OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: DenverTech on January 16, 2024, 08:36:17 PM

Title: LAN2LAN port forwarding question
Post by: DenverTech on January 16, 2024, 08:36:17 PM
I'll admit I'm baffled by this one and it seems like it should be really easy...I'm clearly missing something.

I can port-forward all I want from WAN > LAN without issue. Example, WAN port 9999 forwards into a specific LAN device port 99. Easy. Works great.

Where I run into problems is LAN > LAN forwarding for ports that do hit the firewall (so this isn't a layer-2 issue, as it's not going from client -> server, but rather client -> fw -> forward to server). I know, I know...this is because someone keeps changing the IP of the LAN server and I want to update it on one spot, rather than inform a dozen users that the IP changed again. My goal is that they just go to a port on the firewall and it redirects them to wherever the LAN server is this week.

What am I missing here to redirect LAN to LAN?
Title: Re: LAN2LAN port forwarding question
Post by: Monviech (Cedrik) on January 16, 2024, 09:23:34 PM
For your issue DNS would be the better choice.

Just give the server an FQDN and give it to all users. When the IP changes just change the DNS A-Record. Or automate it with Dynamic DNS.
Title: Re: LAN2LAN port forwarding question
Post by: DenverTech on January 16, 2024, 10:05:33 PM
I agree, but would still like to figure out why I can't port redirect lan to lan.
Title: Re: LAN2LAN port forwarding question
Post by: Monviech (Cedrik) on January 17, 2024, 06:45:30 AM
Actually this is indeed a layer 2 problem.
When you port forward, the traffic hits the firewall and gets redirected to the server, but because they're in the same layer 2 broadcast domain, the client receives the MAC address of the server and then tries to connect directly to it.

That would mean asymmetric routing which makes TCP connections fail with timeouts.

The only way around is to create DNAT and SNAT rules as explained here to create a Hairpin NAT:

https://docs.opnsense.org/manual/how-tos/nat_reflection.html
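The DNAT plus SNAT pair described above, written out as raw pf rules. This is an added illustration, not text from either poster or from the linked OPNsense how-to, and every value in it is a placeholder: the interface name `igb1`, the 192.0.2.0/24 addressing, the firewall address 192.0.2.1 and the server address 192.0.2.50 are assumed, and the ports 9999 and 99 are taken from the first post's example.

```pf
# Hypothetical hairpin (reflection) NAT in pf syntax. All values are
# placeholders assumed for this example, not taken from the thread:
#   lan     = the firewall's LAN interface
#   lan_ip  = the firewall's own address on that LAN
#   lan_net = the LAN subnet the clients sit in
#   server  = the LAN server whose address keeps changing
lan     = "igb1"
lan_ip  = "192.0.2.1"
lan_net = "192.0.2.0/24"
server  = "192.0.2.50"

# 1) DNAT: a LAN client connecting to the firewall's LAN address on TCP 9999
#    is redirected to the server on TCP 99. On its own this is the rule the
#    first post tried: the server still sees the client's real source
#    address and answers it directly across the shared layer 2 segment, so
#    the reply never passes the firewall and the client, which expected the
#    answer from 192.0.2.1:9999, drops it and the connection times out.
rdr on $lan inet proto tcp from $lan_net to $lan_ip port 9999 -> $server port 99

# 2) SNAT: for that redirected flow only, rewrite the source to the
#    firewall's LAN address. The server now replies to the firewall, which
#    reverses both translations and hands the packet back to the client, so
#    both directions cross the firewall and its state table sees one
#    symmetric TCP flow.
nat on $lan inet proto tcp from $lan_net to $server port 99 -> $lan_ip

# Translation happens before filtering in pf, so the pass rule has to match
# the already-translated destination (server:99), not the firewall:9999 the
# client actually dialled.
pass in quick on $lan inet proto tcp from $lan_net to $server port 99 keep state
```

When the server's address changes, only the `server` macro (in OPNsense terms, the target of the port forward and the destination of the matching outbound NAT rule) needs updating; the clients keep pointing at the firewall's address and port. The cost is that the server's logs show every hairpinned client as the firewall's LAN address, which is one reason the DNS approach suggested earlier in the thread is usually the better long-term fix.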