3

I'm trying to access a server on my LAN via its public IP address. External clients can connect just fine, but I'm unable to do so from within the LAN. There is a separate rule in the NAT settings of my gateway (which translates subnet addresses to the public interface IP, but is otherwise identical), but it doesn't appear to be working properly.

How would I correctly set things up to access a local resource via a public IP address?

Bigbio2002

3 Answers

6

The most common problem is that your gateway rewrites the destination address of the packet to the internal server, but not the source. So, when the internal server responds it sees that the packet came from something on the local network, sends back the packet directly - and the client can't tell this is from the server, because the packet still has the internal, not the public, address on it.

The standard fix is to force the traffic to come back through your gateway. One way to achieve that is to put the server that the public address redirects to in a "DMZ", so that traffic between the client and the server has to pass through the router.

The other way is to also apply NAT to the source address of internal connections to the external IP, so that they look like they come from the gateway. The internal server will then respond to the gateway, which will undo both NAT changes and send the packet back to the internal client.

Daniel Pittman
  • I think you're right in your last paragraph, as the only thing that differs between the working rule for external access and the non-working rule for internal access is the source mapping. What exactly should I map it to, the gateway's public IP? Also, do you think that I need to enable a firewall rule to allow traffic to return to me? – Bigbio2002 Feb 01 '12 at 22:31
  • You need to change the source address so the packet comes back through the firewall that performed the NAT. Generally, either the public or the private address will work. I typically use the private address, because it is easier if the provider ever changes your IP or whatever. – Daniel Pittman Feb 01 '12 at 22:35
  • ...as to the firewall rule: that totally depends on the device. Some do, some don't. I would try without, check the logs when you try to connect, and see if they are blocking the packets. – Daniel Pittman Feb 01 '12 at 22:36
  • Hmm, it's not working. These rules used to work, but we physically moved to a new site about a month ago, and after that they've inexplicably failed to work. What factors during a move could have affected it? All that was changed were the interface IP settings. – Bigbio2002 Feb 01 '12 at 22:48
  • No idea. I would go hunting in the logs, but my guess is something in that IP change has resulted in a rule that doesn't apply as expected any longer. (Remotely possibly, on the server you redirect to, but most likely on the device.) – Daniel Pittman Feb 01 '12 at 22:49
  • One interesting thing I noticed... the WAN interface IP is the same public IP for the server in question that I'm trying to access. Think that might have something to do with it? – Bigbio2002 Feb 01 '12 at 23:01
  • Yeah, duplicate IP addresses anywhere will cause a problem. That is a very likely candidate. Make sure every IP address is unique. :) – Daniel Pittman Feb 01 '12 at 23:04
  • Are Sonicwalls actually capable of performing Hairpin NAT? – Bigbio2002 Feb 22 '12 at 23:07
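The second fix in this answer (destination NAT plus source NAT on the hairpinned flow), written out as a Linux iptables rule set. This is an added example, not code from the thread or from any of the posters, and the gateway in the question is a SonicWall, so it only illustrates the same logic; the interface names, addresses and port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed interface names and
# addresses (constructed for illustration, replace with your own).
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=203.0.113.10       # address on the gateway's WAN interface
LAN_NET=192.168.1.0/24
SERVER_IP=192.168.1.50       # internal host the port forward points at
PORT=443

# Emit the iptables commands instead of running them, so the rule set can
# be reviewed (or piped into sh on the gateway) before it goes live.
hairpin_rules() {
    # The thread's eventual culprit: the server must not reuse the WAN IP.
    if [ "$PUBLIC_IP" = "$SERVER_IP" ]; then
        echo "refusing: SERVER_IP duplicates the gateway's public IP" >&2
        return 1
    fi
    # 1. Ordinary port forward for external clients (destination NAT only).
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
    # 2. The same destination NAT for LAN clients that dial the public IP.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
    # 3. The part the question's rule lacks: rewrite the SOURCE of that
    #    hairpinned flow to the gateway's own LAN address (MASQUERADE picks
    #    the private address, as the answer suggests), so the server replies
    #    to the gateway, which reverses both translations via conntrack.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
    # 4. Allow the forwarded flow to the server (from either interface) and
    #    let reply packets through; this is the "firewall rule" asked about.
    echo "iptables -A FORWARD -o $LAN_IF -d $SERVER_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rules; once applied, 'iptables -t nat -L POSTROUTING -v -n'
# should show the MASQUERADE counter rising when a LAN client connects.
hairpin_rules
```

If the counter on the MASQUERADE rule stays at zero while LAN clients fail, the DNAT rule in step 2 is not matching and the gateway's logs are the next place to look, as the answer suggests.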
2

I know it isn't what you are asking, but the way I've setup my internal network is via split DNS: machines within the network get internal addresses when looking up home.domain.tld, mail.domain.tld and so forth. No address translation to worry about (well, unless there is something else between the client and server of course), nothing client-side cares that it is not talking to a publicly routeable address, server-side will only care if you have things specifically binding to the external interface and not the other(s), and unlike with NAT all the internal hosts don't look the same in log files (which can be a help if you need to use said logs to diagnose a problem being experienced on the local network).

David Spillett
-1

It sounds like you have tried to use split DNS (DNS forwarder). You probably need to check a few of the checkmarks on the DNS forwarder page. See this example and check according to the example. http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

I had the same problem and it seemed to do the trick.

Tillebeck