pfSense English Support > NAT

3 Problems for a newbie using pfSense: NAT, Internal Access, and Internet Access


Afternoon everyone, I'll start with an apology for the length of the post!
I've just migrated from raqcop to pfSense, and I currently have three problems:

LAN is
OPT1 is (known as Orange)

1) NAT from OPT1 to two LAN addresses
I've got an incoming rule that directs web traffic to the web server on OPT1, and that is forwarding and working.
My web server is running a reverse proxy that forwards traffic to two separate machines on my LAN depending on the address, e.g. (URL rewrite to (URL rewrite to
Both machines are running on the same port and ideally I'd like to keep it that way. Can I create a NAT rule that allows traffic from OPT1 to two separate addresses on the LAN?

2) I've got no internet access from OPT1. I've created a rule for OPT1; I don't want to allow OPT1 to any if I can help it.

3) Unable to access my network internally via its full URL: e.g. or

When putting the web address in, I was being redirected to the pfSense menu, so I enabled the option:
"Disable webConfigurator redirect rule"

Now I get nothing; this is causing me problems with some of my media systems that use the global URL (like laptops and mobiles).

I would appreciate any help that anyone would be happy to give me.

I've attached a copy of my OrangeLan Rules, and my NAT rules.

Can anyone help at all please?

Setting Pure NAT for NAT reflection mode sorted out the issue of not being able to access the external address internally. That is one problem (3) sorted.

It really feels like I'm talking to myself here. lol

Using this post below, I managed to get the DMZ talking to the outside world, but blocked from the LAN or firewall.

1) NAT from OPT1 to two LAN addresses
there is no local NAT between interfaces. Just rules.

2) I've got no internet access from OPT1: I've created a rule for OPT1
Surely with that ruleset ;-)
Destination WAN address is exactly that: the WAN address of your pfSense. I doubt you want to send traffic there. Same with WAN net, which defines the transit network between your WAN IF and your ISP.

Here's how lots of us do it:
Since rules are processed top to bottom with "first match wins" you have to take care of the rules order.
You may want to create an alias for RFC1918 networks first.
Add a block rule to this alias preventing OPT1 to anything local (RFC1918). In your case you might want to create an allow rule to your LAN hosts on top of this block rule as well.
Then create an allow * rule for everything not local (aka internet).
You might need rules for DNS, SNTP, what-have-you as well.

3) Unable to access my network internally via its full URL: e.g. or
You can do that with NAT reflection, or you set up split DNS where your local DNS server points the URLs in question to the local IPs. Split DNS is the more mature way of doing it, while reflection is considered a hack by some. At the least, the traffic has to traverse your router in and out to reach its destination, which is avoided with split DNS.
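The rule ordering the reply recommends for OPT1, as an added illustration that is not pfSense or pf code and was not posted by anyone in this thread: a small first-match-wins evaluator that runs a few constructed flows through the ruleset, then through the same rules with the allow-any rule placed first. The subnets, the two LAN host addresses and port 443 are assumptions, since the thread's own addresses were stripped.

```python
import ipaddress

# Constructed addresses (assumptions; the thread does not give the real subnets).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_HOSTS = [ipaddress.ip_network(h) for h in ("192.168.1.10/32", "192.168.1.11/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Each rule: (action, destination networks, destination port or None for any port).
# Order mirrors the reply: allow the LAN hosts, block the rest of RFC1918, allow the internet.
RECOMMENDED = [
    ("pass", LAN_HOSTS, 443),   # OPT1 -> the two LAN web backends only
    ("block", RFC1918, None),   # everything else that is local
    ("pass", ANY, None),        # whatever is left, i.e. the internet
]

# Same rules with allow-any on top: the RFC1918 block can never match.
WRONG_ORDER = [RECOMMENDED[2], RECOMMENDED[0], RECOMMENDED[1]]


def evaluate(rules, dst, port):
    """Return the action of the first matching rule; pfSense's implicit default is block."""
    d = ipaddress.ip_address(dst)
    for action, nets, rule_port in rules:
        if any(d in n for n in nets) and (rule_port is None or rule_port == port):
            return action
    return "block"


def check_ruleset(rules):
    """Evaluate constructed flows leaving OPT1 and return {flow name: action}."""
    flows = {
        "lan-web-backend": ("192.168.1.10", 443),  # one of the reverse-proxy targets
        "lan-other-host": ("192.168.1.50", 22),    # some other LAN machine
        "other-rfc1918": ("10.0.0.5", 80),         # another private network
        "internet": ("203.0.113.10", 443),         # TEST-NET-3, stands in for the internet
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    print("recommended order:", check_ruleset(RECOMMENDED))
    print("allow-any first:  ", check_ruleset(WRONG_ORDER))
```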

