    [SOLVED] NAT Reflection Troubles

      doktornotor (Banned):

      No.

      https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

        johnpoz (LAYER 8 Global Moderator):

        Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

        Just what I love for performance is hairpinning all my connections through the interface and firewall rules. Makes for super speedy, great use of all resources involved.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          NOYB:

          That doc indicates it should work.
          @article:

          To fix this, edit the NAT Port Forward for the offending port, and change External Address to Interface Address instead of any.

          NAT Port Forward is already configured to use the Interface Address instead of any.

          The symptom outlined there is not what I'm experiencing.  I can browse to external web sites just fine.
          @article:

          When NAT Reflection is enabled, any connection made to an external web site comes up as the internal web site instead.

          The symptom I'm experiencing is that when browsing to the internal hosted http (port 80) web site via its FQDN it is redirected to https (port 443), so it hits the pfSense WebGUI configurator instead of being redirected to the internal LAN hosted web site. Works fine though if the FQDN's IP address (WAN interface IP address) is used instead of the name.

            NOYB:

            @johnpoz:

            Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

            Just what I love for performance is hairpinning all my connections through the interface and firewall rules. Makes for super speedy, great use of all resources involved.

            Don't recall anyone saying that it's not.  But that is not the objective.  NAT Redirection for local hosted web server is the objective.

              johnpoz (LAYER 8 Global Moderator):

              And the objective is a pointless utter waste of time with a one-click override and you're done. And to be honest it shouldn't even be a possible thing to do. NAT reflection is a HACK.

                KOM:

                If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

                  NOYB:

                  @KOM:

                  If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

                  Yes I agree that it should work with the FQDN too.  But for some reason it wasn't getting reflected and instead getting redirected to port 443.

                  Had changed the WebGUI port, but didn't seem to help.

                  Don't know what changed since, but now it is working.
                  Can access the local hosted web site via:

                  http(s)://FQDN
                  http(s)://WAN IP address

                  http(s)://Local Host Name
                  http(s)://LAN IP address

                  And browsing external internet works fine too.

                    NOYB:

                    For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                    Firewall:
                    NAT rule that forwards ports 80 and 443 to the local hosted web server.
                    If: WAN, Proto: TCP, Src. addr: *, Src. ports: *, Dest. addr: WAN address, Dest. ports: Web Ports, NAT IP: Web Server, NAT Ports: Web Ports

                    Firewall rule that passes ports 80 and 443 to the local hosted web server.
                    Proto: IPv4 TCP, Source: *, Port: *, Destination: Web Server, Port: Web Ports, Gateway: *, Queue: none

                    System - Admin Access:
                    Protocol: HTTPS
                    TCP Port: 443
                    WebGUI redirect: Disabled (box checked)
                    DNS Rebind Check: Enabled (box NOT checked)

                    System - Firewall / NAT:
                    Network Address Translation
                    NAT Reflection mode for port forwards: Enable (Pure NAT)
                    Reflection Timeout: (not specified)
                    Enable NAT Reflection for 1:1 NAT: Disabled (box NOT checked)
                    Enable automatic outbound NAT for Reflection: Enabled (box checked)
                    TFTP Proxy: (not specified)

                    With this configuration the local hosted web server can be accessed by its FQDN, WAN IP address, Local Host Name, and LAN IP address.

                    Note: NAT Dest. addr set as "any" "*" will prevent internet browsing.

                      NOYB:

                      Think I figured out what was causing the troubles. Browser internal redirection of http to https.

                      Initially only port 80 was in the NAT rule. So when the browser was internally redirecting to https there would not be any NAT reflection and the request would be serviced by the WebGUI on port 443.

                        captdragon:

                        @NOYB:

                        For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                        Glad you were able to get it working.

                        I have all my settings exactly like yours and I can't get it to work. Not sure what I'm missing and it's driving me crazy. It's definitely not the browser.

                          NOYB:

                          pfSense WebGUI issues a one year Strict-Transport-Security header.  So if being directed to https://my_domain.com/ when trying to use http://my_domain.com/ that is a possible cause.

                          Strict Transport Security (HSTS)
                          https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

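A constructed model of the failure mode NOYB describes in the two posts above (only port 80 in the port forward, the browser or an HSTS policy upgrades the request to https, and the 443 connection lands on the pfSense WebGUI instead of being reflected) together with the Dest. addr "any" pitfall from the working-configuration post. This is added example code, not from the thread or from pfSense; the addresses, the rule fields and the reflection logic are simplified assumptions.

```python
"""Simplified model of pfSense 'Pure NAT' reflection for port forwards (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

WAN_IP = "203.0.113.10"        # constructed WAN interface address
WEB_SERVER = "192.168.1.50"    # constructed LAN web server (the "Web Server" alias)
WEBGUI_PORT = 443              # Admin Access: Protocol HTTPS, TCP Port 443


@dataclass(frozen=True)
class PortForward:
    dest_addr: str             # "WAN address" or "any" (the "*" case from the thread)
    dest_ports: frozenset[int]
    nat_ip: str


def classify(rules, dst_ip, dst_port, webgui_port=WEBGUI_PORT):
    """Where a LAN client's TCP connection to dst_ip:dst_port ends up.

    'reflected:<ip>' - a port forward matched; reflection sends it to nat_ip
    'webgui'         - no forward matched and it hit the firewall's own WebGUI
    'internet'       - no forward matched; the connection leaves normally
    """
    for rule in rules:
        addr_ok = rule.dest_addr == "any" or (
            rule.dest_addr == "WAN address" and dst_ip == WAN_IP)
        if addr_ok and dst_port in rule.dest_ports:
            return f"reflected:{rule.nat_ip}"
    if dst_ip == WAN_IP and dst_port == webgui_port:
        return "webgui"
    return "internet"


def browse(rules, dst_ip, upgrade_to_https=True):
    """Browser fetches http://dst_ip/, then (HSTS or cached redirect) retries on 443."""
    hops = [classify(rules, dst_ip, 80)]
    if upgrade_to_https:
        hops.append(classify(rules, dst_ip, 443))
    return hops


# The thread's original config: only port 80 forwarded.
broken = [PortForward("WAN address", frozenset({80}), WEB_SERVER)]
# The posted working config: ports 80 and 443 ("Web Ports") forwarded.
working = [PortForward("WAN address", frozenset({80, 443}), WEB_SERVER)]
# Dest. addr "*" / any: every outbound port-80 connection is reflected inward.
too_broad = [PortForward("any", frozenset({80, 443}), WEB_SERVER)]

if __name__ == "__main__":
    print(broke_hops := browse(broken, WAN_IP))            # second hop lands on 'webgui'
    print(browse(working, WAN_IP))                          # both hops reflected
    print(classify(too_broad, "198.51.100.7", 80))          # external site reflected: browsing breaks
```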
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.