Author Topic: Web site on DMZ can't connect from LAN

SFM
Web site on DMZ can't connect from LAN
« on: September 20, 2006, 08:18:41 am »
I have just set up a pfSense firewall and have almost everything working.

I have my web site and mail server set up on the DMZ using 1:1 NAT.
I have the rest of my network on the LAN.

Everything works from outside when I connect to the DMZ, but when connecting from the LAN I cannot use the real IP address or domain name (times out).

I have read a little about NAT reflection, I think it's called. Is this what I need to enable? (It didn't seem to help when I enabled it, if this is the answer.)
OR
Do I need to put my DMZ connections in my DNS server on the LAN?
OR
Is there something else I need to do?

Thanks for any help
SFM

hoba
Re: Web site on DMZ can't connect from LAN
« Reply #1 on: September 20, 2006, 08:23:09 am »
NAT reflection only works for single port forwards and only for port ranges of fewer than 500 ports. It doesn't work for 1:1 NAT. Either use a port forward for your DMZ server instead of a 1:1 NAT, or use a split DNS setup like you already mentioned (make the LAN DNS resolve the domain name to the internal DMZ IP of the server).

SFM
Re: Web site on DMZ can't connect from LAN
« Reply #2 on: September 20, 2006, 08:26:56 am »
Thanks for your quick reply.

I will give the split DNS setup a try.

sullrich
Re: Web site on DMZ can't connect from LAN
« Reply #3 on: September 20, 2006, 12:25:14 pm »
You may be able to install port forwards on top of the 1:1 for the services you wish to reach from the DMZ. Give it a try.

SFM
Re: Web site on DMZ can't connect from LAN
« Reply #4 on: September 20, 2006, 01:58:30 pm »
If I am sitting on the LAN and want to go to a server on the DMZ using the real outside IP address.

Is this possible?

I know I can use the fake address and get there, but is there a setting or something to use real IPs on the LAN?

The reason I ask is because I have a server that is accessed by using the real IP address from outside.
Users on the LAN are used to using this IP and I would like them to continue using it from the LAN.

Is this possible?


Thanks,
SFM

hoba
Re: Web site on DMZ can't connect from LAN
« Reply #5 on: September 20, 2006, 02:18:46 pm »
Yes, if you use port forwards and turn on NAT reflection at System > Advanced. It won't work for 1:1 NATs. Maybe my answer above was not clear enough.

SFM
Re: Web site on DMZ can't connect from LAN
« Reply #6 on: September 20, 2006, 02:22:47 pm »
Can you use an email server behind port forwarding?

I have heard there are issues with sending out email using port forwarding, because the email message leaves the network under the IP of the firewall and not the IP of the mail server.

Is this a true statement?

What reason is there for using 1:1 over Port Forwarding?
« Last Edit: September 20, 2006, 02:24:21 pm by SFM »

hoba
Re: Web site on DMZ can't connect from LAN
« Reply #7 on: September 20, 2006, 02:29:39 pm »
You can use advanced outbound NAT for this, if you need the email server to use a VIP. Basically 1:1 NAT is a combination of port forwarding all ports and advanced outbound NAT for this host. As your mail server only needs a few ports (maybe even only port 25 to receive and send mail), a port forward with an appropriate advanced outbound rule gives you NAT reflection to be used at the LAN.
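As an added illustration (not from the thread and not pfSense's own generated ruleset), here is the decomposition hoba describes written as raw pf rules: a 1:1 NAT (binat) beside its equivalent port forward plus outbound NAT, with the LAN-side redirect that makes the forwarded port reachable via the public address from inside. Interface names, subnets and addresses are assumed placeholders.

```pf
# Assumed placeholders, not values from the thread
ext_if  = "em0"            # WAN
lan_if  = "em1"            # LAN
dmz_if  = "em2"            # DMZ
lan_net = "192.168.1.0/24" # LAN subnet
vip     = "203.0.113.10"   # public address used for the mail server
mail    = "10.0.0.25"      # mail server's real DMZ address

# Option A: 1:1 NAT. binat maps every port in both directions:
# inbound to $vip lands on $mail, and traffic from $mail leaves the WAN as $vip.
# Nothing here covers LAN clients dialling $vip, so from the LAN it times out.
binat on $ext_if from $mail to any -> $vip

# Option B (use instead of A, not together): the same thing decomposed into
# an outbound NAT rule plus a port forward that exposes only SMTP.
# Outbound: mail sent by $mail leaves with source $vip rather than the
# firewall's own WAN address, which is the concern raised about port forwarding.
nat on $ext_if from $mail to any -> $vip
# Inbound: only port 25 is forwarded, not the whole address.
rdr on $ext_if proto tcp from any to $vip port 25 -> $mail port 25

# NAT reflection: redirect LAN clients that connect to the public address,
# so the same forwarded port works from inside. Because $mail lives in a
# different subnet from the LAN, its replies come back through the firewall
# and are untranslated there, so no extra nat rule is required.
rdr on $lan_if proto tcp from $lan_net to $vip port 25 -> $mail port 25

# Filter rules see the post-rdr destination, so they must pass traffic to $mail.
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $mail port 25 flags S/SA keep state
```

Split DNS (the LAN resolver answering the internal DMZ address for the host name) avoids the reflection rule entirely and is the option that also works with the binat setup.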

SFM
Re: Web site on DMZ can't connect from LAN
« Reply #8 on: September 20, 2006, 02:38:03 pm »
Thanks for your help,

I have one last question:

"NAT reflection only works for single port forwards and only for port ranges of fewer than 500 ports. It doesn't work for 1:1 NAT. Either use a port forward for your DMZ server instead of a 1:1 NAT, or use a split DNS setup like you already mentioned (make the LAN DNS resolve the domain name to the internal DMZ IP of the server)."

When you say "NAT reflection only works for single port forwards", does that mean you have to have a separate rule for every port you want to forward?
or
You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ, meaning you have 3 servers with port 80 open on each server)?

Thanks again,
SFM

hoba
Re: Web site on DMZ can't connect from LAN
« Reply #9 on: September 20, 2006, 05:53:36 pm »
"You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ, meaning you have 3 servers with port 80 open on each server)"

I don't get that part of your question, but NAT reflection will work for all port forwards that you add if the range of the port forward is fewer than 500 ports.