Access an internal system from inside?

Started by ember1205, July 30, 2021, 07:26:01 PM

Quick description of the setup: I have a server running on my internal network that I need to access from outside. I have configured port-forwarding and firewall rules to make this function correctly. The device is positioned on what can be thought of as "inside" (not a DMZ).

I have an additional need to be able to access this same server from other machines on my internal network but I have to access them using the externally-resolvable DNS FQDN for it. If I try to do this now, it fails because it is attempting to resolve to and connect to the WAN Interface Address of the firewall.

I need some help in understanding where there may be a missing rule or setting that will allow these connections to pass through correctly.

You can use NAT reflection (a.k.a. hairpin) to allow the traffic to go towards the WAN and back into the LAN, but it is not best practice. There is no need for the traffic to touch the firewall at all since it is between internal hosts. It adds to the load, increases latency and makes firewall packet captures harder.

If you can, set up split DNS: https://en.wikipedia.org/wiki/Split-horizon_DNS or use multicast DNS inside your network (a.k.a. Avahi, Bonjour, Zeroconf). Both provide a local solution for your name resolution.

If you do want to use it, check https://docs.opnsense.org/manual/nat.html and look for NAT reflection.

Bart...
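A small diagnostic for the situation described in this thread, added here as an example and not part of the original posts or of OPNsense: it resolves the published FQDN from a LAN client and reports whether the answer is the server's internal address (split DNS or mDNS in effect), the firewall's WAN address (the case that needs NAT reflection or split DNS), or something else. The hostname, addresses and prefixes are constructed placeholders, and the `local-data` line it prints uses Unbound's configuration syntax for a host override.

```python
"""Check how an externally published FQDN resolves from inside the LAN.

Added example, not from the thread. All names and addresses below are
constructed placeholders; replace them with your own.
"""
import ipaddress
import socket
from enum import Enum


class Resolution(Enum):
    INTERNAL = "resolves to the internal host: split DNS (or mDNS) is in effect"
    WAN = "resolves to the firewall WAN address: needs NAT reflection or split DNS"
    OTHER = "resolves to an address that is neither the LAN host nor the WAN address"
    NONE = "no A/AAAA record returned"


def resolve(fqdn):
    """Return the set of addresses the local resolver gives for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(resolved, lan_host, wan_addr, lan_nets):
    """Classify resolver answers for an internally hosted, externally published service.

    resolved -- iterable of address strings returned by the resolver
    lan_host -- the server's real LAN address
    wan_addr -- the firewall's WAN interface address (what public DNS returns)
    lan_nets -- iterable of internal prefixes, e.g. ["192.168.1.0/24"]
    """
    addrs = {ipaddress.ip_address(a) for a in resolved}
    if not addrs:
        return Resolution.NONE
    nets = [ipaddress.ip_network(n, strict=False) for n in lan_nets]
    lan_ip = ipaddress.ip_address(lan_host)
    # Any internal answer means name resolution already short-circuits the firewall.
    if lan_ip in addrs or any(a in n for a in addrs for n in nets):
        return Resolution.INTERNAL
    # The WAN address is exactly what the original poster saw from inside.
    if ipaddress.ip_address(wan_addr) in addrs:
        return Resolution.WAN
    return Resolution.OTHER


def unbound_override(fqdn, lan_host):
    """Build the Unbound local-data line that implements split DNS for one host."""
    rtype = "AAAA" if ipaddress.ip_address(lan_host).version == 6 else "A"
    name = fqdn.rstrip(".") + "."          # Unbound wants a fully qualified name
    return f'local-data: "{name} IN {rtype} {lan_host}"'


if __name__ == "__main__":
    # Constructed placeholder values; documentation ranges, not real hosts.
    FQDN = "server.example.com"
    LAN_HOST = "192.168.1.10"
    WAN_ADDR = "203.0.113.5"
    LAN_NETS = ["192.168.1.0/24"]

    answers = resolve(FQDN)
    verdict = classify(answers, LAN_HOST, WAN_ADDR, LAN_NETS)
    print(f"{FQDN} -> {sorted(answers) or 'no answer'}: {verdict.value}")
    if verdict is Resolution.WAN:
        print("Split DNS override for Unbound:", unbound_override(FQDN, LAN_HOST))
```

Run it from a LAN client after each change (adding the reflection rules, or the DNS override) to confirm which path the name now takes; the `classify` function is kept pure so it can be exercised with canned answers.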

@bartjsmit Correct, but split DNS is such a pain in the a... I'd rather use hairpin (and I do).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the replies.

I have tried the reflection component and it does not seem to work. I am able to access everything as expected from outside, but not inside.

I should also mention that I do understand there is no "need" for what I am asking based on basic usage principles, but this is kind of a unique situation where I actually do need it to work this way and this access happens infrequently and for a short period only during the middle of the night by an automated routine.

Do you need to have an externally-resolvable DNS because you are using signed certificates? Trying to figure out if you could simply use a DNS override in your lookup table.

I ended up getting this to work via the reflection. I pulled out the handful of rules that I had in place, restarted everything, then re-added the rules and it began working correctly.