Netgate Discussion Forum

    1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN

    NAT
    4 Posts 3 Posters 450 Views
      louis2

      Up to now I am using a Split DNS solution to reach e.g. my public web server from the internal LAN.

      However, since DNS queries are more and more hidden in HTTPS, Split DNS solutions do not work any longer. So I need a different solution, which might simplify things as well.

      What I would like to achieve is that if a destination IP equals my IPv4 address (and maybe also one of my public IPv6 addresses), the internally generated traffic seems to be arriving from the internet.

      I think a behaviour like this should be possible using:
      option: System > Advanced > Firewall & NAT: Enable automatic outbound NAT for Reflection
      in combination with some rules in "Firewall > NAT > 1:1"

      The intention is that the FW treats the traffic completely like external traffic. Not completely true of course, since routing should be from and to the internal device.

      Has someone experience with such a setup?
      And what settings are exactly used?

        SteveITS @louis2

        @louis2 enable that one setting but you don’t need 1:1. 1:1 is to forward all ports on the router and useful for a second public IP address and server or DMZ. Just enable reflection on the NAT rule for port 443.

          louis2 @SteveITS

          @SteveITS

          Steve,

          there are multiple ports involved:

          • there is also an SFTP server
          • mail server
          • etc.

          The number of ports is limited.

          When a packet is arriving via the WAN, the WAN has a couple of rules to allow / to block / to NAT.
          I am also using HAProxy (for a limited number of ports; my original idea was to use HAProxy for all involved ports, but that does not work, I know now).

            viragomann @louis2

            @louis2 said in 1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN:

            However, since DNS queries are more and more hidden in HTTPS, Split DNS solutions do not work any longer. So I need a different solution, which might simplify things as well.

            You should rather make sure that the local devices use your local DNS instead.
            Normally you can configure web browsers to not use DoH but the system DNS resolver.
            And for the hardcore ones, there are lists of DoH servers on the internet, which you can use to block them.

            option: System > Advanced > Firewall & NAT: Enable automatic outbound NAT for Reflection
            in combination with some rules in "Firewall > NAT > 1:1"

            This should also enable internal devices accessing your public IPs without additional NAT rules.
            But remember, this is only NAT as well.

            When a packet is arriving via the WAN, the WAN has a couple of rules to allow / to block / to NAT.

            When using NAT 1:1, you have to additionally configure the necessary firewall rules on WAN and on the internal interface. The NAT rules don't pass any traffic on their own.
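The setup the three replies above describe, written out as a raw pf ruleset so the moving parts are visible: the WAN port forward, the reflected rdr on the LAN side, the outbound NAT on the LAN interface that "Enable automatic outbound NAT for Reflection" adds, the separate pass rules viragomann points out are still needed, and the rules that keep LAN clients on the local resolver as a companion to blocking DoH. This is an added example, not text from the thread and not pfSense's own generated ruleset (pfSense writes its equivalent to /tmp/rules.debug); the interface names, addresses, the 203.0.113.5 placeholder (documentation prefix) and the DoH table file are assumptions.

```pf
# Added example: pf rules equivalent to the pfSense settings discussed above.
# All names, addresses and the table file are assumptions; adjust to your own.
ext_if    = "em0"             # WAN interface (assumed)
int_if    = "em1"             # LAN interface (assumed)
int_net   = "192.168.1.0/24"  # LAN network (assumed)
web_srv   = "192.168.1.10"    # internal web server (assumed)
public_ip = "203.0.113.5"     # WAN address, documentation prefix placeholder

# Table of known DoH resolver addresses, loaded from a file you maintain
# (assumed path; one address or prefix per line).
table <doh_resolvers> persist file "/usr/local/etc/doh_resolvers.txt"

# ---- translation rules (pf requires these before the filter rules) ----

# 1. Ordinary port forward, what "Firewall > NAT > Port Forward" creates.
#    Forward only the ports actually served; a 1:1 mapping would expose
#    every port of $web_srv on $public_ip.
rdr on $ext_if proto tcp from any to $public_ip port 443 -> $web_srv port 443

# 2. NAT reflection: a LAN client talking to the public IP is redirected
#    to the internal server on the LAN interface.
rdr on $int_if proto tcp from $int_net to $public_ip port 443 -> $web_srv port 443

# 3. "Enable automatic outbound NAT for Reflection": rewrite the source to
#    the firewall's LAN address so the server's replies come back through
#    the firewall instead of going directly to the client (which would
#    otherwise see a reply from 192.168.1.10 and drop it).
nat on $int_if proto tcp from $int_net to $web_srv port 443 -> ($int_if)

# 4. Send all plain DNS from the LAN to the firewall's own resolver,
#    regardless of what the client has configured.
rdr on $int_if proto { tcp, udp } from $int_net to any port 53 -> ($int_if) port 53

# ---- filter rules: NAT/rdr rules translate, they never pass traffic ----

# Block DNS over TLS and known DoH endpoints so clients fall back to the
# local resolver (where split DNS still works).
block in quick on $int_if proto { tcp, udp } from $int_net to any port 853
block in quick on $int_if proto tcp from $int_net to <doh_resolvers> port 443

# Filter rules see the translated destination, so allow to $web_srv,
# both for genuine WAN visitors and for reflected LAN clients.
pass in quick on $ext_if proto tcp from any to $web_srv port 443 flags S/SA keep state
pass in quick on $int_if proto tcp from $int_net to $web_srv port 443 flags S/SA keep state

# Allow the redirected DNS to reach the local resolver.
pass in quick on $int_if proto { tcp, udp } from $int_net to ($int_if) port 53 keep state
```

Repeat rules 1 to 3 and the matching pass rules per forwarded port (SFTP, mail) instead of using a 1:1 mapping, and check the result with `pfctl -nf` before loading it. One note on viragomann's DoH point: blocking port 853 and the resolver table only catches clients that use the listed endpoints; Firefox additionally turns its built-in DoH off when the canary name use-application-dns.net resolves to NXDOMAIN, which a local-zone override in Unbound can provide.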

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.