Accessing Port Forwards from Local Networks
By default, pfSense® software does not redirect internally connected devices to
forwarded ports and 1:1 NAT on WAN interfaces. For example, if a client on LAN
attempts to reach a service forwarded from WAN port
connection will hit the firewall web interface and not the service they intended
to access. The client will be presented with a certificate error if the GUI is
running HTTPS, and a DNS rebinding error since the GUI rejects access for
NAT Reflection employs techniques to redirect these connections. Split DNS is an alternate technique that accomplishes the same goal. Split DNS is the best practice because it retains the original source IP address and avoids needlessly looping internal traffic through the firewall. Both techniques are explained in this document.
Method 1: NAT Reflection
To access ports forwarded on the WAN interface from internal networks, NAT reflection must be enabled:
Navigate to System > Advanced, Firewall & NAT tab
Configure the following options in the Network Address Translation section of the page:
- NAT Reflection mode for port forwards
Pure NAT mode is the best choice if NAT reflection must be activated, but it may not work for all scenarios. See NAT Reflection for Port Forwards for details on each of the NAT reflection modes.
- Enable NAT Reflection for 1:1 NAT
- Enable automatic outbound NAT for Reflection
Method 2: Split DNS
Split DNS is the best practice to solve this problem and it is a much more elegant solution than NAT reflection. Split DNS is a configuration where internal and external clients resolve hostnames differently.
In this scenario, internal clients access resources by hostname, not IP address. Clients on the local network resolve that hostname to the actual LAN IP address of the server, and not the WAN IP address as others outside the network would see.
For this to work using the DNS Resolver or Forwarder in pfSense software, clients must use the IP Address of the firewall as their primary DNS server.
If the clients all use some other internal DNS server not on the firewall, such as Active Directory, split DNS can still work. Configure the internal DNS server in a similar manner to what is described in this section.
- www.example.com resolves to public IP address 220.127.116.11, which is the WAN IP address of the firewall
- The firewall is configured to forward port
  192.168.1.5, the internal web server.
- www.example.com using Services > DNS Resolver (or DNS Forwarder, if that is active instead) and point
Screenshots that show the above in practice:
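As an added diagnostic (not part of the pfSense documentation), the POSIX shell script below tells an administrator whether an internal client's resolver is handing back the LAN address of the server (split DNS working) or the WAN address (the client will land on the firewall GUI unless NAT reflection is enabled). It assumes `dig` is installed on the client and, as a constructed value, that the firewall's LAN IP is 192.168.1.1; the other addresses are taken from the scenario above.

```shell
#!/bin/sh
# Added example, not from the pfSense docs. Values from the page's scenario:
# WAN IP 220.127.116.11, internal web server 192.168.1.5. The firewall LAN
# IP 192.168.1.1 used as the DNS server below is an assumed value.

WAN_IP="220.127.116.11"
SERVER_LAN_IP="192.168.1.5"
FIREWALL_DNS="192.168.1.1"
HOST_NAME="www.example.com"

# classify_answer RESOLVED_IP
# Prints one of:
#   split-dns         host override is in place; client reaches the server directly
#   reflection-needed client got the WAN address; without NAT reflection the
#                     connection ends up on the firewall web interface
#   unexpected        neither address; the client is using some other resolver
classify_answer() {
    case "$1" in
        "$SERVER_LAN_IP") echo "split-dns" ;;
        "$WAN_IP")        echo "reflection-needed" ;;
        *)                echo "unexpected" ;;
    esac
}

# resolve_first HOSTNAME DNS_SERVER
# First A record returned by the given DNS server (empty if none / dig missing).
resolve_first() {
    dig +short A "$1" @"$2" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# check_hostname HOSTNAME DNS_SERVER
# Resolves via that server and prints the classification; "no-answer" on failure.
check_hostname() {
    answer=$(resolve_first "$1" "$2")
    if [ -z "$answer" ]; then
        echo "no-answer"
        return 1
    fi
    classify_answer "$answer"
}

# Run from an internal client against the firewall's DNS Resolver/Forwarder:
# check_hostname "$HOST_NAME" "$FIREWALL_DNS"
```

Run the same check against a public resolver as a control; it should report reflection-needed there, since external clients are supposed to get the WAN address.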