Guys, listen to this:

*Problem.* It is not possible to access NATed services using the public (WAN) IP address from within the LAN (or an optional network). Example: you've got a server in your LAN behind pfSense and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

*Reason.* This is due to a limitation in pf (the firewalling software used in pfSense). pfSense does not include a "bounce" utility at this time.

OK, we all know that, but looking here: http://www.openbsd.org/faq/pf/rdr.html#reflect it proposes 3 solutions. The first one is the same as the m0n0 FAQ proposes: forwarding/overriding of DNS. Now, the second one caught my attention; it says this:

"Moving the Server Into a Separate Local Network. Adding an additional network interface to the firewall and moving the local server from the client's network into a dedicated network (DMZ) allows redirecting of connections from local clients in the same way as the redirection of external connections. Use of separate networks has several advantages, including improving security by isolating the server from the remaining local hosts. Should the server (which in our case is reachable from the Internet) ever become compromised, it can't access other local hosts directly as all connections have to pass through the firewall."

So, that means that if I have my NATed services on a different interface (other than the LAN), e.g. a DMZ, is it possible to access these NATed services from the LAN subnet? And if that is correct, HOW do I redirect connections from local clients in order to access the NATed services on the DMZ?

Regards,
Claudio C.
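The DMZ approach quoted from the OpenBSD FAQ, shown as an added pf.conf example (not from the original post or from pfSense itself); it uses the pre-OpenBSD 4.7 "rdr" syntax of that era, and all interface names, networks and addresses are assumed.

```pf
# Added example, not from the original post. Interfaces and addresses are
# assumed; 203.0.113.0/24 is a documentation range, the rest is RFC 1918.
ext_if  = "fxp0"            # WAN
lan_if  = "fxp1"            # LAN (client network)
dmz_if  = "fxp2"            # dedicated network for the server
ext_ip  = "203.0.113.10"    # public WAN address
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.80"    # HTTP server, now living in the DMZ

# Redirect external clients to the server: the rule that already worked.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv

# Redirect LAN clients that connect to the public address. Because the
# server sits behind $dmz_if and not on $lan_if, both directions of the
# connection pass through the firewall, so no "bounce" utility is needed.
rdr on $lan_if proto tcp from $lan_net to $ext_ip port 80 -> $web_srv

# Filter rules see the translated destination, so allow it on both sides.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $web_srv port 80 \
    flags S/SA keep state

# Keep the DMZ isolated, as the FAQ describes: a compromised server must
# not reach LAN hosts directly. Reply packets of the states above still
# pass because they are matched by state, not by this rule.
block in on $dmz_if from $dmz_net to $lan_net
```

In pfSense the same effect is configured through the GUI (a port forward on LAN with the WAN address as destination, plus DMZ-to-LAN block rules) rather than by editing pf.conf by hand.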