Netgate Discussion Forum

    1:1 NAT mapping and routing

    • Endosavian

      Hello!

      I have a question regarding 1:1 NAT mapping. I have two servers, each with one 1:1 mapped IP, i.e.

      server A: 80.0.0.100 to internal ip 10.0.20.100
      and
      server B: 80.0.0.101 to internal ip 10.0.20.101

      Now if server A is running a web server and I want to access that web server specifically through the external IP from server B, how do I do that?

      Right now if I visit 80.0.0.100 from server B I end up at the pfSense webGUI. How can I tell pfSense to translate the IPs like this?

      10.0.20.101 (server B) -> 80.0.0.100 (server A external) -> 10.0.20.100 (server A internal)

      Right now I think this happens:
      10.0.20.101 (server B) -> 80.0.0.100 (pfsense)

      Any tips on how to solve this? I am required to use the external IPs on the machines, but they have to resolve correctly and not to pfSense :)

      • viragomann

        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        • Derelict (LAYER 8 Netgate)

          I am required to use the external IPs on the machines

          Curious.  Why?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Endosavian

            @viragomann:

            https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

            @Derelict:

            I am required to use the external IPs on the machines

            Curious.  Why?

            Thanks for pointing me in the right direction. I have now read about the two options, NAT reflection and split DNS. Based on some forum posts, NAT reflection seems to be an ill-advised way (hack?) https://forum.pfsense.org/index.php?topic=98764.0

            What I have is external clients accessing server B. The clients only know the external IP of server A, which they need to input on a web page running on server B. Thus the clients use the external IP and the systems need to be able to talk to each other via this IP. Since they don't use hostnames I cannot use split DNS.

            And since the pfSense box has quite a lot of firewall and NAT rules, 1:1 NAT mappings, CARP etc., I think enabling NAT reflection is a dangerous operation since I cannot predict the outcome.

            For instance https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing. How does this affect 1:1 mappings? And do I need to edit any existing port forward rules that have Destination -> Type: WAN address?

            I wonder if I cannot solve this on server B with iptables instead, translating the external IP to the internal IP on the server itself (less risky).

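The host-side alternative raised above (rewriting server A's public 1:1 address to its internal address on server B itself), as an added example that is not part of the thread: a small POSIX shell script that renders the iptables rules for the thread's addresses and only applies them when explicitly asked. The mapping table, the function names and the APPLY switch are my own constructs.

```shell
#!/bin/sh
# Local DNAT on server B: packets B itself sends to server A's public 1:1
# address get their destination rewritten to A's internal address before they
# leave B, so they never go to pfSense (and pfSense's rules never see them).
# Locally generated packets skip PREROUTING, so the rule must sit in the nat
# table's OUTPUT chain; conntrack un-translates the replies automatically.
# Mapping table constructed from the thread's 1:1 entries: "public internal".
MAPPINGS='80.0.0.100 10.0.20.100'

# Loose dotted-quad check so a typo in the table cannot produce a bad rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables command for one mapping and one TCP port. Limiting the
# rewrite to the web port keeps every other flow to the public IP on its
# normal path through pfSense.
dnat_rule() {
    pub=$1; priv=$2; port=$3
    is_ipv4 "$pub" && is_ipv4 "$priv" || return 1
    printf 'iptables -t nat -A OUTPUT -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$pub" "$port" "$priv"
}

# Emit one rule per mapping for the given port.
render_rules() {
    port=$1
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        dnat_rule "$pub" "$priv" "$port" || { echo "bad mapping: $pub $priv" >&2; exit 1; }
    done
}

# Dry-run by default; APPLY=1 pipes the rendered commands into a root shell.
if [ "${APPLY:-0}" = "1" ]; then
    render_rules 80 | sh
else
    render_rules 80
fi
```

Server A's web server must accept connections addressed to 10.0.20.100, and any firewall rules pfSense would have applied to B-to-A traffic no longer apply to this flow because it stays on the LAN segment.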
            • viragomann

              @Endosavian:

              What I have is external clients accessing server B. The clients only know the external IP of server A, which they need to input on a web page running on server B. Thus the clients use the external IP and the systems need to be able to talk to each other via this IP. Since they don't use hostnames I cannot use split DNS.

              If you want to communicate with another internal host you need its internal IP. You can get it from DNS or let pfSense redirect the request by NAT reflection.
              If you don't use DNS and you have to use the external IP, NAT reflection will be your only option.

              @Endosavian:

              For instance https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing. How does this affect 1:1 mappings? And do I need to edit any existing port forward rules that have Destination -> Type: WAN address?

              This issue was provoked by an improperly configured NAT rule.

              @Endosavian:

              I wonder if I cannot solve this on server B with iptables instead, translating the external IP to the internal IP on the server itself (less risky).

              This could be another option.

              • Endosavian

                @viragomann:

                @Endosavian:

                What I have is external clients accessing server B. The clients only know the external IP of server A, which they need to input on a web page running on server B. Thus the clients use the external IP and the systems need to be able to talk to each other via this IP. Since they don't use hostnames I cannot use split DNS.

                If you want to communicate with another internal host you need its internal IP. You can get it from DNS or let pfSense redirect the request by NAT reflection.
                If you don't use DNS and you have to use the external IP, NAT reflection will be your only option.

                @Endosavian:

                For instance https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing. How does this affect 1:1 mappings? And do I need to edit any existing port forward rules that have Destination -> Type: WAN address?

                This issue was provoked by an improperly configured NAT rule.

                @Endosavian:

                I wonder if I cannot solve this on server B with iptables instead, translating the external IP to the internal IP on the server itself (less risky).

                This could be another option.

                Hi. Yes, NAT reflection or iptables DNAT seem to be the options here.

                If I enable NAT reflection (Pure NAT), will I need to re-create all my NAT rules, or will pfSense add the NAT reflection rules for pre-existing NAT rules?

                • Derelict (LAYER 8 Netgate)

                  Your solution to all your problems is to set up Split DNS and have your users use hostnames, not IP addresses. Then it's all the same from the users' perspectives, inside or outside.


                  • divsys

                    Unless the application the clients are typing into doesn't accept FQDNs, only an IP.

                    Yeah, yeah, yeah, I know that's just WRONG(TM), but welcome to the real world (this is only a guess on my part and hopefully I'm off-base)...

                    -jfp

                    • Derelict (LAYER 8 Netgate)

                      Then turn on NAT reflection. You have no choice. PoS.


                      • viragomann

                        You can enable NAT reflection in "System: Advanced: Firewall and NAT" or also per rule.
                        There is no need to recreate rules. The rules added by NAT reflection are invisible.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.