pfSense Firewall and Manual DNS Entry Question


chilipepperz

I know when you have something hosted behind pfSense NAT, if you try accessing it from behind the firewall you're hosed because it's trying to prevent an attack.

Example. I have 1.1.1.1 public IP and NAT to 10.10.10.10, as yxz.zxy. If I try to get to yxz.zxy from a server at 10.10.10.11 it won't work.

What if I put a DNS entry in pfSense though that is a local entry mapping yxz.zxy to 10.10.10.10 to override external 8.8.8.8 DNS?

Will that work? I've never tried.
 

Rahvin9999

On your pfSense box you can make host and domain overrides for both the DNS Forwarder and the DNS Resolver (depending on which one you use).
If the host you are running the DNS query from has your pfSense box set as its DNS server, it would work.

And if, as vinceflynow points out, you mean NAT reflection, which means you want to reach the internal service on its external IP, that too is possible.
System > Advanced settings > Firewall and NAT settings, then under the heading Network Address Translation, is where you can set up the mode for this.
 
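The two options above differ in what a LAN client actually does: with a host override, the client resolves yxz.zxy to 10.10.10.10 and never touches the WAN address, so no reflection rule is needed; without it, the client gets the public 1.1.1.1 from 8.8.8.8 and the connection only works if NAT reflection is enabled. The script below is an added example, not code from the thread, that checks which case a LAN host is in. It reuses the thread's names and addresses (yxz.zxy, 1.1.1.1, 10.10.10.10, 8.8.8.8) and assumes 10.10.10.1 as the pfSense LAN address running the Resolver; the live queries need `dig` and network access and only run when the script is started with `run`.

```sh
#!/bin/sh
# Added example (not from the forum thread): check whether a LAN client gets
# the internal address for a service hosted behind pfSense NAT.
HOST=yxz.zxy
PFSENSE_DNS=10.10.10.1      # assumption: pfSense LAN address / DNS Resolver
PUBLIC_DNS=8.8.8.8
INTERNAL_IP=10.10.10.10     # target of the pfSense host override
PUBLIC_IP=1.1.1.1           # WAN address the public DNS hands out

# Classify a resolved address: "internal" if it is the host override target,
# "public" if it is the WAN address, "other" for anything else.
classify_answer() {
    case "$1" in
        "$INTERNAL_IP") echo internal ;;
        "$PUBLIC_IP")   echo public ;;
        *)              echo other ;;
    esac
}

# A LAN client is fine only if the resolver it really uses returns the
# internal address; otherwise its traffic goes to the WAN IP and depends on
# NAT reflection being enabled.
lan_client_ok() {
    [ "$(classify_answer "$1")" = internal ]
}

# First A record for $HOST from a given resolver (needs dig and network).
resolve_via() {
    dig +short "$HOST" "@$1" A | head -n 1
}

main() {
    inside=$(resolve_via "$PFSENSE_DNS")
    outside=$(resolve_via "$PUBLIC_DNS")
    printf 'via pfSense (%s): %s (%s)\n' "$PFSENSE_DNS" "$inside" "$(classify_answer "$inside")"
    printf 'via public  (%s): %s (%s)\n' "$PUBLIC_DNS" "$outside" "$(classify_answer "$outside")"
    if lan_client_ok "$inside"; then
        echo "host override works: LAN clients using $PFSENSE_DNS reach $INTERNAL_IP directly"
    else
        echo "no override: LAN clients resolve $PUBLIC_IP and need NAT reflection"
    fi
    # The override only matters if this client actually asks pfSense first.
    echo "resolvers configured on this client:"
    grep -E '^nameserver' /etc/resolv.conf
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh check-split-dns.sh run` from a host on the LAN. If the pfSense answer is "internal" but the client's `/etc/resolv.conf` lists 8.8.8.8 first, the override is in place but unused, which is the case Rahvin9999's second sentence warns about.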

chilipepperz

It sounds like what I'm contemplating setting up will work. I will get provisioning later and hope it does indeed work.

Doesn't everyone hosting owncloud at home need this?
 

vl1969

Am I missing something?
I do not understand why you wouldn't be able to access your yxz.zxy machine from inside the LAN properly,
unless you are configuring your clients and network wrong.

Again, I am not a network guru or anything, BUT
do you use the pfSense box only as a firewall, or as both FW and router (looks like the second option from the post)?
Are all your clients static IP or DHCP?

If it is used as both, then how you NAT to the outside is irrelevant internally; if you use manual / static IP,
your DNS should point to your pfSense first and any other DNS second.
That is, as an example:

Your outside IP is 1.1.1.1, going into your pfSense box, which has NIC1 (WAN) = 1.1.1.1
and NIC2 (LAN) = set to 10.10.10.1, for example.
So any and all clients need to use 10.10.10.1 as the gateway AND as the first DNS server.

This way, any time you request DNS translation (any time you try to hit an address or URL) it will request the translation from your pfSense first and, if that does not work (and it should always work unless you have some restriction rules), try the alternative DNS server. This way, when you are inside the FW, any name or address will route properly.
Now from the outside, the routing is based on the pfSense rules you set up.

Am I wrong?
 

JustinH

You're looking for what's called Hairpin NAT. It's doable, just usually requires an extra rule or two.


Sent from my iPhone using Tapatalk
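For anyone wondering what "an extra rule or two" means underneath the pfSense NAT reflection setting, the fragment below is an added example written in plain FreeBSD pf syntax (the packet filter pfSense runs on), not rules copied from the thread or from pfSense's generated ruleset. It uses the thread's addresses and assumes a LAN interface name of `igb1`, a LAN network of 10.10.10.0/24 and an HTTPS service on port 443; pfSense writes equivalent rules for you when the mode is set under System > Advanced > Firewall & NAT, so this is for understanding, not for pasting into pfSense.

```pf
# Added example, not from the thread: hairpin / reflection NAT for a LAN
# client that connects to the WAN address of an internally hosted service.
ext_ip  = "1.1.1.1"          # public IP from the thread
srv_ip  = "10.10.10.10"      # internal server from the thread
lan_if  = "igb1"             # assumption: pfSense LAN interface
lan_net = "10.10.10.0/24"    # assumption: LAN network behind 10.10.10.1

# 1. Redirect LAN clients that target the WAN address to the internal server.
rdr on $lan_if proto tcp from $lan_net to $ext_ip port 443 -> $srv_ip port 443

# 2. Rewrite the source to the firewall's LAN address so the server's reply
#    comes back through pfSense.  Without this, the client would receive a
#    reply straight from 10.10.10.10 for a connection it opened to 1.1.1.1
#    and discard it, which is the "hosed" behaviour described in the first post.
nat on $lan_if proto tcp from $lan_net to $srv_ip port 443 -> ($lan_if)

# 3. The redirected traffic still has to be allowed in on the LAN interface.
pass in on $lan_if proto tcp from $lan_net to $srv_ip port 443
```

The practical cost of rule 2 is that the server only ever sees pfSense's LAN address as the client, so its access logs and any per-client rate limiting or fail2ban-style blocking lose the real source. That is the usual reason to prefer the host override (split DNS) from earlier in the thread where the clients use pfSense as their resolver, and to keep NAT reflection only for clients that cannot.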