 From:  Claudio Castro <ccastro at unr dot edu dot ar>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  access NATed services by the public IP address from LAN review
 Date:  Fri, 06 Jan 2006 10:17:13 -0300
Guys..listen to this:

*Problem.* It is not possible to access NATed services using the public 
(WAN) IP address from within LAN (or an optional network). Example: 
you've got a server in your LAN behind pfSense and added a NAT/filter 
rule to allow external access to its HTTP port. While you can access it 
just fine from the Internet, you cannot access http://your-external-ip/ 
from within your LAN.

*Reason.* This is due to a limitation in pf (the firewalling software 
used in pfSense). pfSense does not include a "bounce" utility at this time.

Ok, we all know that, but, looking here: 
http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions; 
the first one is the same one that the m0n0 FAQ proposes, 
forwarding/overriding of DNS. Now, the second one caught my attention; it 
says this:

      Moving the Server Into a Separate Local Network

Adding an additional network interface to the firewall and moving the 
local server from the client's network into a dedicated network (DMZ) 
allows redirecting of connections from local clients in the same way as 
the redirection of external connections. Use of separate networks has 
several advantages, including improving security by isolating the server 
from the remaining local hosts. Should the server (which in our case is 
reachable from the Internet) ever become compromised, it can't access 
other local hosts directly as all connections have to pass through the 

So, that means that if I have my NATed services on a different interface 
(other than the LAN), e.g. a DMZ, is it possible to access these NATed 
services from the LAN subnet?
And if that is correct, HOW do I redirect connections from local clients 
in order to access the NATed services on the DMZ?


Claudio C.
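A pf.conf sketch of the DMZ approach the quoted FAQ describes, written as an added example that is not from the list post, the OpenBSD FAQ or the m0n0wall/pfSense projects. Interface names and addresses are assumed placeholders, and the rules use the pre-4.7 pf syntax (separate nat/rdr section) that m0n0wall and pfSense used at the time.

```pf
# Added example; names and addresses are assumptions (RFC 5737 / RFC 1918 ranges)
ext_if   = "fxp0"            # WAN
lan_if   = "fxp1"            # LAN, where the clients are
dmz_if   = "fxp2"            # DMZ, where the published server lives
ext_addr = "203.0.113.10"    # public address clients will type in
lan_net  = "192.168.1.0/24"
dmz_net  = "10.0.2.0/24"
web_srv  = "10.0.2.10"

# Outbound NAT for both internal segments
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# External clients: redirect port 80 on the public address to the DMZ server
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# Local clients: the same redirection, applied on the LAN interface.
# Because the server sits on a separate segment, its reply has to come
# back through the firewall, where the state entry reverses the rewrite.
# That is why no extra source NAT ("bounce") is needed in the DMZ layout;
# with the server on the LAN segment the reply would bypass the firewall.
rdr on $lan_if proto tcp from $lan_net to $ext_addr port 80 -> $web_srv port 80

# Filtering. rdr runs before the filter, so rules match the translated
# destination. pf uses last-matching-rule semantics (no "quick" here),
# so the DMZ->LAN block placed after the DMZ pass rule wins for that case,
# keeping a compromised DMZ host from reaching LAN clients directly.
block all
pass out keep state
pass in on $lan_if from $lan_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state
block in on $dmz_if from $dmz_net to $lan_net

# The published service, from the Internet and from the LAN
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $web_srv port 80 flags S/SA keep state
```

Check the redirection with `pfctl -s nat` and watch the state table with `pfctl -s state` while a LAN client connects to http://203.0.113.10/ (the placeholder public address); the state should show the LAN client, the public address and the translated DMZ address.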