NAT reflection..
-
I have an internal DOH server used for ~8k+ Chromebooks.
All was fine when they were out for COVID.. but as that has changed..
I'm using NAT reflection, which seems to be a scalability problem as I do Manual Outbound NAT..
(https://github.com/0xERR0R/blocky fwiw)
The DOH is on an internal, clients are on an internal during the day.. external at night..
DOH does not do split horizon..
Pure NAT would be great, but the Manual Outbound NAT seems to be the problem..
Is there a way to get Pure NAT going?
Is there a way to get any tuning of NAT + Proxy?
Thanks in advance.
10.20.245.3 is pfSense, 10.20.0.15 is the DOH..
-
@mystique_ Perhaps you should look into setting up HAProxy on your pfSense as a reverse proxy for your DOH server? There is an HAProxy package for pfSense that is easily installed and configured.
Not only will that solve your need for NAT reflection, but it will also give you some added security options and flexibility when it comes to changes to/on your DOH server.
-
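As an added illustration of the reverse-proxy setup suggested in the reply above (this is example configuration written for this thread, not something posted by the participants or shipped by the pfSense HAProxy package or by blocky): HAProxy terminates TLS on the pfSense addresses that clients actually use, so internal clients during the day and external clients at night both reach the same listener and no NAT reflection is involved. The pfSense package generates its haproxy.cfg from the GUI, so the raw config below is only the equivalent of what you would enter there. Addresses 10.20.245.3 and 10.20.0.15 come from the thread; the public WAN address, the certificate path, the backend port 4000 and the /dns-query path are assumptions to replace with your own values. No `send-proxy` is set on the backend server, since the DoH application is reported not to support the PROXY protocol.

```haproxy
# Added example: HAProxy on pfSense as a TLS-terminating reverse proxy for DoH.
# Values marked ASSUMED are placeholders, not taken from the thread.
global
    log /dev/log local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Listen on the LAN address from the thread and on the WAN address, so the
# same hostname works from inside and outside without NAT reflection.
frontend doh_in
    bind 10.20.245.3:443 ssl crt /var/etc/haproxy/doh.pem alpn h2,http/1.1
    bind <PUBLIC_WAN_IP>:443 ssl crt /var/etc/haproxy/doh.pem alpn h2,http/1.1
    # Only forward the DoH endpoint (RFC 8484 path, ASSUMED for this server);
    # everything else is refused at the proxy instead of reaching the resolver.
    acl is_doh path_beg /dns-query
    http-request deny unless is_doh
    default_backend doh_backend

backend doh_backend
    # Health check with the RFC 8484 sample query (A record for www.example.com)
    # so HAProxy stops sending clients to a resolver that has stopped answering.
    option httpchk GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    http-check expect status 200
    # 10.20.0.15 is the DoH host from the thread; port 4000 is ASSUMED.
    # No send-proxy: the DoH application does not speak the PROXY protocol.
    server doh1 10.20.0.15:4000 check
```

With this in place the Chromebooks' DoH hostname only ever needs to resolve to the pfSense listener, and the blocky host itself can stay unreachable from outside, which is the "added security" the reply refers to.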
Thank you for the suggestion.
I did not think about terminating the DOH on the router.
I use HA in house, so again, thank you for that. I do not think that my chosen DOH application supports the proxy protocol.
But that is then a different problem.. HA would change the first..
Thank you.