Why is NAT Reflection not a good thing?
-
One very definite objection to NAT reflection is that it makes traffic that was never meant for the router/firewall in the first place traverse it, every single packet of the redirected traffic. This may be a major performance issue depending on the setup. With split DNS this is never an issue because the local traffic stays local.
-
"Why is NAT Resolution not recommended"
Because it's a sub-optimal hack that sometimes breaks some network apps in certain edge cases. If it works for you then use it if it solves your problem.
Frankly that is an insult and I take pause with that.
Saying you have a broken design is not an insult. It is saying that you or someone else made a mistake, nothing more. It isn't personal and you shouldn't take it that way.
but I have computer degrees and credentials that go back 35 years.
Good for you. Same here, but I don't consider myself an expert on everything technical or computer-related. For instance, most software developers I know wouldn't know a network if a switch fell and hit them in the head. I help out here a lot, but I'm weak on IPv6 and VLANs and I know it.
The old-timers here really know their stuff, so you can take what they say and accept it even if it bruises your ego a little bit.
-
I think I may have explained my situation incorrectly. Sorry if that set anyone off and thanks for clarifying NAT Reflection.
I want the LAN subnet to be port forwarded to another interface, not on the same interface/subnet. I know that cannot work.
The local LAN is on subnet 192.168.1.0/24 - sent to a switch with 16 ports/users
The server is on interface OPT2 subnet 192.168.20.0/24 without a switch. Direct connection from OPT2 to the server. The server has 3 IPs on the NIC: 192.168.20.2/3/4. Each program on the server is bound to an internal IP on that server listening on a different port. When traffic comes from the WAN it is port forwarded to the correct IP. Local LAN users get directed to the one IP assigned to the DNS from the URL. I need the local users to get to the same IPs as external users. Now, as an example, I want to port forward all local LAN traffic from 192.168.1.xxx port 9999 to 192.168.20.2, port 8888 to 192.168.20.3, and port 7777 to 192.168.20.3.
Do I just setup additional rules in port forwarding specifying the LAN as the incoming? Or is there a better method?
If this is a design problem, please explain.
-
Now, as an example, I want to port forward all local LAN traffic from 192.168.1.xxx port 9999 to 192.168.20.2, port 8888 to 192.168.20.3, and port 7777 to 192.168.20.3.
… instead of having to do nothing at all, because it'd be routed just fine by default between interfaces. And you still do not understand why your design is broken? Why are you spreading the single WAN IP limitations across your entire network? How on earth does this make any sense whatsoever?
-
How is the design broken unless you mean the way I have configured PFsense which is why I am asking these questions. My setup is a simple and common one. I have a local LAN interface on 192.168.1.0/24 and one server on OPT2 with a subnet of 192.168.20.0/24.
Now, if I do a request externally to www.xyz.com:9999, traffic is forwarded to 192.168.20.2, www.xyz.com:8888 is forwarded to 192.168.20.3, and www.xyz.com:7777 is forwarded to 192.168.20.4. Right now, the way it is configured, from the local LAN, all www.xyz.com:xxxx traffic goes to 192.168.20.2 regardless of the port # because the port forward rules are only looking at the external NAT IP. DNS Resolver host override has www.xyz.com pointing to 192.168.20.2. If I do not use host overrides, I cannot resolve www.xyz.com locally at all.
The server I want to locally forward to is NOT on the same subnet or switch as the local LAN interface.
I just want the local LAN to go to the same IPs as the external traffic. With NAT Reflection it works fine. All I want to know is if this can be done; if not I will go back to NAT Reflection. Maybe PFsense is supposed to do this using the default routing, but it doesn't.
I will post screenshots if anyone needs them to see what I setup.
-
pfSense does routing, yeah. And DNS (except SRV records) does NOT do ports, as already explained.
192.168.20.2 - foo.example.com
192.168.20.3 - bar.example.com
192.168.20.4 - baz.example.com
Will be routed just fine, traffic to every single port will be routed just fine for each of those. No need for NAT, port forwarding, NAT reflection and similar idiocy. You do not call 3 different machines the same, would seem highly obvious. It's broken even on WAN. Use CNAMEs pointing to www.example.com A record.
So yeah, go back to NAT reflection, because this is going nowhere.
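The point made in this post and in the original poster's description above (DNS answers carry no port, so one hostname with one host override sends every port to the same box, while NAT reflection hairpins the traffic through the firewall where the per-port WAN forwards apply, and one name per host needs no NAT at all) can be shown with a small model. This is an added illustration, not pfSense code; the public IP is a placeholder from the documentation range, and the rule format and path labels are assumptions made for the example.

```python
"""
Toy model of where a LAN client's connection to hostname:port ends up under
the configurations discussed in the thread: a single host override (split
DNS), NAT reflection, and one DNS name per internal host.

Added illustration; not pfSense code. The rule format and the "path" labels
are assumptions made for this example.
"""

# Constructed addressing mirroring the thread; the public IP is a placeholder.
WAN_IP = "203.0.113.10"

# The WAN port forwards as the poster describes them: one public IP, three
# ports, three internal addresses on the OPT2 segment.
WAN_PORT_FORWARDS = {
    9999: "192.168.20.2",
    8888: "192.168.20.3",
    7777: "192.168.20.4",
}


def resolve(name, host_overrides):
    """Split-DNS resolution: a host override wins, otherwise the public A record.
    An A record carries no port, so the answer is identical for every port."""
    return host_overrides.get(name, WAN_IP)


def destination(name, port, host_overrides, nat_reflection=False):
    """Where a LAN client's connection to name:port ends up.

    Returns (ip, port, path), where path is one of:
      'direct'     - resolved to an internal IP and routed straight to that host
      'reflected'  - resolved to the WAN IP and hairpinned through the firewall,
                     where the WAN port forward for that port is applied
      'no-forward' - resolved to the WAN IP with reflection off, so no port
                     forward is applied to the internally sourced connection
    """
    ip = resolve(name, host_overrides)
    if ip != WAN_IP:
        return ip, port, "direct"
    if nat_reflection and port in WAN_PORT_FORWARDS:
        return WAN_PORT_FORWARDS[port], port, "reflected"
    return ip, port, "no-forward"


def dispatch_table(urls, host_overrides, nat_reflection=False):
    """Map each name:port the clients use to the internal IP it actually reaches."""
    return {
        f"{name}:{port}": destination(name, port, host_overrides, nat_reflection)[0]
        for name, port in urls
    }


# The three service endpoints from the thread, all behind one hostname.
SERVICES = [("www.xyz.com", 9999), ("www.xyz.com", 8888), ("www.xyz.com", 7777)]

if __name__ == "__main__":
    # 1. One hostname, one host override: every port lands on 192.168.20.2.
    print(dispatch_table(SERVICES, {"www.xyz.com": "192.168.20.2"}))
    # 2. No override, NAT reflection on: the WAN port forwards decide per port.
    print(dispatch_table(SERVICES, {}, nat_reflection=True))
    # 3. One name per host: plain routing, no NAT, each name reaches its own box.
    per_host = {
        "foo.example.com": "192.168.20.2",
        "bar.example.com": "192.168.20.3",
        "baz.example.com": "192.168.20.4",
    }
    print(dispatch_table([("foo.example.com", 9999), ("bar.example.com", 8888),
                          ("baz.example.com", 7777)], per_host))
```

Case 1 reproduces the complaint that every port goes to 192.168.20.2; case 2 is the NAT reflection path, where the firewall sees each LAN connection and applies the per-port forward; case 3 is the per-name layout from this post, where the resolver alone picks the host and the firewall only routes.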
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
And why would you when there is a viable solution already? If it works and serves your purpose and needs then it is not broken. As with most things there is more than one way to accomplish something. Some are better than others in one way or another but also may have other undesirable liabilities. Like cost. Sometimes the "better" way is overkill for the situation/environment etc. There are considerations that make NAT reflection the "better" solution for some situations. "Hair pinning" is not a significant concern, and performance is not a significant requirement, in some cases. And NAT reflection works just fine. Labeling it a "hack" is just an emotional response that doesn't really matter.
Design your infrastructure to meet your needs/requirements. That includes cost and practicality for what it needs to support, etc. Split DNS and NAT reflection are both viable designs. Use them as needed to meet your needs.
https://forum.pfsense.org/index.php?topic=122088.msg674603#msg674603
-
Thanks, I think I will go back to NAT Reflection instead of spending money on multiple EV Certificates. A shame I can't get a wildcard EV cert.
-
A nice flatly laid out example, thank you. Then I can just use the correct subdomain in the host override. I can do that, just means I will have to buy more EV certs. Didn't want to go through that expense.
Thanks, I think I will go back to NAT Reflection instead of spending money on multiple EV Certificates. A shame I can't get a wildcard EV cert.
If SAN (Subject Alternative Names) will work for you instead of a wildcard, that may be an option for your EV cert.
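The difference between a single-name certificate, a multi-domain (SAN) certificate and a wildcard, in terms of which hostnames a client will accept, can be shown with the name-matching rules a TLS client applies. This is an added example with constructed certificate records; it is not pfSense code or any CA's logic. It follows the matching rules of RFC 6125 section 6.4.3: SAN entries are checked first and the CN is only a fallback when there is no SAN list, a wildcard is only valid as the whole left-most label, and it matches exactly one label.

```python
"""
Certificate hostname matching, as a TLS client performs it, used here to show
why a single-name cert fails on foo/bar/baz.example.com, why listing them as
SANs covers them, and what a wildcard would and would not cover.

Added example; the certificate records are constructed and the functions are
a simplified model of RFC 6125 section 6.4.3 name matching.
"""


def label_matches(pattern_label, host_label):
    """A whole-label '*' matches any single label; otherwise labels must be equal."""
    if pattern_label == "*":
        return True
    return pattern_label.lower() == host_label.lower()


def name_matches(pattern, hostname):
    """Does one certificate name (possibly a leading wildcard) cover hostname?"""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if "*" in p[1:]:
        return False  # a wildcard is only allowed in the left-most label
    if any("*" in lbl and lbl != "*" for lbl in p):
        return False  # partial-label wildcards such as f*.example.com are rejected
    return all(label_matches(a, b) for a, b in zip(p, h))


def cert_covers(cert, hostname):
    """Check the SAN list; fall back to the CN only when the cert has no SANs."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


# Constructed certificate records: a single-name EV cert like the poster's,
# a multi-domain SAN cert, and a wildcard cert for comparison.
SINGLE_NAME_EV = {"cn": "www.example.com", "san": ["www.example.com"]}
MULTI_DOMAIN_SAN = {
    "cn": "www.example.com",
    "san": ["www.example.com", "foo.example.com", "bar.example.com", "baz.example.com"],
}
WILDCARD = {"cn": "*.example.com", "san": ["*.example.com"]}


def coverage(cert, hostnames):
    """Which of the given hostnames the certificate is valid for."""
    return {h: cert_covers(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["www.example.com", "foo.example.com", "bar.example.com", "example.com"]
    for label, cert in [("single-name", SINGLE_NAME_EV), ("SAN", MULTI_DOMAIN_SAN),
                        ("wildcard", WILDCARD)]:
        print(label, coverage(cert, hosts))
```

The single-name cert is exactly the poster's situation: any URL using a different host label fails the check, which is why splitting services across foo/bar/baz names means the certificate has to list those names, either as SAN entries or via a wildcard.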
-
I think I will go back to NAT Reflection
Pardon my ignorance, we already learned that your servers are on a different subnet than your LAN.
It isn't NAT reflections then but simple port forwards, is it?
AFAIK a reflection only goes back to the same subnet.
-
Yeah, looked into the SAN EV but the cost is even higher. That is the best solution but I previously disregarded it because of the expense. Wanted to see if there was something I could do within PFsense. That answer seems to be to stay with NAT Reflection until December when the EV cert expires, then get the multi-domain SAN cert.
-
jahonix,
I thought so too, but no one mentioned port forwards would work with the LAN interface when WAN port forwards already exist. Some people on this forum seem more hard fast in their own design principles than coming up with answers to special situations. Sometimes we need to look outside the box. Let me re-ask this way.
Can I also port forward LAN requests to specific IPs based on the port number by specifying the LAN as the interface and destination? These ports are all uncommon port numbers not used by anything else.
Thanks for your response. This question I think got way deeper than it should have. My fault, but it got me here to ask the right question.
-
Ok I am confused on what the actual goal is here.
So you have some server that sits on a network segment behind pfsense. Let's call it 192.168.2.100..
Now you access this via some fqdn on the public internet.. lets call it www.yourdomain.com which points to your public IP that sits on pfsense wan interface.
And you have some services running on the non standard http/https ports? So I'm on the public internet I hit https://www.yourdomain.com:8888 for example.. You forward this to your server 192.168.2.100
You have a ssl cert on this box that is trusted by the public since it is signed by a public CA..
So now your question is how does a box on one of your other networks, let's say clientA at 192.168.1.45, want to go to this box and the name needs to match so your cert is trusted right??
Why do port forwards come into play?? Just create a host override in your dns that points www.yourdomain.com to 192.168.2.100, and allow your devices on lan to go to 192.168.2.100 on whatever ports they might be using. So your clientA just uses the same https://www.yourdomain.com:8888 url..
I am not seeing how this is a problem?? Or has anything to do with port forwarding, nat or or nat reflection, etc.
This box at 192.168.2.100 can serve up all kinds of different sites on different ports 3000, 8080, 8443, etc.. that has nothing to do with its name. Its name would always be www.yourdomain.com or whatever other names you have certs for. Your url would just reflect the port ie https://www.yourdomain.com:8443 or :9999 etc..
-
johnpoz: Really simple what's the problem. He's trying to use one hostname for multiple services on multiple machines. It's like trying to use example.com for SMTP, WWW, FTP and god knows what. Just one level up (www.example.com). That obviously does not work well neither from WAN, nor from LAN.
-
Johnpoz,
On the public internet,
if someone requests https://www.yourdomain.com:9999 it goes to 192.168.20.2
if someone requests https://www.yourdomain.com:8888 it goes to 192.168.20.3
if someone requests https://www.yourdomain.com:7777 it goes to 192.168.20.4
Port forwards handle this via the public internet. Locally on the LAN all requests go to 192.168.20.2 regardless of the port number because port forwards only redirect the public internet and DNS controls the local resolution. This is why my question was, can I setup 2 LAN port forwards as well to direct these ports 8888 and 7777 to go to the correct IP?
All I need to know is will this work? If not then I will go back to NAT Reflection until my cert expires in December. I have no choice because I have one EV cert with one FQDN. I cannot use sub-domains at this time, SSL will fail on those.
-
No you cannot, because the traffic will never hit the firewall if it resolves to LAN IPs. Already explained. Multiple times.
-
Ok then NAT Reflection it is. Thanks.
-
well for starters using ports to get to different boxes is pretty much a borked work around. Sure you can do that if you only have 1 IP. But the better solution would be to use a reverse proxy if you are limited to 1 public IP. Better solution would be to get more public IPs ;)
And with dok if you're hosting these services on other boxes, they should have different names. You could still point them to your single IP and use reverse proxy.
As to not wanting to spend money to get another cert with the different name.. Again your hack is not how you would do it in any real setup. It's a hack/work around to save what amounts to a few bucks in the big picture..
If I am not mistaken you can get EV certs for free from startssl
https://www.startssl.com/NewsDetails?date=20160330
While seems like there is still the 200$ validation cost, you don't have to pay a fee for your other certs is the way I read it.
Others I show ev certs are $99 a year.. If what you're running is a business then that is part of doing business.. If you're not running a business then you sure and the hell do not need EV certs and could just go completely free route for all your different boxes, etc.
-
It is actually one server running different apps that bind to different ports. These are not web server apps. They are encrypted storage apps; each one serves a different purpose and binds to its own unique port but must connect using SSL via a URL.
I currently use Starfield for my certs, just renewed in December. I would have to pay $349 for a multiple domain cert. The budget does not allow for the additional expense. But I can build it in for next year. This is a non-profit business that has tight funding. The beginning of the year is the worst time to get funds. Reason for the EV cert is for HIPAA regulations.
That's why I wanted to know more about NAT Reflection. I care more about security than I do performance.