Why is NAT Reflection not a good thing?
-
Hi All,
I have been fighting with DNS Resolver ever since I was talked into switching from NAT Reflection to DNS Resolver with host overrides.
With DNS Resolver I have local issues passing URLs to local servers. As an example, with DNS Resolver, www.xyz.com:xxxx passes all ports to the same IP. I need to direct to the correct IP depending on the port number. With DNS Resolver everything is passed to the same IP. NAT Reflection worked flawlessly.
I have to use a domain address and not an IP in the URL because the sites are https with a certificate. Using an IP in the URL does not work.
So the big question is what is so bad about NAT Reflection that I have to give up access to local servers from local networks? What security risks am I taking using NAT Reflection? Maybe the risks do not affect me. If it is a performance issue with NAT Reflection, then I am not concerned since my activity is low.
If I should not use NAT Reflection then what are my alternatives? DNS Resolver Host Overrides doesn't work for me.
From outside the local network all works great since I use port forwards to direct the incoming ports to the correct server. I can't do that locally between interfaces using Host Overrides.
Is it possible to set up port forward rules to direct LAN traffic based on the port to the correct internal IP? Maybe set up a phantom IP that Host Overrides points to and then use port forwarding to redirect that IP to the correct internal IP based on the port number. Would that work?
-
Oh noes, no phantom hacks, please. What you really need on the WAN side is SNI and a reverse proxy for stuff like HTTP/HTTPS. (Can be done LAN side as well, of course, but it's just pointless, since after that you might fix the broken design that's pointing one FQDN to tons of different places depending on port.) One machine, one hostname. Using the proper port, like 443 for HTTPS.
-
doktornotor, please do not question a design you know nothing about. Just shows ignorance. Let someone else help me. Every time you answer my questions it is accusatory and rude. If you can't help and be civil then don't respond.
Everything works perfectly from remote clients. HTTPS is used to invoke the certificate. All servers are set up to use HTTPS on the alternate ports, which must all be addressed via the one URL. Yes, I can get to any server using the IP, but with certificate errors. Nowhere is it written in stone that one must use port 443 when using a secured link.
Please, all I want to know is what the downsides are to using NAT Reflection, which works. If pfSense isn't capable of handling this, then I will just use NAT Reflection. Just looking for answers on why not to use NAT Reflection, or if there are any alternative solutions to using port forward locally to the LAN interface. I also simply wanted to know if it is possible to port forward from the LAN side.
-
NAT itself is a hack, and NAT reflection no less so.
if there are any alternative solutions to using port forward locally to the LAN interface.
You got the answer already.
Have you actually looked up SNI? And reverse proxies are available as pfSense packages as well. That would be a straightforward approach working from everywhere you need it to.
Is it easier to complain about the perceived tone of a post than doing your homework with the info already given? :-[
-
doktornotor, please do not question a design you know nothing about.
…
If pfSense isn't capable of handling this, then I will just use NAT Reflection.
Dude, it isn't a pfSense issue. It's how DNS works! SRV is the only type of record that does care about ports in DNS. Your browsers (and really the vast majority of other things) do not give a damn about SRV records; not implemented. So yeah, I do question the sort of design which is broken – uhm, by design (pun intended).
Sorry to have disturbed your circles...
-
QFT:
Is it easier to complain about the perceived tone of a post than doing your homework with the infos already given? :-[
Nicely said!! I will have to use that myself ;) Might even make a great signature…
edit: If dok had left off..
"Oh noes, no phantom hacks, please." Would you have read his post differently for the correct and good information it contains? But since he makes a comment that reflects his more-than-likely frustration with the same sort of nonsense questions and statements that make anyone in the field cringe.. Which have been posted about over and over and over again, time and time again and again and again..
Maybe how you should take that sort of post is: oh, dok thinks it's stupid.. So wow, maybe I should rethink this.. Thanks dok!!!
-
Still no answer to the base question "Why is NAT Resolution not recommended".
SNI is not the answer since it doesn't address local port forwards. Forget about the HTTPS. Even with that aside, I still do not know how to locally direct multiple ports to different IPs in pfSense. I use port forwards for external redirection, but that does not work on the internal LAN interface.
The certificate is used by the receiving software for messages, which is why I need to use the certificate's FQDN and not an IP.
I am not the one who laid blame on "bad design", which was pure ignorance. Frankly that is an insult and I take pause with that. I may not be a pfSense expert, but I have computer degrees and credentials that go back 35 years.
-
Even with that aside, I still do not know how to locally direct multiple ports to different IPs in pfSense. I use port forwards for external redirection, but that does not work on the internal LAN interface.
Yes, they do NOT work, because communication on the same subnet does NOT go over the firewall at all. The switch sends it directly to the destination. Networking basics 101. To make it go through the firewall, the DNS would need to point to the LAN interface on the firewall.
Your design is patently broken.
-
One very definite objection to NAT reflection is that it makes traffic that was never meant for the router/firewall in the first place traverse it, every single packet of the redirected traffic. This may be a major performance issue depending on the setup. With split DNS this is never an issue because the local traffic stays local.
-
"Why is NAT Resolution not recommended"
Because it's a sub-optimal hack that sometimes breaks some network apps in certain edge cases. If it works for you then use it if it solves your problem.
Frankly that is an insult and I take pause with that.
Saying you have a broken design is not an insult. It is saying that you or someone else made a mistake, nothing more. It isn't personal and you shouldn't take it that way.
but I have computer degrees and credentials that go back 35 years.
Good for you. Same here, but I don't consider myself an expert on everything technical or computer-related. For instance, most software developers I know wouldn't know a network if a switch fell and hit them in the head. I help out here a lot, but I'm weak on IPv6 and VLANs and I know it.
The old-timers here really know their stuff, so you can take what they say and accept it even if it bruises your ego a little bit.
-
I think I may have explained my situation incorrectly. Sorry if that set anyone off and thanks for clarifying NAT Reflection.
I want the LAN subnet to be port forwarded to another interface, not on the same interface/subnet. I know that cannot work.
The local LAN is on subnet 192.168.1.0/24 - sent to a switch with 16 ports/users
The server is on interface OPT2 subnet 192.168.20.0/24 without a switch. Direct connection from OPT2 to the server. The server has 3 IPs on the NIC: 192.168.20.2/3/4. Each program on the server is bound to an internal IP on that server listening on a different port. When traffic comes from the WAN it is port forwarded to the correct IP. Local LAN users get directed to the one IP assigned to the DNS from the URL. I need the local users to get to the same IPs as external users.
Now, as an example, I want to port forward all local LAN traffic from 192.168.1.xxx port 9999 to 192.168.20.2, port 8888 to 192.168.20.3, and port 7777 to 192.168.20.3.
Do I just set up additional rules in port forwarding specifying the LAN as the incoming? Or is there a better method?
If this is a design problem, please explain.
-
Now, as an example, I want to port forward all local LAN traffic from 192.168.1.xxx port 9999 to 192.168.20.2, port 8888 to 192.168.20.3, and port 7777 to 192.168.20.3.
… instead of having to do nothing at all, because it'd be routed just fine by default between interfaces. And you still do not understand why your design is broken? Why are you spreading the single WAN IP limitations across your entire network? How on earth does this make any sense whatsoever?
-
How is the design broken, unless you mean the way I have configured pfSense, which is why I am asking these questions? My setup is a simple and common one. I have a local LAN interface on 192.168.1.0/24 and one server on OPT2 with a subnet of 192.168.20.0/24.
Now, if I do a request externally to www.xyz.com:9999, traffic is forwarded to 192.168.20.2, www.xyz.com:8888 is forwarded to 192.168.20.3, and www.xyz.com:7777 is forwarded to 192.168.20.4. Right now, the way it is configured, from the local LAN all www.xyz.com:xxxx traffic goes to 192.168.20.2 regardless of the port # because the port forward rules are only looking at the external NAT IP. DNS Resolver host override has www.xyz.com pointing to 192.168.20.2. If I do not use host overrides, I cannot resolve www.xyz.com locally at all.
The server I want to locally forward to is NOT on the same subnet or switch as the local LAN interface.
I just want the local LAN to go to the same IPs as the external traffic. With NAT Reflection it works fine. All I want to know is if this can be done; if not, I will go back to NAT Reflection. Maybe pfSense is supposed to do this using the default routing, but it doesn't.
I will post screenshots if anyone needs them to see what I setup.
-
pfSense does routing, yeah. And DNS (except SRV records) does NOT do ports, as already explained.
192.168.20.2 - foo.example.com
192.168.20.3 - bar.example.com
192.168.20.4 - baz.example.com
Will be routed just fine; traffic to every single port will be routed just fine for each of those. No need for NAT, port forwarding, NAT reflection and similar idiocy. You do not call 3 different machines the same; would seem highly obvious. It's broken even on WAN. Use CNAMEs pointing to the www.example.com A record.
So yeah, go back to NAT reflection, because this is going nowhere.
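To make the three designs argued over in this thread concrete, here is an added example (not code from the thread, its posters, or pfSense) that models where a connection to name:port finally lands. It resolves the name in either the Internet or the LAN DNS view, then applies pf-style redirects only on the interface the packet enters, which is exactly why a host override alone can never steer by port while a per-port forward can. The addresses mirror the posts (LAN 192.168.1.0/24, servers 192.168.20.2/3/4 on OPT2, ports 9999/8888/7777); 203.0.113.10 is a constructed placeholder for the single public IP, and foo/bar/baz.example.com are the names from the reply above.

```python
"""Where does a request land under each design discussed in the thread?

Added example, not code from the thread or from pfSense. All addresses and
rules are constructed to mirror the numbers in the posts; 203.0.113.10 is a
placeholder for the single public address.
"""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"  # constructed placeholder for the public IP


@dataclass(frozen=True)
class Rdr:
    """A pf-style redirect: on `iface`, traffic to dst_ip:dst_port goes to to_ip:to_port."""
    iface: str
    dst_ip: str
    dst_port: int
    to_ip: str
    to_port: int


@dataclass
class Design:
    external_dns: dict          # name -> address answered to Internet clients
    internal_dns: dict          # name -> address answered to LAN clients (host overrides)
    rdrs: list = field(default_factory=list)


def resolve(design, name, client_on_lan):
    """DNS step. The port never appears here: an A record carries no port."""
    view = design.internal_dns if client_on_lan else design.external_dns
    if name not in view:
        raise LookupError(f"{name} has no answer in the {'LAN' if client_on_lan else 'WAN'} view")
    return view[name]


def deliver(design, name, port, client_on_lan):
    """Return the (ip, port) a connection to name:port finally reaches.
    Only a redirect on the interface the packet enters can change the target;
    otherwise the packet is simply routed to the resolved address as-is."""
    ip = resolve(design, name, client_on_lan)
    iface = "lan" if client_on_lan else "wan"
    for r in design.rdrs:
        if (r.iface, r.dst_ip, r.dst_port) == (iface, ip, port):
            return (r.to_ip, r.to_port)
    return (ip, port)


def lan_mismatches(design, requests):
    """For each (name, port) a LAN client might use, report the cases where the
    LAN client and an Internet client end up on different servers for the same URL."""
    bad = []
    for name, port in requests:
        inside = deliver(design, name, port, client_on_lan=True)
        outside = deliver(design, name, port, client_on_lan=False)
        if inside != outside:
            bad.append((f"{name}:{port}", inside, outside))
    return bad


# WAN-side port forwards as the original poster describes them; every design keeps these.
WAN_FORWARDS = [
    Rdr("wan", WAN_IP, 9999, "192.168.20.2", 9999),
    Rdr("wan", WAN_IP, 8888, "192.168.20.3", 8888),
    Rdr("wan", WAN_IP, 7777, "192.168.20.4", 7777),
]

# Design A: the poster's current setup. One name, a host override to .20.2, no LAN-side NAT.
SPLIT_DNS_ONE_NAME = Design(
    external_dns={"www.xyz.com": WAN_IP},
    internal_dns={"www.xyz.com": "192.168.20.2"},
    rdrs=list(WAN_FORWARDS),
)

# Design B: NAT reflection. No override; the WAN forwards are mirrored on the LAN
# interface, so LAN packets addressed to the public IP are rewritten by the firewall.
NAT_REFLECTION = Design(
    external_dns={"www.xyz.com": WAN_IP},
    internal_dns={"www.xyz.com": WAN_IP},
    rdrs=list(WAN_FORWARDS)
    + [Rdr("lan", r.dst_ip, r.dst_port, r.to_ip, r.to_port) for r in WAN_FORWARDS],
)

# Design C: one name per host, as suggested above. Overrides point straight at each
# server and plain routing between LAN and OPT2 does the rest; no LAN-side NAT at all.
ONE_NAME_PER_HOST = Design(
    external_dns={n: WAN_IP for n in ("foo.example.com", "bar.example.com", "baz.example.com")},
    internal_dns={"foo.example.com": "192.168.20.2",
                  "bar.example.com": "192.168.20.3",
                  "baz.example.com": "192.168.20.4"},
    rdrs=list(WAN_FORWARDS),
)

if __name__ == "__main__":
    one_name = [("www.xyz.com", p) for p in (9999, 8888, 7777)]
    per_host = [("foo.example.com", 9999), ("bar.example.com", 8888), ("baz.example.com", 7777)]
    print("split DNS, one name:", lan_mismatches(SPLIT_DNS_ONE_NAME, one_name))
    print("NAT reflection:     ", lan_mismatches(NAT_REFLECTION, one_name))
    print("one name per host:  ", lan_mismatches(ONE_NAME_PER_HOST, per_host))
```

Running it shows design A sending LAN clients for :8888 and :7777 to 192.168.20.2 while Internet clients reach .20.3 and .20.4, design B matching because the firewall rewrites every LAN packet addressed to the public IP, and design C matching with no rewriting at all, which is the "routed just fine" point made above. Design C still needs the WAN-side forwards, since all three names share one public address there.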
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
And why would you when there is a viable solution already? If it works and serves your purpose and needs then it is not broke. As with most things there is more than one way to accomplish something. Some are better than others in one way or another but also may have other undesirable liabilities. Like cost. Sometimes the "better" way is overkill for the situation/environment etc. There are considerations that make NAT reflection the "better" solution for situations. "Hair pinning" is not a significant concern, and performance is not a significant requirement, in some cases. And NAT reflection works just fine. Labeling it a "hack" is just emotional response that doesn't really matter.
Design your infrastructure to meet your needs/requirements. That includes cost and practicality for what it needs to support, etc. Split DNS and NAT reflection are both viable designs. Use them as needed to meet your needs.
https://forum.pfsense.org/index.php?topic=122088.msg674603#msg674603
-
Thanks, I think I will go back to NAT Reflection instead of spending money on multiple EV Certificates. A shame I can't get a wildcard EV cert.
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
Thanks, I think I will go back to NAT Reflection instead of spending money on multiple EV Certificates. A shame I can't get a wildcard EV cert.
If SAN (Subject Alternative Names) will work for you instead of a wildcard, that may be an option for your EV cert.
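The certificate question that drives this whole thread (an IP in the URL fails, a single-name cert covers only one host, a wildcard is not available for EV, a SAN cert lists each name) comes down to how a client matches the URL host against the certificate's names. The following is an added example, not code from the thread or from any certificate vendor, that implements the usual browser matching rules: dNSName entries match case-insensitively, a wildcard may only be the whole left-most label and stands for exactly one label, and an IP literal is accepted only against an iPAddress entry. The three certificate profiles and the host list are constructed for illustration.

```python
"""Which certificate name set covers which URL host?

Added example, not from the thread. Matching follows the common server
certificate rules (RFC 6125 style): exact dNSName match, single-label
wildcard as the entire left-most label, IP literals only against iPAddress
SANs. Certificate profiles below are constructed.
"""
import ipaddress


def dns_name_matches(pattern, host):
    """Compare one dNSName SAN entry against the host name taken from the URL."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only "*.<domain>" is accepted, with at least two labels after the star, and
    # the star stands for exactly one label: *.xyz.com matches foo.xyz.com but
    # neither xyz.com itself nor a.foo.xyz.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns, san_ips, url_host):
    """True if a certificate carrying these SAN entries is valid for url_host."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))   # IPv6 literals arrive bracketed
    except ValueError:
        return any(dns_name_matches(p, url_host) for p in san_dns)
    # An IP in the URL is compared against iPAddress SANs only; the DNS names in
    # the certificate are irrelevant, which is why https://192.168.20.2 errors.
    return any(ip == ipaddress.ip_address(s) for s in san_ips)


def coverage(cert, hosts):
    """Map each host to whether `cert` (dict with 'dns' and 'ip' lists) covers it."""
    return {h: cert_covers(cert["dns"], cert["ip"], h) for h in hosts}


# Constructed certificate profiles mirroring the thread: a single-name cert,
# a wildcard, and a multi-domain (SAN) cert listing each server name.
SINGLE_NAME = {"dns": ["www.xyz.com"], "ip": []}
WILDCARD = {"dns": ["*.xyz.com"], "ip": []}
MULTI_SAN = {"dns": ["www.xyz.com", "foo.xyz.com", "bar.xyz.com", "baz.xyz.com"], "ip": []}

HOSTS = ["www.xyz.com", "foo.xyz.com", "bar.xyz.com", "xyz.com", "a.foo.xyz.com", "192.168.20.2"]

if __name__ == "__main__":
    for label, cert in (("single", SINGLE_NAME), ("wildcard", WILDCARD), ("SAN", MULTI_SAN)):
        print(f"{label:9}", coverage(cert, HOSTS))
```

The single-name profile covers only www.xyz.com, the wildcard covers the three per-server names but not the bare domain or any deeper name, and the SAN profile covers exactly the names it lists; none of them accepts the raw IP. When pricing the multi-domain cert, the list in `MULTI_SAN` is the set of names it would have to carry for the one-name-per-host layout to work with a single certificate.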
-
I think I will go back to NAT Reflection
Pardon my ignorance, we already learned that your servers are on a different subnet than your LAN.
It isn't NAT reflections then but simple port forwards, is it?
AFAIK a reflection only goes back to the same subnet.
-
Yeah, looked into the SAN EV but the cost is even higher. That is the best solution, but I previously disregarded it because of the expense. Wanted to see if there was something I could do within pfSense. That answer seems to be: stay with NAT Reflection until December when the EV cert expires, then get the multi-domain SAN cert.