NAT Reflection



  • I noticed this in my logs:

    php-fpm[10553]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500

    does this mean that no ports above 500 get NAT Reflection?

    If so, can I change this?

    Thanks.
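To see what that log line implies for a rule set, here is an added example (not code from the thread or from pfSense) that takes constructed port-forward entries, flags the ones whose external port range exceeds the 500-port limit named in the log message, and shows how such a range could be split into chunks that stay under it. The inclusive range count (end - start + 1) and the target-port offsets are assumptions of this example, not documented pfSense behaviour.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Limit taken from the log line "Not installing NAT reflection rules for a
# port range > 500". Counting the range inclusively is an assumption here.
REFLECTION_MAX_RANGE = 500


@dataclass(frozen=True)
class PortForward:
    proto: str
    ext_port: str      # "80" or "10000-20000", as typed into the NAT rule
    target: str        # internal host the forward points at
    target_port: int   # start of the target port range


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse "80" or "10000-20000" into an inclusive (start, end) tuple."""
    if "-" in spec:
        start, end = (int(p) for p in spec.split("-", 1))
    else:
        start = end = int(spec)
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range: {spec!r}")
    return start, end


def reflection_skipped(rule: PortForward) -> bool:
    """True if the range is wider than the limit, i.e. no reflection rules."""
    start, end = parse_port_range(rule.ext_port)
    return (end - start + 1) > REFLECTION_MAX_RANGE


def split_for_reflection(rule: PortForward) -> List[Tuple[str, int]]:
    """Split a wide forward into (ext_port_spec, target_port_start) chunks,
    each at most REFLECTION_MAX_RANGE ports, keeping the target offset."""
    start, end = parse_port_range(rule.ext_port)
    chunks, lo = [], start
    while lo <= end:
        hi = min(lo + REFLECTION_MAX_RANGE - 1, end)
        spec = f"{lo}-{hi}" if lo != hi else str(lo)
        chunks.append((spec, rule.target_port + (lo - start)))
        lo = hi + 1
    return chunks


# Constructed sample rules, not taken from any real configuration.
SAMPLE_RULES = [
    PortForward("tcp", "443", "192.0.2.10", 443),
    PortForward("udp", "10000-20000", "192.0.2.20", 10000),
]


def audit(rules: List[PortForward]) -> List[Tuple[str, bool]]:
    """Return (ext_port, skipped) per rule so wide ranges are easy to spot."""
    return [(r.ext_port, reflection_skipped(r)) for r in rules]
```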


  • LAYER 8 Global Moderator

    Do you need NAT reflection?  Are you currently using NAT reflection?  NAT reflection is really, to be honest, an abomination to how networking and routing should work.  Why would anyone ever want to hairpin a connection?  That is what you're doing with NAT reflection; at best it is a work-around for lazy people.



  • I know exactly what NAT reflection is, and why it is included in this router, because it is a work-around for older software that needs it.  Now maybe you could be less condescending and more helpful on the issue, instead of bashing the features provided by this great routing software.


  • LAYER 8 Global Moderator

    Condescending??  Really…  How about you post up what is not working and/or what NAT reflection you're using and we can discuss.

    I don't have any such entries in my log. I don't use NAT reflection; it's actually set to disabled. What is your setting and use of NAT reflection, and we can go over whether there is an issue with that log entry.

    Older software that needs it, like what exactly... There is NO software that would need NAT reflection.  Give an example of this old software that would need NAT reflection, if you just resolve what it is looking for to the local IP with a simple DNS entry.



    Wanted to put my two cents into the NAT reflection necessity. I just replaced my existing firewall with pfSense and have a formal server DMZ for servers that are publicly available and a guest wireless DMZ, in addition to the external and internal interfaces.  I initially created "no-nat" rules to allow desired traffic from the wireless DMZ to the server DMZ and the associated firewall rules. I configured the DNS forwarder to intercept my internal and publicly available domains so that they are resolved using split DNS.

    The situation I ran into that required NAT Reflection to be enabled for all the publicly available servers in the server DMZ had to do with mobile devices (Apple devices like iPhones and iPads, but I did not test with anything Android based). The issue was an inconsistent user experience when browsing to the publicly available sites while on the guest WiFi. If the device had not connected to the site before and did so while on WiFi, it was fine. However, when the device was no longer on WiFi, the internal DNS address was still cached on the mobile device, resulting in the page not being able to load. The opposite scenario was also true (access the site externally, then attach to the guest WiFi and have it not load).

    The only quick solution I found to this from the mobile device side was to put the device in airplane mode and then disable airplane mode. Enabling airplane mode flushes the DNS cache of the device and allows the correct address to be queried and the site to be loaded. Of course this was only a per-scenario solution, as the user has to enable/disable airplane mode whenever they arrive at or leave the building.

    While this is not a pfSense problem by any means, IMHO a user should not have to go through this extra step, which they do not understand and will probably not remember to do anyway. In the case I described above, I feel that NAT Reflection is the only solution that allows access and still maintains a secure network design.

    Thanks,

    Brian

