7

I have a one to one NAT on pfsense that assigns a public IP to an internal IP (running a web server).

When I open the public IP from an internal machine, it will not resolve to the internal IP, instead it opens the router web page.

When I open the public IP from outside my LAN it will go through to the internal IP that is running the web server.

Why can't I open the public IP internally?

Wesley
  • 32,320
  • 9
  • 80
  • 116
001
  • 491
  • 1
  • 11
  • 21

2 Answers

4

I'm also guessing it will be the hairpin NAT issue as mentioned above. There are lots of different names for the same thing - pfSense calls this NAT Reflection.

At the bottom of the relevant NAT/port forward rule, check the 2nd option from the bottom - NAT reflection should be enabled.

To change the default for new rules, you can go to System, Advanced, Firewall/NAT, then under the Network Address Translation section, uncheck the first box that says Disable NAT Reflection for port forwards.

Also depending on your setup, you may need to disable the HTTP_REFERER and DNS Rebinding checks under System, Advanced, Admin Access. However I would try with the checks enabled first.

Robin Gill
  • 2,503
  • 13
  • 13
  • I have one IP with port forward, other IPs use 1-to-1 NAT; the IP used with port forwarding works :) however NAT 1-to-1 does not work. – 001 Feb 20 '12 at 03:38
  • 1
    I'm guessing it may be easier for you to use split DNS so internal clients get the internal IP of your webserver rather than the actual external router IP. To do so, you will need to create an A record for www.yourwebsite.com to point to the internal/actual IP address of your webserver. To do so, assuming you are using pfSense for DNS, just go to the DNS forwarder section and make an entry at the bottom. If you are using Windows Server DNS, you can make an entry in DNS under Control Panel/Administrative Tools. – Robin Gill Feb 20 '12 at 20:48
0

Your router's web-based administration is on port 80, so when an inside machine accesses the router on port 80, that's what they get. Moving the router's web administration to another port (typically 8000 or 8080) might fix the problem, unless the router doesn't support hairpin NAT (NATing connections from the inside back to the inside) at all.

David Schwartz
  • 31,215
  • 2
  • 53
  • 82
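The two answers describe the same packet path from three angles: NAT reflection (hairpin NAT), split DNS, and moving the webConfigurator off port 80. The model below is an added example, not code from the question or from pfSense; it reproduces the decisions a firewall makes for a connection to the 1:1 NAT public IP so the "inside client lands on the router GUI" symptom can be reasoned about. All addresses (203.0.113.10 as the public IP, 192.168.1.0/24 as the LAN, 192.168.1.50 as the web server) and the hostname www.example.com are constructed placeholders, and the `Firewall` settings are a simplification of the pfSense options the answers name, not pfSense's own data structures.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example addressing (placeholders, not from the original question).
LAN = ip_network("192.168.1.0/24")
WAN_PUBLIC_IP = ip_address("203.0.113.10")      # 1:1 NAT public IP (TEST-NET-3)
WEB_SERVER_LAN_IP = ip_address("192.168.1.50")  # internal web server behind the 1:1 NAT
PUBLIC_DNS = {"www.example.com": str(WAN_PUBLIC_IP)}  # what the public zone hands out


@dataclass
class Firewall:
    """Minimal model of the settings discussed in the answers (hypothetical)."""
    one_to_one_nat: dict                # public IP -> internal IP
    nat_reflection: bool = False        # pfSense "NAT Reflection" enabled for this mapping
    admin_gui_port: int = 80            # port the router's web administration listens on
    split_dns: dict = field(default_factory=dict)  # hostname -> LAN IP served to inside clients


def resolve(fw, hostname, public_dns, from_lan):
    """IP a client gets for hostname: split DNS overrides the public answer for LAN clients."""
    if from_lan and hostname in fw.split_dns:
        return fw.split_dns[hostname]
    return public_dns[hostname]


def deliver(fw, src, dst, dport):
    """Where a TCP connection from src to dst:dport ends up, as (endpoint, address)."""
    src, dst = ip_address(src), ip_address(dst)
    from_lan = src in LAN
    if dst in LAN:
        # LAN-to-LAN traffic never touches NAT; this is the split-DNS path.
        kind = "web-server" if dst == WEB_SERVER_LAN_IP else "lan-host"
        return (kind, str(dst))
    if dst not in fw.one_to_one_nat:
        return ("forwarded-to-internet", str(dst))
    internal = fw.one_to_one_nat[dst]
    if not from_lan or fw.nat_reflection:
        # Outside clients are always translated; inside clients only with reflection on.
        return ("web-server", str(internal))
    # Inside client without reflection: the public IP is an address the firewall itself
    # owns, so the connection terminates on the firewall. Port 80 is the admin GUI;
    # any other port has no listener, which is what "moving the GUI port" exposes.
    if dport == fw.admin_gui_port:
        return ("router-admin-gui", str(dst))
    return ("connection-refused", str(dst))


# The scenarios the thread walks through.
FW_DEFAULT = Firewall({WAN_PUBLIC_IP: WEB_SERVER_LAN_IP})
FW_REFLECTION = Firewall({WAN_PUBLIC_IP: WEB_SERVER_LAN_IP}, nat_reflection=True)
FW_MOVED_GUI = Firewall({WAN_PUBLIC_IP: WEB_SERVER_LAN_IP}, admin_gui_port=8080)
FW_SPLIT_DNS = Firewall({WAN_PUBLIC_IP: WEB_SERVER_LAN_IP},
                        split_dns={"www.example.com": str(WEB_SERVER_LAN_IP)})


def walkthrough():
    """Return each scenario's outcome so they can be compared side by side."""
    outside, inside = "198.51.100.7", "192.168.1.20"
    lan_target = resolve(FW_SPLIT_DNS, "www.example.com", PUBLIC_DNS, from_lan=True)
    return {
        "outside client, default":        deliver(FW_DEFAULT, outside, WAN_PUBLIC_IP, 80),
        "inside client, default":         deliver(FW_DEFAULT, inside, WAN_PUBLIC_IP, 80),
        "inside client, NAT reflection":  deliver(FW_REFLECTION, inside, WAN_PUBLIC_IP, 80),
        "inside client, GUI moved":       deliver(FW_MOVED_GUI, inside, WAN_PUBLIC_IP, 80),
        "inside client, split DNS":       deliver(FW_SPLIT_DNS, inside, lan_target, 80),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:32s} -> {outcome}")
```

The "inside client, default" row is the questioner's symptom: with reflection off, the public IP belongs to the firewall, so port 80 answers with the router's own GUI. Moving the GUI port only turns that into a refused connection unless reflection is also available, which is the caveat in the second answer. Split DNS avoids the hairpin altogether, and keeps inside clients from ever addressing the firewall's management listener, which is why it pairs well with leaving the HTTP_REFERER and DNS rebinding checks on the admin GUI enabled, as the first answer recommends.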