Netgate Discussion Forum

1:1 Nat routing back to firewall

NAT
    trever
    last edited by May 9, 2022, 2:44 PM

    I have a LAN and a WAN. I have a block of IPs from my ISP. I have set up virtual IPs and enabled 1:1 NAT. Everything works fine externally. However, computers on my LAN are being redirected back to the firewall itself. So if I try to ssh to one of the hosts from internally it ends up going to the firewall itself and not the machine that the VIP and 1:1 NAT points to. So I end up sshing to the firewall itself and not the server I am trying to get to. As I said, all works fine from outside of my network. This is also a mail server, so I am unable to connect with the mail client because it is ending up at the firewall and not the host specified in the 1:1 NAT configuration.

      viragomann @trever
      posted May 9, 2022, 3:18 PM; last edited by viragomann May 9, 2022, 3:19 PM

      @trever
      Add DNS host overrides for the host names you want to access and point them to the proper internal destination IPs.

        trever @viragomann
        last edited by May 9, 2022, 3:21 PM

        @viragomann That did not help either. It is still ending up at the firewall itself.

          viragomann @trever
          last edited by May 9, 2022, 3:23 PM

          @trever
          Consider clearing the DNS cache on the client.

            trever
            last edited by May 9, 2022, 3:33 PM

            I have tried that as well. If I ssh to the external IP I end up at the firewall. If I ssh to the internal IP I get to the server I am trying to get to. So it appears to be an issue at the firewall and not in DNS.

              SteveITS @trever
              last edited by May 9, 2022, 4:38 PM

              @trever On the 1:1 NAT entry settings page, is "NAT reflection" enabled?

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                trever @SteveITS
                last edited by May 9, 2022, 4:39 PM

                @steveits It is set to Use System Default

                  SteveITS @trever
                  last edited by May 9, 2022, 4:46 PM

                  @trever And in System/Advanced/Firewall & NAT, is reflection enabled? Enabling it there enables it for all NAT rules.

                  Reflection allows using NAT forwards from LAN.

                  See the note towards the end of this section:
                  https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#configuring-1-1-nat


                    trever @SteveITS
                    last edited by May 9, 2022, 4:49 PM

                    @steveits Neither of these options is checked.

                    Enable NAT Reflection for 1:1 NAT
                    Enable automatic outbound NAT for Reflection

                      viragomann @trever
                      last edited by May 9, 2022, 7:16 PM

                      @trever said in 1:1 Nat routing back to firewall:

                      If I ssh to the external ip I end up at the firewall.

                      I see, so that has nothing to do with DNS host overrides or with NAT reflection.
                      When you ssh to a public IP and get to pfSense, the only reason I can think of is that the packets are redirected somehow.
                      Are there any port forwards on the internal interface?

                        SteveITS @viragomann
                        last edited by May 9, 2022, 8:43 PM

                        @viragomann But he's trying to access the WAN IP from LAN. That seems to me like it needs reflection to work. NAT rules on WAN would only apply to packets arriving from the Internet.

                          viragomann @SteveITS
                          last edited by May 10, 2022, 5:40 AM

                          @steveits said in 1:1 Nat routing back to firewall:

                          But he's trying to access the WAN IP from LAN. That seems to me like it needs reflection to work.

                          Yes, you're right. I didn't read correctly.

                          @trever
                          But why are you using the external IP for accessing an internal device? The suggested way is to access it using an FQDN together with internal DNS host overrides. So from within your network the FQDN is resolved to the internal IP and accessing it should work without NAT reflection.
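As an added illustration that is not from this thread and not pfSense's own generated ruleset: a hand-written pf.conf fragment showing why a 1:1 NAT bound to WAN never matches traffic from LAN, and what the two options SteveITS points at ("NAT Reflection for 1:1 NAT" and "automatic outbound NAT for Reflection") have to add on the LAN side. Interface names (em0 = WAN, em1 = LAN) and addresses (203.0.113.10 = public VIP, 192.168.1.10 = mail server, 192.168.1.0/24 = LAN) are assumed.

```pf
# Assumed names and addresses (constructed for this example).
ext_if  = "em0"
int_if  = "em1"
vip     = "203.0.113.10"
mailsrv = "192.168.1.10"
lan_net = "192.168.1.0/24"

# The 1:1 NAT itself. binat is bound to the WAN interface, so it only
# translates packets that cross em0. A LAN client sending to $vip never
# crosses em0: the VIP is a local address of the firewall, so the packet
# is delivered to the firewall's own sshd / listener, which is exactly
# the symptom described at the top of the thread.
binat on $ext_if from $mailsrv to any -> $vip

# "Enable NAT Reflection for 1:1 NAT": a redirect on the LAN interface
# that rewrites LAN -> VIP traffic to the internal server.
rdr on $int_if inet proto tcp from $lan_net to $vip -> $mailsrv

# "Enable automatic outbound NAT for Reflection": source-NAT the reflected
# connection to the LAN interface address. Without this the server would
# answer the client directly with source 192.168.1.10, while the client
# expects replies from $vip, so the connection would be reset.
nat on $int_if from $lan_net to $mailsrv -> ($int_if)

# Filter rules see post-translation addresses, so the reflected traffic
# still needs a pass rule to the internal server.
pass in on $int_if inet proto tcp from $lan_net to $mailsrv port { 22, 25, 587, 993 }
```

The alternative viragomann recommends in the reply above avoids the rdr/nat pair entirely: an internal DNS host override makes the FQDN resolve to 192.168.1.10 inside the LAN, so LAN clients never send traffic to the VIP in the first place.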

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.