NAT Reflection 2.3.1 Issue

maxx8888

Hi,

I was using NAT Reflection prior 2.3 normally. I need it for some special Services like Mailserver.
SplitDNS just makes it complicated for me, since every Service need it's own DNS Entry.

My ISP is drei.at, an LTE Internet Connection via LTE Modem.
It seems like NAT Reflection is not reflecting on the pfSense back to the Server.
Instead pfSense seems to forward the Traffic to the LTE Modem.

If e.g. i'm adding a Service on port 80 to an internal Server and enabling NAT Reflection, i'm connecting to the Web Interface of the Modem instead to the internal Server.

LTE Modem Config:
Opt1 Interface, Static IP 192.168.0.254  -> LTE Modem 192.168.0.1

Gateway:
Default Gateway set to Opt1, Gateway IP 192.168.0.1

NAT Rule:
Interface: Opt1
Protocol: TCP
Source: Any
Destination: Opt1 Address
Destination Port: 80
Redirect Target: 192.168.123.28
Target Port: 80

Nat Reflection: Pure or NAT+Proxy -> same Issue

Enable Nat Reflection for 1:1 Nat: checked
Enable automatic outbound NAT for Reflection: checked

I just cannot figure out, what I've configured wrong.

Thanks a lot for helping,
Maxx

NOYB

Don't overlook the relevant settings on the System / Advanced / Admin Access page.

Also, when using port 80 if it is getting redirected to https then you are probably experiencing HSTS and probably need to clear browser cache/cookies.  pfSense 2.3 uses a 1 year HSTS cookie.

Have a look at these.

Re: [SOLVED] NAT Reflection Troubles
https://forum.pfsense.org/index.php?topic=98764.msg550431#msg550431
https://forum.pfsense.org/index.php?topic=98764.msg613696#msg613696

NAT Refection Config Outline
https://forum.pfsense.org/index.php?topic=98764.msg550414#msg550414

maxx8888

I don't think it is related to port 80 Issues on pfSense.

I have this Reflection Issue on all Ports.

If i enable Reflection on port 22 to internal Server 192.168.123.2 (LAN-Port), it is still forwarding this request to 192.168.0.1 (OPT1) to Modem. Modem is then answering instead of the Internal Server.

Is it possible that this happens because DMZ is enabled on Modem?
So,the Internet IP-Address is basically assigned to Modem, and Modem LAN side has 192.168.0.1. OPT1 Interface on pfSense is then 192.168.0.254.

I'm using DMZ, because Modem has really just basic functionality.

So, then this would mean that my home FQDN is resolving to the Internet IP-Address, which is basically the Modem. Basically, pfSense need to know, to reflect traffic locally, and not forward it to Modem.

Is this doable?

NOYB

Is is possible to config the modem in a bridge mode so pfSense picks up the public IP address instead of the modem?

maxx8888

Unfortunatly not. The Modem is a ZTE MF283.
Reallllly just basic Function :).

cmb

The upstream device doing the NAT has to do the reflection in that case.

maxx8888

Really?

So, all Setups where Provider Modems are used are not working with NAT-Reflection.
Strange, that there are not more Users having the same Issue. :-/.

Thanks for clarification!

cmb

NAT reflection only reflects traffic matching the configured port forward. Where there is an upstream NAT device, traffic to your real public IP doesn't meet that qualification. That's true of everything that has NAT reflection.