So, I just realized that if i use my WAN IP in my browser from within my network, it brings me to my pfsense login page…
At first I panicked thinking this was also accessible externally, but luckily it is not.
I have rules in place to prevent devices from accessing the GUI unless they’re part of an alias, however if I access it in this way, it bypasses the check.
Why is my WAN IP resolving to my pfsense login?
Edit: As just about everyone has mentioned, this seems like NAT Reflection, however I have this disabled everywhere I’ve found. Here is the setting in System>>Advanced>>Firewall & NAT as well as in the individual NAT rules as seen here
Sounds like hairpin NAT. Don’t worry, the traffic never leaves your network
Thank you, that was the first thing I checked after having a near heart attack, haha. I thought the whole world could see my login for a second there.
This is known as NAT Hairpinning. When you use your wan IP from within your LAN, your router will route it back to LAN applying your port forwarding rules.
If you were to set a rule forwarding port 80 to something else, you’d get that instead of your pfsense interface (which your router hosts on port 80 but only listens to LAN IPs).
Gotcha, thanks so much (to you and the others who mentioned this as well). This has been driving me crazy the last couple hours, as I can connect to any of my VLANs (some which I treat as fairly insecure) and they can all hit my firewall if I use the WAN IP.
I checked Pfsense, and I have NAT Reflection disabled everywhere I found it (System>>Advanced>>Firewall & NAT as well as in my individual NAT rules), however I can still access via the WAN IP.
So I guess all I can really do is set a rule to forward to port 80/443 to something else to avoid this, right? I was thinking of hosting a Matrix chat server which would use those ports, so maybe that’s the play.
If you really want to, not really necessary though. You’ll still always be able to reach it using the router ip too. The routers interface only responds to LAN traffic and can’t actually be reached from WAN. This is pretty typical of most consumer networks.
Hm, currently I have PFsense and my other network equipment on it’s own “management” VLAN, and I don’t allow my other VLANs access to it (except for a couple devices I whitelist). None of those can reach PFsense via the LAN IP as I expect, only by the WAN IP.
Also if the pfsense router is where the WAN IP lives as might be the case in simpler setups where it is the wan router, it would just note that “hey thats me” and resolve unless there were specific rules preventing that traffic.
NAT reflection maybe?
Hm, my only NAT rule is to allow traffic to my game server on specific ports. Is there somewhere else that could be set? EDIT: I think you’re right.
