NAT Reflection 2.3.1 Issue



  • Hi,

I was using NAT Reflection normally prior to 2.3. I need it for some special Services like Mailserver.
    Split DNS just makes it complicated for me, since every Service needs its own DNS Entry.

    My ISP is drei.at, an LTE Internet Connection via LTE Modem.
    It seems like NAT Reflection is not reflecting on the pfSense back to the Server.
    Instead pfSense seems to forward the Traffic to the LTE Modem.

If, e.g., I add a Service on port 80 to an internal Server and enable NAT Reflection, I'm connected to the Web Interface of the Modem instead of the internal Server.

    LTE Modem Config:
    Opt1 Interface, Static IP 192.168.0.254  -> LTE Modem 192.168.0.1

    Gateway:
    Default Gateway set to Opt1, Gateway IP 192.168.0.1

    NAT Rule:
    Interface: Opt1
    Protocol: TCP
    Source: Any
    Destination: Opt1 Address
    Destination Port: 80
    Redirect Target: 192.168.123.28
    Target Port: 80

NAT Reflection: Pure NAT or NAT + Proxy -> same Issue

Enable NAT Reflection for 1:1 NAT: checked
    Enable automatic outbound NAT for Reflection: checked

I just cannot figure out what I've configured wrong.

    Thanks a lot for helping,
    Maxx



  • Don't overlook the relevant settings on the System / Advanced / Admin Access page.

Also, when using port 80, if it is getting redirected to HTTPS then you are probably experiencing HSTS and probably need to clear the browser cache/cookies. pfSense 2.3 uses a 1-year HSTS cookie.

    Have a look at these.

    Re: [SOLVED] NAT Reflection Troubles
    https://forum.pfsense.org/index.php?topic=98764.msg550431#msg550431
    https://forum.pfsense.org/index.php?topic=98764.msg613696#msg613696

NAT Reflection Config Outline
    https://forum.pfsense.org/index.php?topic=98764.msg550414#msg550414



  • I don't think it is related to port 80 Issues on pfSense.

    I have this Reflection Issue on all Ports.

If I enable Reflection on port 22 to internal Server 192.168.123.2 (LAN port), it is still forwarding this request to 192.168.0.1 (OPT1), i.e. to the Modem. The Modem is then answering instead of the internal Server.

    Is it possible that this happens because DMZ is enabled on Modem?
So, the Internet IP address is basically assigned to the Modem, and the Modem LAN side has 192.168.0.1. The OPT1 Interface on pfSense is then 192.168.0.254.

    I'm using DMZ, because Modem has really just basic functionality.

So, this would mean that my home FQDN is resolving to the Internet IP address, which is basically the Modem. Basically, pfSense needs to know to reflect traffic locally and not forward it to the Modem.

    Is this doable?



Is it possible to configure the modem in bridge mode so pfSense picks up the public IP address instead of the modem?



Unfortunately not. The Modem is a ZTE MF283.
    Reallllly just basic Function :).



  • The upstream device doing the NAT has to do the reflection in that case.



  • Really?

So, all Setups where Provider Modems are used are not working with NAT Reflection.
    Strange that there are not more Users having the same Issue. :-/

    Thanks for clarification!



  • NAT reflection only reflects traffic matching the configured port forward. Where there is an upstream NAT device, traffic to your real public IP doesn't meet that qualification. That's true of everything that has NAT reflection.
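The matching rule stated in that last reply, shown as an added example that is not code from the thread or from pfSense: a small Python model of the decision pfSense makes for a packet arriving on an internal interface. It reuses the addresses from the thread (OPT1 192.168.0.254, modem 192.168.0.1, server 192.168.123.28) and assumes a constructed public IP 203.0.113.10 for the address the ISP hands to the modem. The third scenario, a port forward whose Destination is the public IP itself, is an assumption about how such a rule would behave and is not something the thread states.

```python
"""Model of why pfSense NAT reflection misses traffic behind an upstream NAT.

Added example, not code from the thread or from pfSense. Addresses for OPT1,
the modem and the server are taken from the thread; the public IP is a
constructed TEST-NET-3 address standing in for the one the ISP gives the modem.
"""
from dataclasses import dataclass

OPT1_ADDR = "192.168.0.254"   # pfSense OPT1 interface (from the thread)
MODEM_LAN = "192.168.0.1"     # LTE modem LAN side, pfSense default gateway (from the thread)
SERVER = "192.168.123.28"     # internal web server (from the thread)
PUBLIC_IP = "203.0.113.10"    # constructed: the address held by the modem, not by pfSense


@dataclass(frozen=True)
class PortForward:
    """A pfSense port forward; dest_ip is its "Destination" field."""
    proto: str
    dest_ip: str
    dest_port: int
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def pfsense_decision(pkt, forwards, default_gw=MODEM_LAN):
    """Decide what pfSense does with a packet seen on an internal interface.

    With reflection enabled, pfSense installs a copy of each port forward's
    rdr rule on the internal interfaces, and that copy keeps the forward's
    destination address and port. A packet is therefore redirected only if
    its destination is exactly that address/port; anything else is routed
    normally, which here means handed to the modem. Simplification: state,
    outbound NAT and interface binding are ignored.
    """
    for fwd in forwards:
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (fwd.proto, fwd.dest_ip, fwd.dest_port):
            return ("redirected", f"{fwd.target_ip}:{fwd.target_port}")
    return ("routed", default_gw)


def modem_dmz(pkt, dmz_host=OPT1_ADDR):
    """Modem in DMZ mode: an inbound packet for the public IP is rewritten to
    the DMZ host (pfSense OPT1). Constructed behaviour for the model."""
    if pkt.dst_ip == PUBLIC_IP:
        return Packet(pkt.proto, pkt.src_ip, dmz_host, pkt.dst_port)
    return pkt


# The port forward from the thread: Destination "Opt1 Address", port 80.
THREAD_FORWARD = [PortForward("tcp", OPT1_ADDR, 80, SERVER, 80)]


def from_internet():
    """An Internet client (constructed source) connects to the public IP.
    The modem rewrites it to OPT1, so the port forward matches."""
    pkt = modem_dmz(Packet("tcp", "198.51.100.7", PUBLIC_IP, 80))
    return pfsense_decision(pkt, THREAD_FORWARD)


def from_lan_with_thread_rule():
    """A LAN client (constructed source) resolves the home FQDN to the public
    IP. The reflection rule only matches 192.168.0.254:80, so the packet is
    routed to the modem, which answers with its own web interface."""
    pkt = Packet("tcp", "192.168.123.50", PUBLIC_IP, 80)
    return pfsense_decision(pkt, THREAD_FORWARD)


def from_lan_with_public_ip_rule():
    """Assumption, not stated in the thread: a second port forward whose
    Destination is the public IP gives the reflection copy something to match.
    The OPT1 forward is kept because inbound traffic still arrives on OPT1."""
    forwards = THREAD_FORWARD + [PortForward("tcp", PUBLIC_IP, 80, SERVER, 80)]
    pkt = Packet("tcp", "192.168.123.50", PUBLIC_IP, 80)
    return pfsense_decision(pkt, forwards)


if __name__ == "__main__":
    print("Internet -> public IP, DMZ to OPT1:   ", from_internet())
    print("LAN -> public IP, forward on OPT1 addr:", from_lan_with_thread_rule())
    print("LAN -> public IP, forward on public IP:", from_lan_with_public_ip_rule())
```

The model captures the point of the reply: the reflection rule is keyed on the port forward's destination, and behind an upstream NAT that destination is the private OPT1 address, not the public IP that clients resolve. The third function is only the model's assumption about what a forward keyed on the public IP would do; whether that suits a real deployment depends on the modem and on the outbound NAT for reflection being in place.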