit of 1000 ports that can be reflected at once.

                      Ewok85

                      I had one port range forwarded (around 1000 ports for FTP) but even with that removed, general internet access is not possible with NAT reflection enabled. (But it does not spit out the message from before in the logs… looks pretty normal in there really).

                        GruensFroeschli

                        Did you remove your firewall rule that allows access to the internet?
                        If you lose general internet access you misconfigured something.

                        Can you show screenshots of your rules?
                        (NAT, Firewall, AoN)

                          Ewok85

                          Sorry, been crazy busy  ;D
                          Appreciate the help!

                            Ewok85

                            Interesting new result!

                            When I turn reflection on I can now access my website! Hurray!

                            But I cannot access any external sites, it bounces them back to my own website. Sounds like port 80 isn't being handled correctly.

                            Looking at the config, is anything amiss? Do you need more examples?

                            Cheers,
                            Leon

                              GruensFroeschli

                              You have in your forwardings as external address: "any"
                              Set that to your WAN IP.

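A simplified model of the symptom diagnosed in the reply above, added here as an example; it is not code from the thread or from pfSense. It shows why a reflected port-80 forward with external address "any" sends every outbound web request from the LAN to the local Apache host, while a forward bound to the WAN interface address only catches traffic aimed at the firewall itself, even after the dynamic address changes. `PortForward`, `reflect` and `audit` are hypothetical names, and the 203.0.113.x and 198.51.100.80 addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

WAN_IP = ip_address("203.0.113.10")      # constructed stand-in for the dynamic WAN address
WEB_SERVER = ip_address("192.168.1.17")  # Apache host named in the thread


@dataclass(frozen=True)
class PortForward:
    external: str        # "any", or "wan" meaning the WAN interface's current address
    port: int
    target: IPv4Address

    def matches(self, dst_ip, dst_port, wan_ip):
        if dst_port != self.port:
            return False
        if self.external == "any":
            return True              # every destination on this port matches
        return dst_ip == wan_ip      # only traffic addressed to the firewall's WAN address


def reflect(rule, dst_ip, dst_port, wan_ip=WAN_IP):
    """Address a LAN client's connection really reaches when reflection is on."""
    dst_ip = ip_address(dst_ip)
    return rule.target if rule.matches(dst_ip, dst_port, wan_ip) else dst_ip


def audit(rules):
    """Forwards that would capture outbound LAN traffic once reflected."""
    return [r for r in rules if r.external == "any"]


ANY_RULE = PortForward("any", 80, WEB_SERVER)   # the setup spotted in the screenshots
WAN_RULE = PortForward("wan", 80, WEB_SERVER)   # the suggested correction

if __name__ == "__main__":
    for name, rule in (("any", ANY_RULE), ("wan", WAN_RULE)):
        print(name, "external site ->", reflect(rule, "198.51.100.80", 80))
        print(name, "own WAN addr  ->", reflect(rule, str(WAN_IP), 80))
    # After a PPPoE reconnect the interface-bound rule follows the new address.
    new_wan = ip_address("203.0.113.77")
    print("wan after re-dial ->", reflect(WAN_RULE, "203.0.113.77", 80, new_wan))
    print("flagged:", audit([ANY_RULE, WAN_RULE]))
```
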
                                Ewok85

                                And if my WAN IP is dynamic.. I have to manually update it every time?

                                  GruensFroeschli

                                  No.
                                  Because you don't select an IP but an interface.

                                    Ewok85

                                    Thanks for the help, it is still not working but I think I know what I have to do!

                                    Cheers,
                                    Leon
