Access via domain name from internal host
-
Hi, I just upgraded my ISP router+modem to a pfSense box (and downgraded the ISP router+modem to just a modem). I have port forwarding set up and all seems to be working except for one item. On the LAN I have a webserver among other things. I can access this webserver's website from external hosts using the domain name. But I cannot do the same from other internal LAN hosts which share the same subnet as the web server. I can access the web server using the webserver's LAN IP from an internal LAN host, but this is not preferable. I was able to do this using the ISP router+modem automagically and I imagine I need to configure for this on the pfSense router to enable it. I drew a diagram in the attachment. Thanks for your help and tips in advance.
-
So you don't have an internal DNS, I assume.
If you use the DNS forwarder or resolver on pfSense you can add the webserver name and address to host overrides in the particular config. If your LAN host uses an external DNS, use NAT reflection to resolve this. Edit the port forwarding rule for the webserver; down at NAT reflection select "Enable (NAT + proxy)". Maybe this is what your router has done.
-
Thank you. I first tried adding a host override to the DNS forwarder. This allowed internal hosts to reach the web server via the domain name, but the port forward rule (443->5001) did not apply. So then I removed the host override and tried adding NAT reflection NAT + proxy to the specific NAT port forward rule for the web server, and that fixed it!
Incidentally, I had enabled pure NAT reflection at the global level in system->advanced (I was anticipating this issue at setup). Will NAT+Proxy at the individual rule level and global pure NAT conflict somehow?
-
Incidentally, I had enabled pure NAT reflection at the global level in system->advanced (I was anticipating this issue at setup). Will NAT+Proxy at the individual rule level and global pure NAT conflict somehow?
No, you can use a different setting for each rule. So pure NAT is your global setting and is overridden by the setting in the particular NAT rule.
You may also set NAT + proxy globally in System > Advanced > Firewall / NAT, but proxy mode has some disadvantages as described there.
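What the two approaches discussed in this thread do at the packet-filter level, as an added illustration in pf syntax (not pfSense's generated ruleset and not code from anyone in this thread); the interface names and addresses are assumed, and pass rules are omitted:

```pf
# Illustrative pf ruleset for this thread's setup (added example, not pfSense output).
# Assumed values: WAN = em0, LAN = em1, web server = 192.168.1.10, LAN = 192.168.1.0/24.
ext_if    = "em0"
int_if    = "em1"
webserver = "192.168.1.10"

# 1. Ordinary inbound port forward: public 443 -> web server 5001.
#    Matches only traffic arriving on WAN, which is why LAN clients that resolve
#    the FQDN to the public IP get no answer without one of the options below.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $webserver port 5001

# 2a. NAT reflection (hairpin NAT, "pure NAT" style): repeat the redirect for
#     connections that arrive on LAN with the public IP as destination ...
rdr on $int_if proto tcp from $int_if:network to ($ext_if) port 443 -> $webserver port 5001
#     ... and source-NAT them to the firewall's LAN address; otherwise the server
#     would reply straight to the client, which never sent a packet to 192.168.1.10
#     and drops the reply. Side effect: the web server's logs show the firewall's
#     LAN address instead of the real client for every reflected connection.
nat on $int_if proto tcp from $int_if:network to $webserver port 5001 -> ($int_if)

# 2b. Split DNS instead: a host override mapping the FQDN to 192.168.1.10 makes
#     LAN clients connect directly, so none of the rules above is involved and
#     client addresses stay visible to the server. But the 443 -> 5001 translation
#     is skipped too, so the server must listen on 443 itself (or clients use
#     https://fqdn:5001), which is exactly what the replies in this thread observed.
```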
-
I can access this webserver's website from external hosts using the domain name.
Ok, but perhaps a DMZ would be something to think about!?
But I cannot do the same from other internal LAN hosts which share the same subnet as the web server. I can access the web server using the webserver's LAN IP from an internal LAN host, but this is not preferable.
You need something like NAT reflection, also called hairpin NAT, to solve this!
-
Why would you not just listen on 443, the standard SSL port… Then you could access it externally and internally with just https://fqdn
What purpose does listening on 5001 vs 443 serve when you're forwarding 443 from the public side??
NAT reflection should really be avoided whenever possible.. And I really don't see it as needed here if you just listen on the standard port, or just forward 5001 to 5001 and use the URL https://fqdn:5001 both externally and internally