Netgate Discussion Forum

    [SOLVED] NAT Reflection Troubles

    14 Posts 5 Posters 25.3k Views
NOYB:

      Local (LAN) Client
      http://web_server_local_ip_address/ works fine
      http://wan_ip_address/ works fine

      http://web_server_domain_name/ redirects to port 443 (pfSense WebGUI Configurator)
      (works from external (WAN) client)

      local http to pfSense does not redirect to https - as expected

      What am I missing?

      pfSense Settings:

      Port 80 NAT and Firewall Rule that redirects to the web server.

      System - Admin Access:
      HTTPS selected
      TCP Port 443
      Disable webConfigurator redirect rule checked
      Disable DNS Rebinding Checks checked

      System - Firewall / NAT:
      Enable (Pure NAT) NAT Reflection Mode
      Enable 1:1 NAT Reflection
      Enable Auto OutBound NAT Reflection

doktornotor:

        https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
        https://forum.pfsense.org/index.php?action=search

        Not even funny any more. Get proper DNS records and stop using this nonsense.

NOYB:

          Already read that, and not interested in doing split DNS right now.

          Shouldn't NAT reflection be functional for this use case?

doktornotor:

            No.

            https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

johnpoz (Global Moderator):

Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

NOYB:

                That doc indicates it should work.
                @article:

                To fix this, edit the NAT Port Forward for the offending port, and change External Address to Interface Address instead of any.

                NAT Port Forward is already configured to use the Interface Address instead of any.

                The symptom outlined there is not what I'm experiencing.  I can browse to external web sites just fine.
                @article:

                When NAT Reflection is enabled, any connection made to an external web site comes up as the internal web site instead.

The symptom I'm experiencing is that when browsing to the internally hosted http (port 80) web site via its FQDN it is redirected to https (port 443), so it hits the pfSense WebGUI configurator instead of being redirected to the internal LAN hosted web site. Works fine though if the FQDN's IP address (WAN interface IP address) is used instead of the name.

NOYB:

                  @johnpoz:

Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..

                  Don't recall anyone saying that it's not.  But that is not the objective.  NAT Redirection for local hosted web server is the objective.

johnpoz (Global Moderator):

And the objective is a pointless utter waste of time with a one-click override and you're done.. And to be honest it shouldn't even be a possible thing to do.. NAT reflection is a HACK..


KOM:

                      If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

NOYB:

                        @KOM:

                        If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

                        Yes I agree that it should work with the FQDN too.  But for some reason it wasn't getting reflected and instead getting redirected to port 443.

                        Had changed the WebGUI port, but didn't seem to help.

                        Don't know what changed since, but now it is working.
                        Can access the local hosted web site via:

                        http(s)://FQDN
                        http(s)://WAN IP address

                        http(s)://Local Host Name
                        http(s)://LAN IP address

                        And browsing external internet works fine too.

NOYB:

                          For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                          Firewall:
                          NAT rule that forwards ports 80 and 443 to the local hosted web server.
                          If: WAN, Proto, TCP, Src. addr: *, Src. ports: *, Dest. addr: WAN address, Dest. ports: Web Ports, NAT IP: Web Server, NAT Ports: Web Ports

                          Firewall rule that passes ports 80 and 443 to the local hosted web server.
                          Proto, IPv4 TCP, Source: *, Port: *, Destination: Web Server, Port: Web Ports, Gateway: *, Queue: none

                          System - Admin Access:
                          Protocol: HTTPS
                          TCP Port: 443
                          WebGUI redirect: Disabled (box checked)
                          DNS Rebind Check: Enabled (box NOT checked)

                          System - Firewall / NAT:
                          Network Address Translation
                          NAT Reflection mode for port forwards: Enable (Pure NAT)
                          Reflection Timeout: (not specified)
                          Enable NAT Reflection for 1:1 NAT: Disabled (box NOT checked)
                          Enable automatic outbound NAT for Reflection: Enabled (box checked)
                          TFTP Proxy: (not specified)

With this configuration the local hosted web server can be accessed by its FQDN, WAN IP address, Local Host Name, and LAN IP address.

                          Note: NAT Dest. addr set as "any" "*" will prevent internet browsing.

NOYB:

                            Think I figured out what was causing the troubles.  Browser internal redirection of http to https.

Initially only port 80 was in the NAT rule. So when the browser was internally redirecting to https there would not be any NAT reflection and the request would be serviced by the WebGUI on port 443.

captdragon:

                              @NOYB:

                              For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                              Glad you were able to get it working.

                              I have all my settings exactly like yours and I can't get it to work. Not sure what I'm missing and it's driving me crazy. It's definitely not the browser.

NOYB:

                                pfSense WebGUI issues a one year Strict-Transport-Security header.  So if being directed to https://my_domain.com/ when trying to use http://my_domain.com/ that is a possible cause.

                                Strict Transport Security (HSTS)
                                https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

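The two posts above (the "port 80 only in the NAT rule" diagnosis and the HSTS follow-up) describe one mechanism: once a browser has seen the WebGUI's Strict-Transport-Security header for the FQDN, it rewrites http://FQDN/ to https://FQDN/ before sending a single packet, so a port forward that covers only TCP/80 never sees the connection and the webConfigurator on TCP/443 answers. The script below is an added example written for this page; it is not code from the thread, from Netgate or from pfSense. It models that interaction (RFC 6797 header parsing and the http-to-https rewrite), and adds a browser-free probe that connects by IP with an explicit Host header so the check is independent of whatever HSTS policy the browser has cached. The hostname www.example.test, the header values and the forwarded-port sets are constructed for illustration; the only value taken from the thread is the one-year max-age.

```python
"""Added example (not from the thread or from pfSense): show how a cached
HSTS policy defeats a TCP/80-only port forward, and probe the WAN address
without a browser. Hostnames, ports and captured headers are constructed."""
import http.client
import ssl
from urllib.parse import urlsplit

# The policy the thread attributes to the pfSense WebGUI: one year.
WEBGUI_HSTS = "max-age=31536000"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid (missing or duplicated max-age); browsers ignore those.
    """
    max_age, include_sub = None, False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


def browser_target(url, hsts_cache):
    """(scheme, host, port) the browser really connects to.

    hsts_cache is the set of hosts with a cached, unexpired policy. Per
    RFC 6797 section 8.3 an http:// URL to such a host becomes https://
    (explicit port 80 becomes 443, other ports are kept) before any
    connection is attempted, so no port-80 forward can intercept it.
    """
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    if u.scheme == "http" and u.hostname in hsts_cache:
        return ("https", u.hostname, 443 if port == 80 else port)
    return (u.scheme, u.hostname, port)


def answering_service(port, forwarded_ports, webgui_port=443):
    """Which listener answers a LAN client hitting the WAN address on port.

    Pure-NAT reflection only covers ports in the port forward; a miss on
    the WebGUI port lands on the webConfigurator itself.
    """
    if port in forwarded_ports:
        return "web server"
    if port == webgui_port:
        return "pfSense WebGUI"
    return "no listener"


def simulate(url, hsts_cache, forwarded_ports):
    """End to end: browser HSTS rewrite, then firewall dispatch."""
    _, _, port = browser_target(url, hsts_cache)
    return answering_service(port, forwarded_ports)


def classify(status, headers):
    """Classify one captured response from the WAN address.

    'hsts'           - valid Strict-Transport-Security sent: from now on the
                       browser upgrades this host by itself.
    'redirect-https' - redirect to https:// without an HSTS header.
    'plain'          - an ordinary answer from the forwarded listener.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    if hsts is not None and parse_hsts(hsts) is not None:
        return "hsts"
    if status in (301, 302, 307, 308) and h.get("location", "").lower().startswith("https://"):
        return "redirect-https"
    return "plain"


def probe(host, ip, port=80, tls=False):
    """GET / on ip:port with Host: host, redirects not followed (network call).

    Connecting by IP sidesteps the browser HSTS cache. Certificate checks
    are off because the WebGUI normally presents a self-signed certificate.
    """
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port, timeout=5, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    result = classify(resp.status, dict(resp.getheaders()))
    conn.close()
    return result


if __name__ == "__main__":
    cache = {"www.example.test"}  # browser already visited the WebGUI once
    print(simulate("http://www.example.test/", cache, {80}))       # pfSense WebGUI
    print(simulate("http://www.example.test/", cache, {80, 443}))  # web server
    print(simulate("http://www.example.test/", set(), {80}))       # web server
    print(classify(200, {"Strict-Transport-Security": WEBGUI_HSTS}))  # hsts
```

Usage: from a LAN client, `probe("www.example.test", "<WAN IP>", 80)` should come back `plain` when the reflection rule is catching TCP/80, and `probe(..., 443, tls=True)` should also be `plain` once 443 is in the same forward; `hsts` on 443 means the WebGUI is still answering. If the browser itself keeps going to https, its cached policy has to go before a retest is meaningful (in Chrome that is the "Delete domain security policies" control at chrome://net-internals/#hsts); a cleared cache is the one thing the port-forward change cannot fix for you.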
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.