Access Virtual Server from LAN

2019-07-15 15:09:01 - last edited 2021-04-19 12:04:52
Model: TL-ER6020  
Hardware Version: V2
Firmware Version: 2.0.2

Trying to set up a virtual server. When configured via Transmission->NAT->Virtual Servers, I can access the server from any *REMOTE* IP Address, but cannot access from any *LAN* IP Address.

 

For this example, I'm using DNS, but the story is the same for other services.

 

When accessing from WAN, I see a normal NAT communication with the host being me (external) and the server being the internal IP address:

 

 

But when local, I see something very strange. A packet capture on the server shows a request from itself to the WAN IP, obviously with no response:

 

 

Is there another setting I need to make to enable LAN clients to access Virtual Servers too?

 

Re:Access Virtual Server from LAN
2019-07-16 08:52:38 - last edited 2021-04-19 12:04:52

When you access your server from LAN IP, why don't you access the private network IP address of the server directly? 

If you must access the server through the WAN IP, I suggest contacting TP-LINK SUPPORT for help. This issue should be related to the NAT loopback for virtual server.

Re:Re:Access Virtual Server from LAN
2019-07-16 13:24:03 - last edited 2021-04-19 12:04:52

That's a great question! Let me add a little commentary fully explaining *why* I am attempting to do this.

 

Behind the scenes is a mesh network of EAP225s that are configured with multiple SSIDs. I have two of the SSIDs set to "Guest" mode, which blocks traffic to any RFC1918 IP range (10.0.0.0/8, 172.168.0.0/12, and 192.168.0.0/16). Of course, like everyone, my internal network uses one of these.

 

In my network, I am required to host my own DNS -- multiple reasons, but let's let that stand on its own. So if my DNS server were, say 192.168.0.1, then the PCs on any of the "Guest" networks could not access the DNS server to resolve queries. There does not seem to be any workaround for this in the Omada configuration.

 

So, my next thought was that since I do have a static IP, why not simply use the public IP for DNS resolution and hosting any other internal services? Then I get exactly what I want:

 

  • The "Guest" networks cannot access any internal site unless I explicitly allow it.
  • The Guest network still can access *some* internal sites that I explicitly allow.

 

So I added a virtual server for port 53, pointing to my internal DNS server. Externally, I can resolve the queries, but internally, I cannot.

 

-BlackOak

Re:Re:Re:Access Virtual Server from LAN
2019-07-17 10:40:24 - last edited 2021-04-19 12:04:52

I used the below firmware and everything worked fine. You can have a try.

 

https://we.tl/t-ZNMLjJdP3r

Re:Re:Re:Re:Access Virtual Server from LAN
2019-07-17 13:53:20 - last edited 2021-04-19 12:04:52

For obvious reasons, I am a bit hesitant to use firmware from a random friend online in my environment :-)

 

While attempting to locate an "official" version, I stumbled across this:

 

https://community.tp-link.com/en/business/forum/topic/150305?page=1&t=2019%2F02%2F03%2011%3A33%3A01%20%2B0000

 

It seems this BETA version was specifically released to address my specific problem.

 

Thanks, Andone! You helped me resolve this issue.

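The NAT loopback behaviour the replies point to can be traced with a small model. This is an added example, not part of the thread and not TL-ER6020 firmware logic: it models the common case where a virtual server rewrites only the destination, and it assumes the LAN client and the DNS server share one subnet. All addresses except port 53 and the 192.168.0.1 server are constructed.

```python
from ipaddress import ip_address, ip_network

# All addresses are constructed for illustration; only port 53 and the
# example DNS server 192.168.0.1 come from the thread.
WAN_IP = "203.0.113.10"          # router's public address (documentation range)
ROUTER_LAN_IP = "192.168.0.254"  # router's LAN-side address (assumed)
LAN = ip_network("192.168.0.0/24")
VIRTUAL_SERVERS = {(WAN_IP, 53): "192.168.0.1"}  # WAN_IP:53 -> internal DNS


def query_via_wan_ip(client, dport=53, loopback=False):
    """Trace one request to WAN_IP:dport and the reply the client receives."""
    server = VIRTUAL_SERVERS[(WAN_IP, dport)]  # DNAT: destination rewritten
    internal = ip_address(client) in LAN
    # NAT loopback also rewrites the source of LAN-originated requests to
    # the router, so the server's reply has to come back through it.
    seen_src = ROUTER_LAN_IP if internal and loopback else client
    # A reply to another LAN host is delivered on-link and never crosses
    # the router, so nothing restores WAN_IP as its source address.
    bypasses_router = ip_address(seen_src) in LAN and seen_src != ROUTER_LAN_IP
    reply_src = server if bypasses_router else WAN_IP
    return {
        "server_sees": seen_src,          # what the server's logs record
        "reply_src": reply_src,           # source address on the reply
        "accepted": reply_src == WAN_IP,  # client only accepts its peer
    }


if __name__ == "__main__":
    for label, client, lb in [
        ("remote client", "198.51.100.7", False),
        ("LAN client, no loopback", "192.168.0.50", False),
        ("LAN client, loopback", "192.168.0.50", True),
    ]:
        print(f"{label:26} {query_via_wan_ip(client, loopback=lb)}")
```

With loopback enabled in this model, the server records the router's LAN address as the source of every LAN query, so per-client attribution in the DNS server's logs is lost for those requests.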