Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Access an internal system from inside?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Access an internal system from inside? (Read 1911 times)
ember1205
Newbie
Posts: 24
Karma: 0
Access an internal system from inside?
«
on:
July 30, 2021, 07:26:01 pm »
Quick description of the setup: I have a server running on my internal network that I need to access from outside. I have configured port-forwarding and firewall rules to make this function correctly. The device is positioned on what can be thought of as "inside" (not a DMZ).
I have an additional need to be able to access this same server from other machines on my internal network but I have to access them using the externally-resolvable DNS FQDN for it. If I try to do this now, it fails because it is attempting to resolve to and connect to the WAN Interface Address of the firewall.
I need some help in understanding where there may be a missing rule or setting that will allow these connections to pass through correctly.
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Access an internal system from inside?
«
Reply #1 on:
July 30, 2021, 09:49:20 pm »
You can use NAT reflection (a.k.a. hairpin) to allow the traffic to go towards the WAN and back into the LAN, but it is not best practice. There is no need for the traffic to touch the firewall at all since it is between internal hosts. It adds to the load, increases latency and makes firewall packet captures harder.
If you can, set up split DNS:
https://en.wikipedia.org/wiki/Split-horizon_DNS
or use multicast DNS inside your network (a.k.a. Avahi, Bonjour, Zeroconf). Both provide a local solution for your name resolution.
If you do want to use it, check
https://docs.opnsense.org/manual/nat.html
look for NAT reflection
Bart...
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: Access an internal system from inside?
«
Reply #2 on:
July 30, 2021, 10:28:58 pm »
@bartjsmit Correct, but split DNS is such a pain in the a... I'd rather use hairpin (and I do).
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
ember1205
Newbie
Posts: 24
Karma: 0
Re: Access an internal system from inside?
«
Reply #3 on:
July 30, 2021, 11:53:09 pm »
Thanks for the replies.
I have tried the reflection component and it does not seem to work. I am able to access everything as expected from outside, but not inside.
I should also mention that I do understand there is no "need" for what I am asking based on basic usage principles, but this is kind of a unique situation where I actually do need it to work this way and this access happens infrequently and for a short period only during the middle of the night by an automated routine.
Logged
errored out
Full Member
Posts: 171
Karma: 3
Re: Access an internal system from inside?
«
Reply #4 on:
August 12, 2021, 01:35:19 am »
Do you need to have a externally-resolvable DNS because you are using signed certificates? Trying to figure out if you could simple use a DNS override in your lookup table.
Logged
ember1205
Newbie
Posts: 24
Karma: 0
Re: Access an internal system from inside?
«
Reply #5 on:
August 12, 2021, 04:36:08 am »
I ended up getting this to work via the refelection. I pulled out the handful of rules that I had in place, restarted everything, then re-added the rules and it began working correctly.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Access an internal system from inside?