Netgate Discussion Forum

    Split DNS vs NAT Reflection

    2 Posts 2 Posters 2.0k Views
mattsl

      @johnpoz:

Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

It's not easier because if I'm configuring multiple small sites that's an additional configuration, and one that's hard-coded, for every site. It's not more elegant because it defeats the potential for redundancy if I want to have things load-balanced off-site.

Just what I love for performance is hairpinning all my connections through the interface and firewall rules. Makes for super speedy, great use of all resources involved.

There will currently be 10 users, and in the future never more than 20, at the local site using this in my implementation. Everything the site is serving locally is dynamic text, and all images, etc. come from a CDN. I'm pretty sure my firewall running on an 8-core processor can handle the extra traffic.

      @johnpoz:

And the objective is a pointless, utter waste of time with a one-click override and you're done. And to be honest it shouldn't even be a possible thing to do. NAT reflection is a HACK.

As mentioned above. No. It's not one click. Also, while we might inherently trust our local network, please explain why we should bypass the firewall entirely for local traffic rather than follow the firewall rules that apply to that IP address. That makes no sense at all, as it has the potential to be a security issue. And to be honest it shouldn't even be a possible thing to do.

johnpoz (LAYER 8 Global Moderator)

What does NAT reflection have to do with redundancy? So you're saying your public FQDN points to a different IP if site A becomes unavailable? Your DNS changes to point to site B? If so, that might be an actual use case that makes sense to use a public IP.

But since your users are going local anyway, what is the likelihood that their local site is down and you would want them to go to some remote site? What if their internet is down and they cannot even resolve the public DNS? In the case where you use split DNS, your local users would still have access to the site you're hosting locally, etc.

Set up your local DNS to direct to another site as well if it goes offline. Not that hard to do with a simple script to check, and change the record.

As to a firewall rule: if you're on the local segment, you can put all the firewall rules you want into pfSense; it doesn't stop me from talking to the box that is on the same L2 as the user. Whatever rules you put in place for WAN are not taken into account on NAT reflection anyway. Now, if you put your httpd on a segment different from your users' local one, then sure, you can firewall segment A from segment B, and you're still not doing NAT reflection.

Your possible use of an FQDN that resolves publicly might be a possible valid use case, but without understanding the details, probably not. If users in site A cannot get to site A because it's down, you more than likely have a problem with site A that is probably either of higher priority than site A's service not being available to the public internet, or could also prevent them from getting to site B, etc.

If your failover detects that site A is down because it cannot get to it from the public internet, because the public internet is down at site A, how do users know to go to this other site, or even get there, or resolve this public IP in the first place? So you're saying the local site has the public IP already; if so, how does it change to the failover site?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1
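The "simple script to check, and change the record" that johnpoz suggests in the post above, written out as an added example; this is not code from the thread or from pfSense. It probes the candidate web hosts in preference order (local copy first, so resolution keeps working when the site's internet link is down, as the post points out), and pushes the first reachable address into Unbound as local data via unbound-control. The hostname, the RFC 5737 documentation addresses and the port are constructed placeholders; the script assumes unbound-control is configured to talk to the resolver it runs beside. If nothing answers, it deliberately leaves the existing record alone rather than publishing an address it has just seen fail.

```python
"""Split-DNS failover: probe the local web host first, fall back to the
off-site copy, and load the winner into Unbound's local data.

Constructed example values below (RFC 5737 addresses); assumption, not
taken from the thread.
"""
import socket
import subprocess
from typing import Callable, List, Optional, Tuple

RECORD = "www.example.com"          # assumed hostname the users resolve
TTL = 60                            # short TTL so a change is picked up quickly
PORT = 443                          # assumed service port to probe
# Preference order matters: the local copy is tried first.
CANDIDATES: List[Tuple[str, str]] = [
    ("local", "192.0.2.10"),
    ("site-b", "198.51.100.10"),
]


def tcp_probe(ip: str, port: int = PORT, timeout: float = 3.0) -> bool:
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_target(candidates: List[Tuple[str, str]],
                  probe: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate IP (in preference order) whose probe succeeds.

    Returns None when nothing answers; the caller then leaves the current
    record untouched instead of publishing an address known to be down.
    """
    for _name, ip in candidates:
        if probe(ip):
            return ip
    return None


def unbound_commands(name: str, ip: str, ttl: int = TTL) -> List[List[str]]:
    """unbound-control invocations that replace the local A record.

    local_data_remove drops every local RR for the name, then local_data
    adds the new A record in zone-file syntax.
    """
    fqdn = name.rstrip(".") + "."
    return [
        ["unbound-control", "local_data_remove", fqdn],
        ["unbound-control", "local_data", f"{fqdn} {ttl} IN A {ip}"],
    ]


def apply_record(name: str, ip: str, runner=subprocess.run) -> None:
    """Run the unbound-control commands; runner is injectable for testing."""
    for cmd in unbound_commands(name, ip):
        runner(cmd, check=True)


def main() -> int:
    ip = choose_target(CANDIDATES, tcp_probe)
    if ip is None:
        print("no candidate reachable; leaving existing record untouched")
        return 1
    apply_record(RECORD, ip)
    print(f"{RECORD} -> {ip}")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from cron every minute or so. Two caveats: changes made through unbound-control are runtime-only and disappear when the resolver restarts, so the local record configured in the resolver (on pfSense, the DNS Resolver host override) should already point at the preferred local address and this script only needs to flip it during an outage; and a TCP probe only proves the port answers, so if the service can fail while still accepting connections, replace tcp_probe with an HTTP check against a known-good URL.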

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.