15.2. Why isn't it possible to access NATed services by the public IP address from LAN?

Problem. NATed services cannot be reached by their public (WAN) IP address from within the LAN (or an optional network); this is often called NAT reflection or hairpin NAT. Example: you have a server on your LAN behind SmallWall and have added a NAT rule (plus the matching firewall rule) to allow external access to its HTTP port. Clients on the Internet can reach it just fine, but from within your LAN, http://your-external-ip/ does not work.

Reason. This is a limitation of ipfilter/ipnat, which SmallWall uses for filtering and NAT. Reflecting such a connection back into the LAN would require the firewall to rewrite both the destination (to the server's private address) and the source (so that the server's reply returns through the firewall instead of going straight to the client from the private address, which the client would reject); ipfilter/ipnat does not do this for SmallWall's setup. Read the ipfilter FAQ for details. SmallWall does not (and probably will not) include a "port reflection" utility.

Solution. Use split DNS. If your LAN clients use SmallWall's built-in DNS forwarder (or some other internal DNS server, such as Microsoft Active Directory), add one or more host overrides so that those clients resolve the server's name to its internal (LAN) IP address, while external clients still get the real/public IP address from the public DNS.

Note

This only works if your LAN hosts actually send their queries to SmallWall's DNS forwarder; a host configured with a hard-coded external resolver bypasses the override and still gets the public IP. If you use another DNS server, use its own mechanism to resolve that host to the appropriate private IP. See your DNS server documentation for more information. Two further caveats: the override only helps when clients use the hostname (connections to the raw public IP still fail), and a DNS override cannot remap ports, so it only substitutes for a NAT rule whose external and internal ports are the same.