[pfSense-discussion] access NATed services by the public IP address from LAN review
Guys, listen to this:

*Problem.* It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind pfSense and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

*Reason.* This is due to a limitation in pf (the firewalling software used in pfSense). pfSense does not include a bounce utility at this time.

Ok, we all know that, but looking here: http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions. The first one is the same that the m0n0 FAQ proposes, forwarding/overriding of DNS. Now, the second one caught my attention; it says this:

Moving the Server Into a Separate Local Network

Adding an additional network interface to the firewall and moving the local server from the client's network into a dedicated network (DMZ) allows redirecting of connections from local clients in the same way as the redirection of external connections. Use of separate networks has several advantages, including improving security by isolating the server from the remaining local hosts. Should the server (which in our case is reachable from the Internet) ever become compromised, it can't access other local hosts directly as all connections have to pass through the firewall.

So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?

Regards,
Claudio C.
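Editor's added illustration of the second OpenBSD FAQ option quoted in the message above (the DMZ approach). This is a hand-written pf.conf fragment, not part of the thread and not the rules the pfSense GUI generates; the interface names (em0/em1/em2) and all addresses are constructed placeholders.

```pf
# Added example (not from the thread, not pfSense-generated rules): web server on a
# dedicated DMZ interface, reachable by its public address from both WAN and LAN.
# Interface names and addresses are constructed placeholders.
ext_if   = "em0"
lan_if   = "em1"
dmz_if   = "em2"
ext_addr = "203.0.113.10"     # public address on $ext_if
web_srv  = "192.168.2.80"     # server in the DMZ
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"

# Outbound source NAT for both internal networks
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Redirect HTTP arriving on WAN to the DMZ server (the usual port forward)
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# Same redirection for LAN clients that connect to the public address.
# This only works because the server is NOT on the LAN segment: its replies
# to a LAN client must route back through the firewall, where pf reverses
# the translation so the client sees the reply coming from $ext_addr.
rdr on $lan_if proto tcp from $lan_net to $ext_addr port 80 -> $web_srv port 80

# Filtering. pf applies translation before filtering, so filter rules name
# the post-translation (DMZ) address, not $ext_addr.
block all
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $web_srv port 80 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $web_srv port 80 keep state

# LAN may originate anything; the DMZ may reach the Internet but never
# initiate into the LAN (the isolation benefit the FAQ text describes).
pass in on $lan_if from $lan_net to any keep state
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state
pass out on $ext_if keep state
```

The same `rdr on $lan_if` line does not help when the server sits on the LAN itself: the server answers the LAN client directly on the shared segment, the firewall never sees the reply, and the client drops a response whose source address does not match the public address it connected to. Keeping the DMZ-to-LAN block rule with `quick` and ahead of the DMZ pass rule is what preserves the isolation benefit if the exposed server is ever compromised.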
Re: [pfSense-discussion] access NATed services by the public IP address from LAN review
Do you have a question?

On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
> Guys, listen to this:
>
> *Problem.* It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind pfSense and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.
>
> *Reason.* This is due to a limitation in pf (the firewalling software used in pfSense). pfSense does not include a bounce utility at this time.
>
> Ok, we all know that, but looking here: http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions. The first one is the same that the m0n0 FAQ proposes, forwarding/overriding of DNS. Now, the second one caught my attention; it says this:
>
> Moving the Server Into a Separate Local Network
>
> Adding an additional network interface to the firewall and moving the local server from the client's network into a dedicated network (DMZ) allows redirecting of connections from local clients in the same way as the redirection of external connections. Use of separate networks has several advantages, including improving security by isolating the server from the remaining local hosts. Should the server (which in our case is reachable from the Internet) ever become compromised, it can't access other local hosts directly as all connections have to pass through the firewall.
>
> So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?
>
> Regards,
> Claudio C.
Re: [pfSense-discussion] access NATed services by the public IP address from LAN review
Scott Ullrich wrote:
> Do you have a question?

Of course, can't you read?

So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?

And let me add another question: does pfSense include a bounce utility at this time?

> On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
> > Guys, listen to this:
> >
> > *Problem.* It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind pfSense and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.
> >
> > *Reason.* This is due to a limitation in pf (the firewalling software used in pfSense). pfSense does not include a bounce utility at this time.
> >
> > Ok, we all know that, but looking here: http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions. The first one is the same that the m0n0 FAQ proposes, forwarding/overriding of DNS. Now, the second one caught my attention; it says this:
> >
> > Moving the Server Into a Separate Local Network
> >
> > Adding an additional network interface to the firewall and moving the local server from the client's network into a dedicated network (DMZ) allows redirecting of connections from local clients in the same way as the redirection of external connections. Use of separate networks has several advantages, including improving security by isolating the server from the remaining local hosts. Should the server (which in our case is reachable from the Internet) ever become compromised, it can't access other local hosts directly as all connections have to pass through the firewall.
> >
> > So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?
> >
> > Regards,
> > Claudio C.
Re: [pfSense-discussion] access NATed services by the public IP address from LAN review
Someone hasn't done their research. This has been answered in the ML, the forum, the FAQ, AND the blog.

--Bill

On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
> Scott Ullrich wrote:
> > Do you have a question?
>
> Of course, can't you read?
>
> So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?
>
> And let me add another question: does pfSense include a bounce utility at this time?
>
> > On 1/6/06, Claudio Castro [EMAIL PROTECTED] wrote:
> > > Guys, listen to this:
> > >
> > > *Problem.* It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind pfSense and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.
> > >
> > > *Reason.* This is due to a limitation in pf (the firewalling software used in pfSense). pfSense does not include a bounce utility at this time.
> > >
> > > Ok, we all know that, but looking here: http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions. The first one is the same that the m0n0 FAQ proposes, forwarding/overriding of DNS. Now, the second one caught my attention; it says this:
> > >
> > > Moving the Server Into a Separate Local Network
> > >
> > > Adding an additional network interface to the firewall and moving the local server from the client's network into a dedicated network (DMZ) allows redirecting of connections from local clients in the same way as the redirection of external connections. Use of separate networks has several advantages, including improving security by isolating the server from the remaining local hosts. Should the server (which in our case is reachable from the Internet) ever become compromised, it can't access other local hosts directly as all connections have to pass through the firewall.
> > >
> > > So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet?? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?
> > >
> > > Regards,
> > > Claudio C.
Re: [pfSense-discussion] access NATed services by the public IP address from LAN review
Bill Marquette wrote:
> Someone hasn't done their research. This has been answered in the ML, the forum, the FAQ, AND the blog.

*AND* today on the m0n0wall list, where he originally sent this message, and got my answer 8 minutes before sending the message again to this list.
Re: [pfSense-discussion] Allowing pings on a virtual interface
Thanks Scott,

That was exactly what I was missing! A quick 1:1 and everything was good to go!

K.

On Fri, Jan 06, 2006 at 03:34:19PM -0500, Scott Ullrich wrote:
> The only way to do this is to 1:1 the mail server then allow ping to the external ip.
>
> On 1/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > I am able to allow pings on my WAN interface, but there is a second address that forwards over to my mailserver that I would like to be able to ping. How do I go about doing that? I added rules to the host that is on the LAN, as well as creating a rule for the external address and still no response.
> >
> > K.
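Editor's added illustration of the 1:1 approach Scott describes in this thread, written as a raw pf.conf fragment rather than the poster's own configuration or the rules the pfSense GUI produces. Interface name and all addresses are constructed placeholders; the second public address is assumed to be a virtual IP on WAN so the firewall answers ARP for it.

```pf
# Added example (not the poster's configuration): 1:1 mapping of a second
# public address to the mail server, with ping allowed only as echo requests.
# Interface name and addresses are constructed placeholders.
ext_if   = "em0"
mail_ext = "203.0.113.25"    # second public address, a virtual IP on $ext_if
mail_int = "192.168.1.25"    # mail server on the LAN

# 1:1 (bidirectional) translation between the public address and the server
binat on $ext_if from $mail_int to any -> $mail_ext

block all
# binat has already rewritten the destination when filtering runs, so the
# rule names the internal address even though clients ping $mail_ext.
pass in on $ext_if inet proto icmp from any to $mail_int icmp-type echoreq keep state
# The 1:1 mapping itself opens nothing; only the services listed here are exposed.
pass in on $ext_if proto tcp from any to $mail_int port 25 flags S/SA keep state
pass out on $ext_if keep state
```

The rule on the LAN host that the original poster mentions cannot help here: the decision is made on the WAN interface, and because pf translates before it filters, the WAN rule has to name the mapped internal address. Restricting ICMP to `echoreq` and listing TCP ports explicitly keeps the 1:1 mapping from turning into a blanket exposure of the server.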