Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks
From PFSense Docs
By default, pfSense does not redirect internally connected devices to reach forwarded ports and 1:1 NAT on WAN interfaces. If an internal client tries to reach the WAN IP on port 80 or 443 (or whichever port the web interface is using, if it has been changed), the connection will hit the pfSense web interface instead of the forwarded service. The client will be presented with a certificate error if the GUI is running HTTPS, and with a DNS rebinding error, since the hostname used is not one pfSense recognizes.
NAT Reflection employs techniques to redirect these connections if required. Split DNS is usually the better way if it is possible on a network, because it allows the original source IP to be retained and avoids unnecessarily looping internal traffic through the firewall. Both are explained here.
Method 1: NAT Reflection
In order to access ports forwarded on the WAN interface from internal networks, NAT Reflection must be enabled.
To do this, navigate to System > Advanced, Firewall/NAT tab. On that page, select Pure NAT for NAT Reflection mode for port forwards, check Enable NAT Reflection for 1:1 NAT, and check Enable automatic outbound NAT for Reflection. Click Save.
Pure NAT mode for port forward reflection uses only pf NAT rules to accomplish reflection, without any external daemons. It will work with TCP, UDP, and other protocols.
NAT + Proxy mode for port forward reflection sets up a proxy daemon and rules to receive and reflect only TCP connections. This method was the only available means of reflection in earlier versions of pfSense. It can work in certain rare circumstances where Pure NAT mode does not. It will only work with single port forwards or ranges of fewer than 500 ports. It does not work with UDP or other protocols.
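As an added illustration (this is not pfSense's own generated ruleset, which is more elaborate), the pf.conf fragment below approximates what Pure NAT reflection with automatic outbound NAT does for a port 80 forward, using the WAN IP 1.2.3.4, the internal server 192.168.1.5 and an internal interface named lan as assumed values:

```pf
# Illustrative pf.conf fragment (not pfSense's generated rules).
# Assumed values: WAN IP 1.2.3.4, server 192.168.1.5, internal interface "lan".

# Ordinary port forward on WAN: Internet clients connecting to 1.2.3.4:80 are
# redirected to the internal server.
rdr on wan proto tcp from any to 1.2.3.4 port 80 -> 192.168.1.5 port 80

# Reflection: the same redirect applied on the internal interface, so a LAN client
# that connects to the WAN IP (because public DNS handed it 1.2.3.4) is also sent
# to the server instead of landing on the firewall's own web GUI.
rdr on lan proto tcp from lan:network to 1.2.3.4 port 80 -> 192.168.1.5 port 80

# "Automatic outbound NAT for Reflection": rewrite the client's source address to
# the firewall's LAN address. Without this, the server (on the same subnet) would
# answer the client directly, the client would see a reply from 192.168.1.5 rather
# than 1.2.3.4, and the TCP session would not match. The cost is that the server
# only ever sees the firewall's LAN IP; that is the loss of the original source IP
# which the page gives as a reason to prefer Split DNS.
nat on lan proto tcp from lan:network to 192.168.1.5 port 80 -> (lan)

# Filter rule permitting the redirected traffic (filtering sees the translated
# destination, so the rule matches the server, not the WAN IP).
pass in quick on lan proto tcp from lan:network to 192.168.1.5 port 80 keep state
```

With Split DNS the rdr-on-lan and outbound nat rules are unnecessary, because the client resolves the hostname straight to 192.168.1.5 and never sends the connection to the firewall at all.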
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
4/10/2016 Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks - PFSense Docs
Example of a system with NAT Reflection enabled.
Method 2: Split DNS
The more elegant solution to this problem involves using Split DNS. Basically, this means that internal and external clients resolve hostnames differently.
Internal clients would access resources by hostname, not IP, and clients on the local network would resolve that hostname to the LAN IP address of the actual server, and not the WAN IP that others outside the network would see.
In order for this to work using the DNS Forwarder or Resolver in pfSense, clients will need to have the IP address of the pfSense router as their primary DNS server.
Example:
www.example.com resolves to public IP 1.2.3.4, which is the WAN IP
Forward port 80 on 1.2.3.4 to port 80 on 192.168.1.5
Override www.example.com using System > DNS Resolver (or DNS Forwarder, if using it instead) and point www.example.com to 192.168.1.5
Another internal DNS mechanism could also be used to enact the override.
Screenshots that show the above in practice:
Split DNS Example, adding DNS Override
Split DNS Example, www.example.com overridden as 192.168.1.5
Retrieved from "https://doc.pfsense.org/index.php?title=Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks&oldid=7418"
This page was last modified on 7 January 2016, at 01:24.