Split DNS and internal port forwarding


I have a pfSense firewall running in a pretty standard configuration, 1 WAN, 1 LAN. On both sides of the pfSense I'd like to make available a service via DNS name, let's say "service.domain.com".
For WAN the DNS entry points to the WAN IP address of the pfSense, and I have already set up a working split DNS configuration for the LAN, so devices are redirected to the LAN IP of the service.

On the WAN side, there is a port-forwarding from 443 TCP to port 444 TCP on the target server, so the service runs on a non-HTTPS port (which is already in use). The trouble starts when I try to mirror this configuration for the LAN side of the pfSense. I have added a virtual IP on the pfSense, exclusively for the split DNS configuration.

What I have tried so far:

Configured a port-forwarding rule on the LAN side (new virtual IP 443 TCP –> target server 444 TCP). Traffic goes to the target server on the correct port and leaves the server to the correct destination (verified via tcpdump and Microsoft Netmon). The client times out (telnet, openssl for testing).

My guess is that the client receives the traffic, but discards it because it cannot associate it with an established connection.

Another test was a 1:1 NAT, but within this 1:1 NAT I cannot change the destination port, which I need to do in this configuration.

What would be the best way to accomplish this "internal port forwarding"?

Thanks!

Best Answer

I ended up adding a manual outbound NAT rule in the firewall:

  • Incoming Interface: LAN
  • Source IP: Any
  • Source Port: Any
  • Destination: Target server LAN IP
  • Destination Port: Target server port (444 TCP e.g.)
  • NAT Address: pfSense LAN interface address

The service works now with split-brain DNS and internal port forwarding.
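To make concrete why the first attempt timed out and why the outbound NAT rule in the answer fixes it, here is an added model of the hairpin translation (example code, not from the thread or from pfSense). The addresses, ports, the chosen ephemeral port and the `Firewall`/`run` names are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed example addresses (not the poster's); all on one LAN segment.
CLIENT, CLIENT_PORT = "192.168.1.50", 40000
VIP = "192.168.1.2"          # virtual IP that split DNS returns for service.domain.com
FW_LAN = "192.168.1.1"       # pfSense LAN interface address (the outbound NAT address)
SERVER, SERVER_PORT = "192.168.1.10", 444

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)

class Firewall:
    def __init__(self, hairpin_outbound_nat: bool):
        self.hairpin_outbound_nat = hairpin_outbound_nat
        self.states = {}  # expected reply tuple -> packet as the client originally sent it

    def forward(self, pkt: Packet) -> Packet:
        """Apply the LAN port forward (VIP:443 -> SERVER:444) and, if enabled,
        the manual outbound NAT from the answer (source -> pfSense LAN address)."""
        out = pkt
        if out.dst == VIP and out.dport == 443:
            out = replace(out, dst=SERVER, dport=SERVER_PORT)
        if self.hairpin_outbound_nat and out.dst == SERVER and out.dport == SERVER_PORT:
            out = replace(out, src=FW_LAN, sport=50000)  # assumed ephemeral port picked by pf
        self.states[out.reply()] = pkt
        return out

    def deliver_reply(self, reply: Packet) -> Packet:
        """What the client receives. A reply not addressed to the firewall stays on the
        LAN segment and reaches the client directly, untranslated (the original problem);
        one addressed to the firewall is matched against state and reverse-translated."""
        if reply.dst != FW_LAN:
            return reply
        return self.states[reply].reply()

def run(hairpin_outbound_nat: bool):
    """Return (packet as seen by the server, reply as seen by the client, client accepts?)."""
    fw = Firewall(hairpin_outbound_nat)
    syn = Packet(CLIENT, CLIENT_PORT, VIP, 443)
    at_server = fw.forward(syn)
    at_client = fw.deliver_reply(at_server.reply())
    return at_server, at_client, at_client == syn.reply()
```

Without the outbound NAT rule the client receives a reply from SERVER:444 while it is waiting for one from VIP:443, so the packet is dropped; with the rule the reply is forced back through pfSense and reverse-translated. The side effect is that the server then sees connections from the pfSense LAN address rather than the real client address, which matters for the server's own logs and access controls.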
