Topic: How can I use public IP's on the LAN?
jhavers
« on: February 10, 2008, 08:38:56 am »

Hi all,

I have the following question: How can I use public IP's on the LAN?
I did read the FAQ on this item but I can't get it to work.

The FAQ states: "you need to disable NAT to use a public IP subnet on the LAN. Just enable Advanced Outbound NAT, and remove the automatically generated NAT rule to accomplish this." Nice, but what do I have to change in the web interface to get it working...

I tried changing pfsense behavior in the following places (with no success):
1. System \ Advanced: Network Address Translation: "Disable NAT Reflection" (Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.)
2. Firewall \ NAT \ Outbound: Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

Let's say my client machine on the LAN wants to access my webserver which is also on the LAN (for now) via the WAN address.
My WAN address is xyz.dyndns.org and the webserver is NATed to an IP on the LAN (from the outside it is accessible).
What step do I have to take, so that the client machine can read the webserver via http://xyz.dyndns.org?

I hope someone can tell me the steps to get this working correctly.

Regards,
Joost.
sullrich
« Reply #1 on: February 10, 2008, 06:23:51 pm »

Search for reflection.
Assar
« Reply #2 on: February 11, 2008, 02:20:47 am »

> Search for reflection.

Joining the thread.

I've searched this, but found no working solution.
My external IP-range is 82.*.*.0 /26
Servers have local IP:s and I'm using 1:1 NAT mapping.
How can I kind of loop back via rules?

  // Assar

Update:
Found a way to override DNS.
Add servers in "Services/DNS forward".
This seems to work.

Could be nice to be able to add a checkbox on 1:1 mapping if address should be mapped or not.
« Last Edit: February 11, 2008, 02:40:05 am by Assar »
GruensFroeschli
« Reply #3 on: February 11, 2008, 05:42:13 am »

NAT-Reflection does not work with 1:1 NAT
You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address which will not forward back across to the 1:1 server.

We do what we must, because we can.
(Except when you PM me to help you directly - DONT: keep your issues in the forum)
Assar
« Reply #4 on: February 11, 2008, 08:58:14 am »

Thanks!
My workaround seems to work well as long as everybody uses hosts listed in "Services: DNS forwarder".
I have to instruct developers not to use external IP addresses.
This way external IP:s are avoided on LAN.

  // Assar
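
The check below is an added example, not part of the thread or of pfSense: it flags URLs that LAN clients cannot reach when servers sit behind 1:1 NAT without reflection, either because the hostname has no DNS forwarder override or because a literal external IP is used. All addresses, hostnames and function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# All values below are constructed for illustration (documentation ranges).
EXTERNAL_NET = ipaddress.ip_network("203.0.113.0/26")
ONE_TO_ONE_NAT = {"203.0.113.10": "192.168.1.10",   # public -> LAN
                  "203.0.113.11": "192.168.1.11"}
PUBLIC_DNS = {"www.example.com": "203.0.113.10",
              "mail.example.com": "203.0.113.11"}
# Host overrides as entered under Services: DNS forwarder.
OVERRIDES = {"www.example.com": "192.168.1.10"}


def lan_reachability(url):
    """Return None if a LAN client can reach url, else the reason it cannot."""
    host = urlsplit(url).hostname
    if host is None:
        return "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not a literal address
    if ip is not None:
        # A literal external address bypasses DNS, so no override can help.
        if ip in EXTERNAL_NET:
            lan = ONE_TO_ONE_NAT.get(str(ip), "the server's LAN IP")
            return f"literal external IP {ip}; use a hostname or {lan}"
        return None
    public_ip = PUBLIC_DNS.get(host)
    if public_ip not in ONE_TO_ONE_NAT:
        return None  # name is not one of the 1:1 mapped servers
    expected = ONE_TO_ONE_NAT[public_ip]
    answer = OVERRIDES.get(host)
    if answer is None:
        return f"{host} has no override; resolves to {public_ip}"
    if answer != expected:
        return f"{host} override {answer} should be {expected}"
    return None


def audit(urls):
    """Map each failing URL to its reason; URLs that work are omitted."""
    return {u: r for u in urls if (r := lan_reachability(u)) is not None}
```
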
jhavers
« Reply #5 on: February 11, 2008, 06:29:30 pm »

Solution for NAT via Port Forwarding:

System : Advanced : Network Address Translation
=> Uncheck the box in front of "Disables the automatic creation of NAT redirect rules for
   access to your public IP addresses from within your internal networks. Note: Reflection
   only works on port forward type items and does not work for large ranges > 500 ports."

Regards,
Joost.
garg_art2002
« Reply #6 on: April 01, 2008, 09:52:42 pm »

> Search for reflection.


Is NAT reflection check box an old feature?
hoba
« Reply #7 on: April 01, 2008, 11:28:42 pm »

It has been around quite some time already and if you search the forum you'll find quite old threads about it too.
garg_art2002
« Reply #8 on: April 02, 2008, 02:38:36 am »

> It has been around quite some time already and if you search the forum you'll find quite old threads about it too.

I cannot find the check box named reflection. Maybe I am just getting blind. Please help with the menu name in pfsense 1.2 final release. Thanks.
GruensFroeschli
« Reply #9 on: April 02, 2008, 04:49:15 am »

sticky:
System:
Advanced:
If you want to be able to use NAT-mappings from within your own LAN disable the checkbox "Disable NAT Reflection"
garg_art2002
« Reply #10 on: April 02, 2008, 06:27:43 am »

> sticky:
> System:
> Advanced:
> If you want to be able to use NAT-mappings from within your own LAN disable the checkbox "Disable NAT Reflection"

Thanks a ton. I have a public IP mapped to an internal LAN IP host/server on port 80. When my LAN machine tries to reach this server through the public IP it does not work. It works if I use the private IP or when I am trying to reach the server from outside the firewall.

If I disable the automatic creation of NAT redirect rules for access to your public IP addresses from within my internal networks, this behavior would disappear?

Am I on the right track here?
« Last Edit: April 02, 2008, 06:29:15 am by garg_art2002 »
GruensFroeschli
« Reply #11 on: April 02, 2008, 06:44:47 am »

I'm not really sure what you mean.
To access your server via the public IP just uncheck, as several users already suggested, the "Disable NAT Reflection" checkbox.

Why would you want to disable the autocreation of NAT rules?
garg_art2002
« Reply #12 on: April 02, 2008, 12:04:48 pm »

> I'm not really sure what you mean.
> To access your server via the public IP just uncheck, as several users already suggested, the "Disable NAT Reflection" checkbox.
>
> Why would you want to disable the autocreation of NAT rules?

I am not sure I did... I think disable checkbox "on" is the default pfsense from installation..
GruensFroeschli
« Reply #13 on: April 02, 2008, 12:06:47 pm »

yes.
Per default the checkbox is "on". (meaning no reflection rules will be installed)
But you have to turn the box "off". (meaning the reflections will be installed)
« Last Edit: April 02, 2008, 12:08:37 pm by GruensFroeschli »
garg_art2002
« Reply #14 on: April 02, 2008, 12:40:57 pm »

> yes.
> Per default the checkbox is "on". (meaning no reflection rules will be installed)
> But you have to turn the box "off". (meaning the reflections will be installed)

Thanks - you are a hero!