Netgate Discussion Forum
    NAT Reflection

    8 Posts 4 Posters 2.1k Views
      dcol:

      Hi all,
      I had an interesting thread that resolved some issues, but what I got out of it was to not use NAT Reflection on my port forwarding.

      No one explained why, just told me to use Split DNS instead. Well, unbound Host Overrides did not work. When I set up a host override and disabled NAT Reflection I was no longer able to get to my local website. Doing a web search, it seems that others have the same difficulty with host overrides not working, or sometimes not working, in DNS Resolver. NAT reflection always works with no issue.

      It appears to be how DNS is handled by the host override. It does resolve the host name to my local server IP as proven by a simple trace command but when IIS gets the request it cannot determine the address and fails. Using NAT reflection works fine. I worked on it for a couple of hours and got one site to briefly work as the root, but never with www. Then stopped working altogether.

      I do point my DNS to the pfSense box, so that isn't the problem. Tried flushing DNS and clearing browser cache.

      My Question is this. Why is it so important to move away from NAT reflection? If I should move to Split DNS, then I need some help getting it to work.

        KOM:

        NAT Reflection is technically a workaround that sends your connection out the firewall and back in again, so it's inefficient and puts more load on the firewall. It also can cause issues in some cases. Split DNS makes your system go directly to the resource on the local LAN without touching the firewall at all. If your system can properly resolve your web server's FQDN to its local IP address then the firewall isn't involved at all and the issue is with the web server.

          johnpoz (LAYER 8 Global Moderator):

          Why is it important not to use an abomination in the networking world that should never be used ever??  Especially from a security point of view?

          Sure you will find that home routers that you go get at your local computer store for $20 do it - because their user base are "users" ;)  And they just want stuff to work without clue one as to how and why, etc.

          The inefficiency that KOM mentions of going through your firewall/router to just get back to a box next to you is the mere tip of the iceberg to be honest.  Doing such a thing can also create an asymmetrical problem..  If not just bad hairpinning for no reason at all.

          From a security point of view, if you prevent the asymmetry by NATing the connection to the webserver as the pfSense IP, then the webserver doesn't know the real IP that is talking to it.. So every client on your network that accesses your webserver will just look like it came from the pfSense IP.  So any sort of log info you might find useful is now just junk, and any sort of firewall rule on the webserver is pointless because now all connectivity is coming from 1 IP.

          The above is done with a SNAT.. So think of all the things involved and the added complexity involved because you're too lazy to set up correct name resolution on your network?  If you're trying to access a webserver on the same network as you.. Then resolve the URN you want to access to its local IP.. Now you're not doing any sort of hairpin, you're not sending traffic in and out of your firewall for no reason.  Your server logs will now see the actual IP that is talking to it.  So its logs can be useful and it could leverage its own software firewall, etc.  Your performance will be better!!  Since you're not using a hairpin, and not having to run it through a speedbump (firewall/router) for no reason.

          Also agree with KOM here, if you're resolving the URN you're trying to access to the RFC1918 IP address that is on the same network you are, and something is not working then that has something to do with that server and/or use of proxies or something else, etc.  Fix whatever that issue is would be my suggestion vs using the complete and utter hack/abomination that is NAT reflection..

          You want another reason? ;)  How about when you have to explain your setup to any other networking/security/IT person that is not completely useless, they won't be thinking in the back of their minds… Ok this person doesn't really have a clue, make sure I use small words and speak slowly..  Ie you won't see their eyes roll back up into their heads and place their palm to their face.. And then they will prob smile back at you real nice... hehehehehehehe

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            dcol:
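          A practical way to see the logging point KOM and johnpoz make is to look at the web server's own access log. The following is an added example, not code from the thread or from pfSense: it parses IIS W3C-format log lines and reports whether LAN requests are attributed to real client addresses or all collapse onto the firewall's address, which is the hairpin-plus-source-NAT symptom. The firewall address 192.168.20.1, the log lines and the field list are constructed for the example; only the server address 192.168.20.2 comes from the thread.

```python
"""
Added example (not from the forum thread): scan IIS W3C log lines for the
symptom described above -- every LAN client appears to come from the
firewall's own IP because a hairpin (NAT reflection) path with source NAT
rewrote the client address. All addresses and log lines are constructed.
"""
import ipaddress
from collections import Counter

# Assumptions for this example: pfSense LAN address (constructed) and the
# web server address used in the thread.
FIREWALL_IP = "192.168.20.1"
SERVER_IP = "192.168.20.2"

# The thread talks about RFC1918 space specifically, so test against those
# three blocks rather than Python's broader ipaddress.is_private notion.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed IIS W3C extended logs. The #Fields line names the columns,
# exactly as a real log does; the parser relies on it instead of fixed offsets.
SAMPLE_LOG_REFLECTED = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-12-04 05:56:13 192.168.20.2 GET / - 80 - 192.168.20.1 Mozilla/5.0 200
2016-12-04 05:56:14 192.168.20.2 GET /index.html - 80 - 192.168.20.1 Mozilla/5.0 200
2016-12-04 05:57:25 192.168.20.2 GET / - 80 - 192.168.20.1 curl/7.50 200
2016-12-04 05:58:01 192.168.20.2 GET /login - 80 - 203.0.113.7 Mozilla/5.0 401
"""

SAMPLE_LOG_SPLIT_DNS = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-12-04 05:56:13 192.168.20.2 GET / - 80 - 192.168.20.55 Mozilla/5.0 200
2016-12-04 05:56:14 192.168.20.2 GET /index.html - 80 - 192.168.20.56 Mozilla/5.0 200
2016-12-04 05:57:25 192.168.20.2 GET / - 80 - 192.168.9.12 curl/7.50 200
2016-12-04 05:58:01 192.168.20.2 GET /login - 80 - 203.0.113.7 Mozilla/5.0 401
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines rather than misattributing columns
        yield dict(zip(fields, parts))


def client_ip_report(log_text, firewall_ip=FIREWALL_IP):
    """
    Count requests per client address (c-ip) and bucket them:
      'private'  -> RFC1918 sources other than the firewall (split DNS in effect)
      'firewall' -> requests whose source is the firewall itself (SNAT hairpin)
      'public'   -> Internet clients arriving through the port forward
    """
    counts = Counter(rec["c-ip"] for rec in parse_w3c(log_text))
    report = {"private": {}, "firewall": 0, "public": {}}
    for ip, n in counts.items():
        if ip == firewall_ip:
            report["firewall"] += n
        elif is_rfc1918(ip):
            report["private"][ip] = n
        else:
            report["public"][ip] = n
    return report


def lan_clients_masked(log_text, firewall_ip=FIREWALL_IP):
    """
    True when the log shows the NAT-reflection symptom: internal requests are
    present but every one of them is attributed to the firewall, so per-client
    logging and host-firewall rules on the server cannot tell clients apart.
    """
    r = client_ip_report(log_text, firewall_ip)
    return r["firewall"] > 0 and not r["private"]


if __name__ == "__main__":
    for name, log in (("reflected", SAMPLE_LOG_REFLECTED), ("split-dns", SAMPLE_LOG_SPLIT_DNS)):
        print(name, client_ip_report(log), "lan clients masked:", lan_clients_masked(log))
```

          Run against a real IIS log, the same check tells you whether the server's logs and its own firewall rules can still distinguish LAN clients, or whether the hairpin has flattened them all onto the pfSense address as johnpoz describes.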

            Guys, this post should be a Wiki. What a wealth of info. Thanks to you.

            I finally got this to work, just needed a reboot after changing settings on the pfSense box.
            So here is an example of how to set up Split DNS for those who went through what I did.

            As an example, let's call one site mydomain.com where IIS has bindings to port 80 for mydomain.com and www.mydomain.com.
            Create a NAT Port Forwarding rule to send port 80 to IP 192.168.20.2. NAT Reflection should be disabled
            DNS Resolver Host Overrides settings.

            Host - mydomain
            Domain - com
            IP 192.168.20.2

            Alias
            Host - www
            Domain - mydomain.com

            These settings should work after a reboot.

            Thanks

              NOYB:

              @dcol:

              My Question is this. Why is it so important to move away from NAT reflection?

              It's not.  Use what is a good fit for your purpose.  Totally up to you.

                johnpoz (LAYER 8 Global Moderator):

                You shouldn't have to reboot..

                You can not have a blank host.. Your override would be host domain, with the domain being com

                You would then create alias for that host..  See attached example

                
                > dig domain.com
                
                ; <<>> DiG 9.11.0-P1 <<>> domain.com
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15931
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;domain.com.                    IN      A
                
                ;; ANSWER SECTION:
                domain.com.             3600    IN      A       192.168.20.2
                
                ;; Query time: 3 msec
                ;; SERVER: 192.168.9.253#53(192.168.9.253)
                ;; WHEN: Sun Dec 04 05:56:13 Central Standard Time 2016
                ;; MSG SIZE  rcvd: 55
                
                > dig www.domain.com
                
                ; <<>> DiG 9.11.0-P1 <<>> www.domain.com
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48575
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;www.domain.com.                        IN      A
                
                ;; ANSWER SECTION:
                www.domain.com.         3600    IN      A       192.168.20.2
                
                ;; Query time: 1 msec
                ;; SERVER: 192.168.9.253#53(192.168.9.253)
                ;; WHEN: Sun Dec 04 05:57:25 Central Standard Time 2016
                ;; MSG SIZE  rcvd: 59
                
                

                [attached image: overrides.png]


                  dcol:

                  Johnpoz - Seems to work ok both ways for me. It is now working fine the way I originally described it but I modified my example to fit your way since you have more experience using it than I do. Also, did not work until I rebooted. I think it was because the NAT reflection config was still in there.

                  One other point to make for all trying to use Split DNS. Make sure you use the pfSense LAN IP as your primary DNS server in every device on the LAN.
                  This in my opinion is one of the drawbacks to using Split DNS, But the positives do outweigh the negatives.

                    johnpoz (LAYER 8 Global Moderator):

                    There is nothing saying you have to use pfSense as DNS… But you do need to use a DNS that will resolve the FQDN you're asking about to your RFC1918 address.  This could be your AD DNS, this could be bind running on some other box on your network, etc.

                    If your clients are using, say, Google DNS or some other public DNS - then no, split DNS would not work, would it ;) Public DNS is not going to return your RFC1918 address, and if it did - then that would normally be a rebinding attack.. And not a good idea.


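                    The dig output posted earlier is the verification step for the Split DNS setup, and the rebinding remark in the last post is its failure mode. As an added example (not code from the thread or from pfSense), the following parses dig output of the shape shown above and classifies the result the way the thread reasons about it: the answer must be the server's RFC1918 address and it must come from a resolver on the LAN, while an RFC1918 answer handed back by a public resolver is flagged as the DNS-rebinding case. The three dig transcripts are constructed; the server 192.168.20.2 and LAN resolver 192.168.9.253 follow the thread, and 8.8.8.8 is an assumed stand-in for any public resolver.

```python
"""
Added example (not part of the forum thread): parse `dig` output and decide
whether split DNS is doing its job for a LAN-hosted web server.

  ok                 LAN resolver returned the server's RFC1918 address
  no-split-dns       answer is a public address -> client would hairpin/NAT-reflect
  wrong-internal-ip  RFC1918 answer, but not the web server
  rebinding-suspect  a public resolver returned an RFC1918 address
  no-answer          nothing usable in the transcript
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Only the A records in the ANSWER SECTION and the ";; SERVER:" line matter.
ANSWER_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
SERVER_RE = re.compile(r"^;; SERVER:\s+(\d{1,3}(?:\.\d{1,3}){3})#\d+")


def parse_dig(text):
    """Return (answers, server): answers is a list of (name, ttl, ip), server the resolver IP."""
    answers, server, in_answer = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line:          # a blank line ends the section
                in_answer = False
                continue
            m = ANSWER_RE.match(line)
            if m:
                answers.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
    return answers, server


def check_split_dns(dig_text, expected_ip):
    """Classify one dig transcript against the web server's expected LAN address."""
    answers, server = parse_dig(dig_text)
    if not answers or server is None:
        return "no-answer"
    ips = {ip for _, _, ip in answers}
    if not all(is_rfc1918(ip) for ip in ips):
        return "no-split-dns"          # public answer: traffic would leave and re-enter the firewall
    if not is_rfc1918(server):
        return "rebinding-suspect"     # public resolver should never hand out RFC1918 space
    if ips != {expected_ip}:
        return "wrong-internal-ip"
    return "ok"


# Constructed transcripts (same layout as real dig output, trimmed).
DIG_LAN = """\
; <<>> DiG 9.11.0-P1 <<>> www.domain.com
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.domain.com.                        IN      A

;; ANSWER SECTION:
www.domain.com.         3600    IN      A       192.168.20.2

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

DIG_PUBLIC = """\
;; ANSWER SECTION:
www.domain.com.         300     IN      A       203.0.113.10

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

DIG_REBIND = """\
;; ANSWER SECTION:
www.domain.com.         60      IN      A       192.168.20.2

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

if __name__ == "__main__":
    for label, text in (("lan", DIG_LAN), ("public", DIG_PUBLIC), ("rebind", DIG_REBIND)):
        print(label, "->", check_split_dns(text, "192.168.20.2"))
```

                    To use it on a live network, pipe `dig www.mydomain.com` from a LAN client into `check_split_dns` with the server's address; anything other than "ok" tells you which side (resolver choice, override record, or a public resolver answering with private space) needs attention.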
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.