NAT Reflection Broken after Upgrade
-
Has anyone else tried to see if NAT reflection is working for them? It appears to be broken after the update from 2.1 to 2.1.1 and onto 2.1.2. I even went as far as doing a fresh install and recreating a configuration from scratch to see if it was just an upgrade that went wrong, and I still have the same issue after a reinstall. Any help or feedback would be great.
Thanks,
MDP
-
Works just fine here on many boxes. You need to provide a whole lot more detailed insight into what's broken and what your configuration is.
-
What appears to be broken is accessing internal services from internal clients. Services such as websites and mail services. You can access these services just fine if you're on the outside of our network, but not from within. I can obviously get to the services via direct DNS host names. I have NAT + Proxy checked under System/Advanced/Firewall & NAT tab. The port forward rules I have are set to use the default policy with NAT + Proxy enabled, and I am not exceeding 500 port forwards. Has something changed in this new version that I am overlooking? I have never had an issue with NAT Reflection "EVER"! and I have been using it for about 8 years now. I tried to reinstall and created my configuration from scratch with the same result.
Is this clear enough or do you need more info? NAT Reflection has always been straightforward, not sure what is going on.
Thanks
-
You have yet again rewritten "oh noes it does not work". I did not ask for a definition of NAT reflection, but for details about what exactly is set up how and does not work. Also, do you have any good reason to use NAT + Proxy instead of Pure NAT?
-
A lot would like to have access to services from within the network. That's why NAT reflection is important.
How would you use pure NAT to obtain the same?
-
> How would you use pure NAT to obtain the same?
I guess we are not on the same page?
The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. Only TCP and UDP protocols are supported.
The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. All protocols available for port forwards are supported.
-
We are... that's why I am asking. You have to NAT outbound and then your packets are on the open internet... how does it come back without using the built-in proxy??
-
> We are... that's why I am asking. You have to NAT outbound and then your packets are on the open internet... how does it come back without using the built-in proxy??
You make no sense. I can assure you I've been using NAT reflection in Pure NAT mode (which still is NAT reflection) with web servers and mail servers all the time; there is no need for the proxy helper in normal setups.
-
@doktor As I'm understanding your bold text passages, proxy is only needed if the interface and/or gateway isn't "up" or available at initial rules loading time (e.g. reboot/power up). So I assume that is the case with - for example - dial-up connections, as those have no GW or interface address available before dialed-in, but the rules are loaded prior to that, so have to be available. Thus the need for proxies. In a "normal" kind of network setup with static routes & IPs that's unnecessary. Do I assume right?
-
> You have yet again rewritten "oh noes it does not work". I did not ask for a definition of NAT reflection, but for details about what exactly is set up how and does not work. Also, do you have any good reason to use NAT + Proxy instead of Pure NAT?
I thought my last post was detailed enough. pfSense makes many things easy. I realize there is a lot going on behind the scenes, but it is just a simple drop-down menu to enable it. Below is the pfSense hint text for NAT Reflection and Pure NAT.
**"When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks.
The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. Only TCP and UDP protocols are supported.
The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. All protocols available for port forwards are supported.
Individual rules may be configured to override this system setting on a per-rule basis."**
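As an added illustration (not from this thread and not pfSense's own generated ruleset), here is what the "pure NAT" mode described in the hint text above and in doktor's earlier post amounts to in plain pf syntax for a single web port forward; interface names and all addresses are constructed. The second `nat` rule is the reason the pure NAT mode must be able to determine the inside interface address when the rules are loaded, which is the job the proxy helper takes over in NAT + Proxy mode.

```pf
# Constructed example values (not from the thread)
ext_if  = "em0"               # WAN interface
int_if  = "em1"               # LAN interface
wan_ip  = "203.0.113.10"      # public address the DNS name resolves to
lan_ip  = "192.168.1.1"       # firewall's own LAN address
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"      # internal web server

# 1. The ordinary port forward: Internet -> WAN address:80 -> web server.
rdr on $ext_if proto tcp from any to $wan_ip port 80 -> $web_srv port 80

# 2. Reflection half: a LAN client that connects to the public address
#    is redirected to the same internal server. Without this rule the
#    packet would be routed out the WAN and the upstream would never
#    send it back, which is the "how does it come back" problem above.
rdr on $int_if proto tcp from $lan_net to $wan_ip port 80 -> $web_srv port 80

# 3. Source-NAT the reflected connection to the firewall's LAN address.
#    Otherwise the server would answer the client directly from
#    192.168.1.10, the client would see a reply from an address it never
#    connected to (it connected to 203.0.113.10) and drop it. This rule
#    needs $lan_ip, i.e. the interface address must be known at load time.
nat on $int_if proto tcp from $lan_net to $web_srv port 80 -> $lan_ip

# Matching filter rule so the redirected traffic is actually allowed.
pass in quick on $int_if proto tcp from $lan_net to $web_srv port 80 keep state
```

A useful check on a box where reflection seems broken is to compare the loaded translation rules (`pfctl -sn`) against the above: if there is a `rdr on` the WAN but no corresponding `rdr`/`nat` pair on the LAN interface for the same destination port, the reflection rules were never generated.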