OPNsense Forum » Archive » 23.7 Legacy Series » LAN2LAN port forwarding question
Topic: LAN2LAN port forwarding question (Read 827 times)
DenverTech (Newbie, Posts: 49, Karma: 3)
LAN2LAN port forwarding question, posted January 16, 2024, 08:36:17 pm
I'll admit I'm baffled by this one and it seems like it should be really easy...I'm clearly missing something.
I can port-forward all I want from WAN > LAN without issue. Example, WAN port 9999 forwards into a specific LAN device port 99. Easy. Works great.
Where I run into problems is LAN > LAN forwarding for ports that do hit the firewall (so this isn't a layer-2 issue, as it's not going from client -> server, but rather client -> fw -> forward to server). I know, I know...this is because someone keeps changing the IP of the LAN server and I want to update it on one spot, rather than inform a dozen users that the IP changed again. My goal is that they just go to a port on the firewall and it redirects them to wherever the LAN server is this week.
Firewall LAN IP is 192.168.0.1
LAN server is 192.168.0.5
NAT rule forwards firewall port 9999 to LAN server port 9999
Client machine goes to 192.168.0.1:9999. They should get 192.168.0.5:9999, but instead get a timeout. Firewall logs say that the traffic WAS redirected successfully. LAN server doesn't see any traffic from the client or the firewall.
Client machine goes to 192.168.0.5:9999. Site works fine.
LAN server's internal firewall disabled to ensure it was not the cause of issues.
Tested with reflection enabled and disabled. No change
What am I missing here to redirect LAN to LAN?
Last Edit: January 16, 2024, 08:49:50 pm by DenverTech
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: LAN2LAN port forwarding question, Reply #1, January 16, 2024, 09:23:34 pm
For your issue DNS would be the better choice.
Just give the server an FQDN and give it to all users. When the IP changes just change the DNS A-Record. Or automate it with Dynamic DNS.
Hardware: DEC740
DenverTech (Newbie, Posts: 49, Karma: 3)
Re: LAN2LAN port forwarding question, Reply #2, January 16, 2024, 10:05:33 pm
I agree, but would still like to figure out why I can't port redirect lan to lan.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: LAN2LAN port forwarding question, Reply #3, January 17, 2024, 06:45:30 am
Actually this is indeed a layer 2 problem.
When you port forward, the traffic hits the firewall and gets redirected to the server, but because they're in the same layer 2 broadcast domain, the client receives the MAC address of the server and then tries to connect directly to it.
That would mean asymmetric routing, which makes TCP connections fail with timeouts.
The only way around is to create DNAT and SNAT rules as explained here to create a Hairpin NAT:
https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Hardware: DEC740
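The return-path problem Reply #3 describes, modelled in a few lines of Python. This is an added example for this thread, not code from the poster, from OPNsense or from pf: it walks one SYN / SYN-ACK exchange across a flat LAN segment twice, once with the redirect (DNAT) alone and once with the hairpin pair (DNAT plus SNAT) the linked how-to sets up. The firewall address 192.168.0.1, the server 192.168.0.5 and port 9999 are taken from the thread; the client address 192.168.0.20 and source port 40000 are assumed.

```python
"""Why a LAN-to-LAN port forward needs SNAT as well as DNAT (hairpin NAT).

Added example for this forum thread; a small model of the packet path, not
OPNsense or pf code. 192.168.0.1 (firewall), 192.168.0.5 (server) and port 9999
come from the thread; client address 192.168.0.20 and port 40000 are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

FW_LAN = "192.168.0.1"    # firewall LAN address (from the thread)
SERVER = "192.168.0.5"    # LAN server (from the thread)
CLIENT = "192.168.0.20"   # assumed LAN client
PORT = 9999               # forwarded port (from the thread)
CLIENT_SPORT = 40000      # assumed ephemeral source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class Firewall:
    """Stateful DNAT (rdr) with optional SNAT (nat), keyed on the translated 4-tuple."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # translated (src, sport, dst, dport) as seen by the server -> original client-side tuple
        self.states: dict[tuple, tuple] = {}

    def handle(self, pkt: Packet) -> Packet | None:
        # New connection to the firewall's own LAN address on the forwarded port.
        if pkt.dst == FW_LAN and pkt.dport == PORT:
            # DNAT: rewrite the destination to the server.
            # SNAT (hairpin only): also rewrite the source to the firewall, so the
            # server's reply is addressed to the firewall instead of straight to the client.
            new_src = FW_LAN if self.hairpin_snat else pkt.src
            out = Packet(new_src, pkt.sport, SERVER, PORT, pkt.flags)
            self.states[(out.dst, out.dport, out.src, out.sport)] = (
                pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return out
        # Reply direction: undo both translations if this firewall created the state.
        original = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return None  # no matching state: dropped
        c_src, c_sport, c_dst, c_dport = original
        return Packet(c_dst, c_dport, c_src, c_sport, pkt.flags)


def run_handshake(hairpin_snat: bool) -> dict:
    """Drive SYN / SYN-ACK across one flat L2 segment and report what each side sees."""
    fw = Firewall(hairpin_snat)

    # 1. The client connects to the firewall's LAN IP, so this packet does hit pf.
    syn = Packet(CLIENT, CLIENT_SPORT, FW_LAN, PORT, "SYN")
    to_server = fw.handle(syn)

    # 2. The server answers whatever source address it saw. Everything is in one
    #    broadcast domain, so the reply is delivered directly to that address and
    #    only passes through the firewall if it is addressed to the firewall.
    synack = Packet(SERVER, PORT, to_server.src, to_server.sport, "SYN-ACK")
    via_firewall = synack.dst == FW_LAN
    if via_firewall:
        synack = fw.handle(synack)

    # 3. The client's socket is connected to 192.168.0.1:9999. A SYN-ACK from any
    #    other endpoint matches no socket, so the client discards it (typically
    #    answering with a RST) and keeps retransmitting its SYN until it times out.
    accepted = (
        synack is not None
        and synack.dst == CLIENT
        and (synack.src, synack.sport) == (FW_LAN, PORT)
    )
    return {
        "server_saw_source": to_server.src,
        "reply_via_firewall": via_firewall,
        "reply_from": (synack.src, synack.sport),
        "client_accepted": accepted,
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("hairpin SNAT:", snat, run_handshake(snat))
```

With the redirect alone the firewall's log is right to say the SYN was redirected; the failure is on the reply, which the server sends straight to the client from 192.168.0.5:9999 and the client never matches to its connection. With the SNAT half added the server replies to 192.168.0.1, the firewall reverses both translations, and the handshake completes. The cost of the hairpin is visible in the model too: the server now sees every LAN client as 192.168.0.1, so server-side logs and any per-client access control lose the real client address, which is one more reason the DNS approach in Reply #1 is the cleaner fix.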