Virtual IP Addresses

Hey folks, hope everyone is having a good day :slight_smile:

I currently have a fibre network, and a CIDR address range of 8. Let’s say 10.0.0.5/29

I’m running pfsense, with the WAN setup on Static IPv4. The current configuration is setup as:

WAN GATEWAY:

Interface: WAN
Name: WANGW
Gateway: 10.0.0.5

WAN:

IPv4 Configuration Type: IPv4
IPv4 Address: 10.0.0.6/29
IPv4 Upstream gateway: WANGW - 10.0.0.5

I can then register virtual IPs and route each virtual IP’s traffic to different internal IPs (this enables me to accept multiple connections on port 80, 443, etc.)

So I have one virtual IP accepting connections on 443 for my vpn, then another virtual IP accepting connections for my home lab apps again on 443.

The issue I’m having is that when on the internal network I cannot access any of my home lab apps without changing the hosts file to point to the internal IP.

I have setup the DNS Resolver, but this doesn’t work with a nested DHCP server I have attached to the main pfsense network.

For example:

pfsense DHCP / Network range:

192.168.0.1 → 192.168.0.200
The home lab docker server gets an IP address from here
The TP-Link router below also gets an IP address from this range

TP-Link router connected to the pfsense (for local devices):

172.0.0.1 → 172.0.0.50
All desktop and wireless devices sit on this network

So the external IP address on all networks reports back as 10.0.0.6, even from the devices on the TP-Link network (typing ‘what is my IP address’ into google for example)

Is there a way to utilize the virtual IPs so that the external IP address of the TP-Link devices is a different virtual IP, with the aim of removing the need for the DNS Resolver or for changing the hosts file?

Thanks in advance :slight_smile:

Edit:
The message I see when trying to view a domain name on anything on the TP-Link network is:
“Potential DNS Rebind attack detected, see DNS rebinding - Wikipedia
Try accessing the router by IP address instead of by hostname.”

You want to read this:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

or, TLDR:

Navigate to System > Advanced, Firewall & NAT tab

Configure the following options in the Network Address Translation section of the page:

NAT Reflection mode for port forwards
Pure NAT

Pure NAT mode is the best choice if NAT reflection must be activated, but it may not work for all scenarios. See NAT Reflection mode for Port Forwards for details on each of the NAT reflection modes.

Enable NAT Reflection for 1:1 NAT
Checked

Enable automatic outbound NAT for Reflection
Checked

Click Save

I have enabled these settings.

I assume I need to add entries to the Firewall > NAT > 1:1 list for this to work?

Saving the settings above with no entries in the 1:1 list no longer shows the warning, but now it shows that the site cannot be reached.

I am not able to understand how your network is set up from your description.
How many DHCP servers are you running?
Are you using PFSense as your DNS for internal hosts?

Here’s an example overview:

External IP 123.0.0.5

pfsense is the main router connecting to the internet. This is configured with a DNS Resolver, and also a DHCP Server. This is connecting to a switch.

The pfsense DHCP server has the IP address of 192.168.0.1

My docker home lab is connected to the switch, and is set to a static IP address of 192.168.0.50

A TP-Link Omada setup is also plugged into the switch: an edge device with TP-Link switches. The edge device’s WAN is set to DHCP, coming from the pfsense.

This was done because the TP-Link network is not able to handle virtual IP addresses, so the pfsense device was placed in between.

The TP-Link network then has its own DHCP server that hands out 172.0.0.1 addresses.

If you use a client on the pfSense LAN (so with a 192.168.0.x address), is it able to access the port-forwarded service using the proper DNS name?
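The question above (does a LAN client reach the forwarded service by its DNS name?) and the earlier NAT reflection / host override discussion come down to one check: which address does the client's resolver hand back for the service name, and is that address reachable on the forwarded port from where the client sits. The script below is an added example, not code from the thread or from pfSense; it is meant to be run once from a 192.168.0.x client and once from a 172.0.0.x client behind the TP-Link, and the two results compared. The WAN address, virtual IP and backend address are constructed placeholders modelled on the thread, and `lab.example.com` is a hypothetical service name; substitute your own.

```python
"""Check how a port-forwarded service name resolves from a given client.

Added example, not code from the thread. Addresses and the service name
are placeholders modelled on the thread (lab.example.com is hypothetical).
"""
import ipaddress
import socket

# Constructed sample values: the pfSense WAN address plus one virtual IP,
# and the docker host on the pfSense LAN that the port forward targets.
PUBLIC_VIPS = {"10.0.0.6", "10.0.0.7"}
INTERNAL_HOSTS = {"192.168.0.50"}


def classify(resolved, public_vips=PUBLIC_VIPS, internal_hosts=INTERNAL_HOSTS):
    """Say which path a client takes for the addresses a name resolved to.

    internal   - every address is the real backend: split DNS is working and
                 no NAT reflection is needed for this client
    reflected  - at least one address is a WAN virtual IP: the client goes to
                 the outside address, so NAT reflection must pass the traffic
    nxdomain   - the name did not resolve at all
    unexpected - something else answered (stale override, wrong resolver, ...)
    """
    addrs = {str(ipaddress.ip_address(a)) for a in resolved}
    if not addrs:
        return "nxdomain"
    if addrs <= set(internal_hosts):
        return "internal"
    if addrs & set(public_vips):
        return "reflected"
    return "unexpected"


def resolve(name):
    """IPv4 addresses the client's own configured resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP connection to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(name, port=443, resolver=resolve, prober=tcp_reachable):
    """Resolve name, classify the answer and probe each address on port."""
    addrs = resolver(name)
    return {
        "name": name,
        "addresses": addrs,
        "verdict": classify(addrs),
        "reachable": {a: prober(a, port) for a in addrs},
    }


def advice(result):
    """One-line interpretation of a check() result."""
    verdict = result["verdict"]
    any_open = any(result["reachable"].values())
    if verdict == "internal":
        return "split DNS: client goes straight to the backend" + (
            "" if any_open else ", but the backend port is closed")
    if verdict == "reflected" and any_open:
        return "client uses the WAN virtual IP and NAT reflection is passing it"
    if verdict == "reflected":
        return ("client uses the WAN virtual IP but cannot connect: enable NAT "
                "reflection for this forward, or add a DNS Resolver host override "
                "so internal clients get the backend address")
    if verdict == "nxdomain":
        return "name does not resolve from this client; check which DNS server it uses"
    return "unexpected answer: " + ", ".join(result["addresses"])


if __name__ == "__main__":
    import sys
    # Usage: python3 check_forward.py lab.example.com 443
    name = sys.argv[1] if len(sys.argv) > 1 else "lab.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = check(name, port)
    print(res)
    print(advice(res))
```

If the 192.168.0.x client reports `internal` and the 172.0.0.x client reports `reflected`, the TP-Link clients are not using the pfSense DNS Resolver (so the host override never reaches them) and only NAT reflection on the WAN virtual IP can serve them; if both report `reflected` but only one can connect, the reflection path itself is what to look at.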