NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat"
-
I agree that using split-brain DNS is a better solution than NAT Reflection but what if you are using just one free public A record for all your internal services? For example, in my setup:
x.ddns.net -> public IP
plex.home.arpa -> internal IP of PMS
deluge.home.arpa -> internal IP of deluge
I cannot do split-brain with one public A record and two internal A records. For split-brain to work, I would need a 1:1 mapping. Of course, that's doable with multiple free DNS hosting services.
-
Not following you..
Doesn't matter if you have only 1 public IP..
x.ddns.net points to 1.2.3.4 externally - your public IP.
Internally x.ddns.net points to 192.168.1.100 for example.
If you have plex.ddns.net point to 1.2.3.4 externally, and you have deluge.ddns.net pointing to 1.2.3.4.
Internally you would just point plex.ddns.net to 192.168.1.100, and deluge.ddns.net point to say 192.168.1.101..
Even if both of those externally just point to your public.. That has nothing to do with what you do internally.
Are you saying that if you're doing something like https://public.ddns.net:32400 it sends you to plex, and https://public.ddns.net:4444 points you to deluge? Via your port forwards?
Use a reverse proxy so you can use different names.. on public and not have to worry about the port.. And can point multiple names to the same public IP..
Or just use different public names.. There is nothing saying you can only point X.ddns.net to your public IP.. You can point X and Y and Z.ddns.net to your same public IP..
I am not following what a single IP has to do with not being able to use split DNS??
-
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Not following you..
Doesn't matter if you have only 1 public IP..
x.ddns.net points to 1.2.3.4 externally - your public IP.
Internally x.ddns.net points to 192.168.1.100 for example.
If you have plex.ddns.net point to 1.2.3.4 externally, and you have deluge.ddns.net pointing to 1.2.3.4.
Internally you would just point plex.ddns.net to 192.168.1.100, and deluge.ddns.net point to say 192.168.1.101..
Even if both of those externally just point to your public.. That has nothing to do with what you do internally.
I guess I did not explain myself properly. I wasn't referring to one public IP. I was referring to one public A record. For example, with No-IP I can only have up to three free A records. What if those three are all taken: one of them is SiteInQuestion.ddns.net and the other two I'm using for two other sites. Essentially, I won't be able to differentiate between plex and deluge externally.
It would be a different story if I buy my own DNS hosting service where I can create plex.ddns.net and deluge.ddns.net externally and also create the corresponding internal A records for both, as you explained.
-
Use a different ddns service then.. Not like there are not hundreds to choose from... Not understanding your limit here?
You could set a wildcard *.you.ddns.net all pointing to your public IP, then break out your actual names internally. plex.you.ddns.net, deluge.you.ddns.net etc..
-
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Use a different ddns service then.. Not like there are not hundreds to choose from... Not understanding your limit here?
You could set a wildcard *.you.ddns.net all pointing to your public IP, then break out your actual names internally. plex.you.ddns.net, deluge.you.ddns.net etc..
You're right. There are lots of ways of doing it. I forgot about wildcards; I'll probably do that, but it's not like I have a lot of services exposed to the Internet. It's just plex and deluge, and I use Guacamole to access the rest or just VPN into my network to access their internal IPs.
-
Even if you only had 1 service - you could still set up a wildcard on your ddns service. Now you can just use whatever name you want.. And not have to worry about editing your external ddns setup because you only have the 1 IP anyway. And allthings.yourddns.net is going to end up pointing to 1.2.3.4 externally anyway.
-
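The split-DNS arrangement johnpoz describes above (one external wildcard record pointing every name at the single public IP, with per-host internal overrides breaking the names out to LAN addresses) and the earlier "x.ddns.net externally vs. internally" explanation, modelled as an added example. This is not code from the thread or from pfSense; the names, the public IP 1.2.3.4, the 192.168.1.0/24 LAN and the two internal hosts are assumptions copied from the thread's own illustrations. It also classifies which path a client's traffic takes, which is the point of the whole argument: a LAN client that resolves a name to a LAN address never touches the WAN IP, so NAT reflection (pure NAT or NAT+proxy) is not involved, while a name with no internal override still lands on the public IP and does depend on reflection.

```python
"""Split-horizon DNS model for the setup discussed in this thread.

Constructed example: one external wildcard record (*.you.ddns.net -> public IP)
plus internal host overrides. The generated 'local-data' lines are the Unbound
form of what pfSense's DNS Resolver host overrides produce.
"""
import ipaddress

# All values below are assumptions taken from the thread's own examples.
PUBLIC_IP = "1.2.3.4"                        # the single public IP
EXTERNAL_WILDCARD = "*.you.ddns.net"          # the one DDNS record: a wildcard
LAN = ipaddress.ip_network("192.168.1.0/24")  # clients that get the internal view
INTERNAL_OVERRIDES = {                        # host overrides (internal view only)
    "plex.you.ddns.net": "192.168.1.100",
    "deluge.you.ddns.net": "192.168.1.101",
}


def _norm(name: str) -> str:
    """Canonical form: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def wildcard_matches(name: str, pattern: str) -> bool:
    """DNS-style wildcard: '*.zone' matches names below zone, not zone itself."""
    name, pattern = _norm(name), _norm(pattern)
    if not pattern.startswith("*."):
        return name == pattern
    suffix = pattern[1:]                       # ".you.ddns.net"
    return name.endswith(suffix) and len(name) > len(suffix)


def resolve(name: str, client_ip: str):
    """Answer the way split DNS does: internal override for LAN clients when one
    exists, otherwise the external wildcard answer; None if the name is not ours."""
    name = _norm(name)
    inside = ipaddress.ip_address(client_ip) in LAN
    if inside and name in INTERNAL_OVERRIDES:
        return INTERNAL_OVERRIDES[name]
    if wildcard_matches(name, EXTERNAL_WILDCARD):
        return PUBLIC_IP
    return None  # resolver would forward/recurse normally


def traffic_path(name: str, client_ip: str) -> str:
    """Which path the client's connection takes, given the answer it received."""
    answer = resolve(name, client_ip)
    if answer is None:
        return "unrelated"
    inside = ipaddress.ip_address(client_ip) in LAN
    if inside and ipaddress.ip_address(answer) in LAN:
        return "direct-lan"       # split DNS: the WAN address is never touched
    if inside:
        return "nat-reflection"   # LAN client hitting the public IP: needs reflection
    return "port-forward"         # genuine external client


def unbound_local_data() -> list:
    """Unbound 'local-data' lines equivalent to the internal overrides."""
    return [f'local-data: "{host}. A {ip}"'
            for host, ip in sorted(INTERNAL_OVERRIDES.items())]


if __name__ == "__main__":
    for name, client in [("plex.you.ddns.net", "192.168.1.50"),
                         ("plex.you.ddns.net", "203.0.113.7"),
                         ("newthing.you.ddns.net", "192.168.1.50")]:
        print(f"{client:>14} asks {name:<24} -> {resolve(name, client)} "
              f"({traffic_path(name, client)})")
    print("\n".join(unbound_local_data()))
```

The third sample query is the caveat: newthing.you.ddns.net has no internal override, so a LAN client gets the public IP from the wildcard and the connection goes through NAT reflection after all. Add an override for every name you use internally, and reflection mode stops mattering for those names.
-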
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Even if you only had 1 service - you could still set up a wildcard on your ddns service. Now you can just use whatever name you want.. And not have to worry about editing your external ddns setup because you only have the 1 IP anyway. And allthings.yourddns.net is going to end up pointing to 1.2.3.4 externally anyway.
Yes, that makes total sense. I'll have to check for a ddns service that offers a free wildcard then. I don't think No-IP has free wildcards.
-
@johnpoz My question/issue was very specific. I didn't ask how to do things differently.
-
And if you don't tell us this specific thing you're doing - how can I look to see what might be going on?
Not an example - what specifically... So you just have something.domain.tld forwarded on 443 to 192.168.1.100, and when you try and hit it from 192.168.1.101 it's not working?
Unless you use proxy vs pure?
-
@johnpoz Exactly. I can access my services either using their local LAN IP or using DDNS (NAT reflection) when using NAT+proxy, but not when using pure NAT. I have read that pure NAT is better than NAT+proxy, and I would also need it once Netgate fixes this issue: (https://redmine.pfsense.org/issues/7727). Those are the two reasons why I need and want to use pure NAT.
-