Strange behaviour in NAT



  • I have a NAT rule to allow Internet clients to access a web app. No other NAT or rules.
    When I go outside, I can access the app (by its DNS name) just as expected.
    However, when I'm at the site, I cannot access the app using the same address!!
    Is there any rule that should be made on LAN as well? It would be very strange if so.
    LAN can access the Internet / web / downloads fine.





  • @KOM:

    Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks

    Just as I thought …
    haiizzz ... more work to do just to achieve a simple job! What is the benefit of restricting LAN clients from simply going out to the Internet to reach that Internet host name?
    Very tedious process!



  • Running split DNS isn't that hard unless you have a lot of internal hosts you need to connect to.



  • @KOM:

    Running split DNS isn't that hard unless you have a lot of internal hosts you need to connect to.

    Yes, I've got over 10 internal servers that users need to access over the Internet.
    It's not hard, but tedious, and WHAT IS THE POINT OF DOING THIS? Shouldn't the FW just bloody allow LAN to connect to them like any other Internet addr?


  • Banned

    Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to the WRONG place.



  • If you really want to use public names without split DNS then you can try playing with NAT Reflection. Try Pure NAT first, as I think I remember it being the recommended option.

    BTW, 10 servers is nothing. If you were talking many dozens or so, with servers coming and going constantly, then it might be a nuisance. Otherwise, just stick your 10 servers in the pfSense Forwarder or Resolver host overrides and be done with it, if you're using pfSense for DNS. If not, just do the same thing in your other DNS server. How long can it take to add 10 A records?
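As an added example (not part of this thread and not pfSense's own code): the host-override approach described above, written out as the Unbound `local-data` directives it amounts to, plus a small check for the symptom in the original post. pfSense's DNS Resolver is Unbound and its host overrides correspond to directives of this form; the hostnames, addresses and function names below are constructed placeholders.

```python
"""Split DNS host overrides for an Unbound (pfSense Resolver) setup. Added example."""
import ipaddress

# Constructed sample data: public hostnames that LAN clients should resolve to the
# servers' internal addresses instead of the firewall's WAN address.
INTERNAL_SERVERS = {
    "app.example.com": "192.168.1.10",
    "mail.example.com": "192.168.1.20",
    "wiki.example.com": "192.168.1.30",
}
WAN_IP = "203.0.113.5"        # constructed public address of the firewall
LAN_NET = "192.168.1.0/24"    # constructed LAN prefix


def host_override_lines(servers, wan_ip=WAN_IP):
    """Return Unbound local-data directives: one forward record and one PTR per server.

    Refuses the WAN address and any non-private address: an override that still
    points at the firewall reproduces the exact symptom in the thread (the LAN
    client hits the WAN side of pfSense instead of the web app).
    """
    lines = []
    for name, ip in sorted(servers.items()):
        addr = ipaddress.ip_address(ip)
        if ip == wan_ip or not addr.is_private:
            raise ValueError(f"{name}: {ip} is not an internal address")
        fqdn = name.rstrip(".") + "."          # Unbound wants a fully qualified name
        rtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn} IN {rtype} {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')   # keep reverse lookups consistent
    return lines


def diagnose_lan_answer(answer_ip, wan_ip=WAN_IP, lan_net=LAN_NET):
    """Classify the address a LAN client got back for a public name.

    This is the check you would do with `dig` from an inside host: if the LAN
    resolver still hands out the WAN address, split DNS is not in effect and the
    connection can only work with NAT reflection enabled on the firewall.
    """
    addr = ipaddress.ip_address(answer_ip)
    if str(addr) == wan_ip:
        return "wan"       # no split DNS: client will hit the firewall's WAN address
    if addr in ipaddress.ip_network(lan_net):
        return "lan"       # split DNS working: client goes straight to the server
    return "other"         # some third address, e.g. a CDN or a stale record


if __name__ == "__main__":
    print("\n".join(host_override_lines(INTERNAL_SERVERS)))
    for ip in (WAN_IP, "192.168.1.10"):
        print(ip, "->", diagnose_lan_answer(ip))
```

In pfSense the same records are entered through the Resolver's host override page rather than typed as raw directives, but generating them this way makes it easy to keep the server list in one file and diff it against what the resolver actually answers.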


  • Netgate

    OMG! Maintaining a network properly might amount to someone having to do some work!



  • @doktornotor:

    Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to the WRONG place.

    What do you mean by pointing to the WRONG PLACE? Nonsense! It's an Internet address. Technically. Whatever is behind it, just allow the client to go to that address, and if that addr happens to point back to another host in the same network, so be it. Why do other firewalls allow it but pfSense requires extra steps here?


  • Netgate

    Because other routers behave improperly out of the box. pfSense requires the user to check a box to get the behavior.

    If you don't want to do it right, go here:

    System > Advanced > Firewall/NAT Tab > Network Address Translation


  • Banned

    @pfguy:

    @doktornotor:

    Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to the WRONG place.

    What do you mean by pointing to the WRONG PLACE? Nonsense! It's an Internet address

    Ugh… You just don't get it. It's NOT running on your pfSense box. Don't point clients there on LAN, simple. Point them to LAN. Stop playing ping-pong with packet headers. There's no need for the traffic to ever hit the firewall box, at all.

    (BTW, most "other firewalls" just don't have any NAT reflection at all...)



  • @doktornotor:

    @pfguy:

    @doktornotor:

    Dude, you are connecting to where the server does NOT exist (your WAN). It's not about allowed or not. It's about pointing to the WRONG place.

    What do you mean by pointing to the WRONG PLACE? Nonsense! It's an Internet address

    Ugh… You just don't get it. It's NOT running on your pfSense box. Don't point clients there on LAN, simple. Point them to LAN. Stop playing ping-pong with packet headers. There's no need for the traffic to ever hit the firewall box, at all.

    (BTW, most "other firewalls" just don't have any NAT reflection at all...)

    OK, fair enough... argument accepted ;)
    Thanks