NAT Hairpinning / Reflection / loopback [Solved]

  • Hello,

    I have a problem with NAT Reflection, or maybe it has a problem with me :).
    I am really excited about pfSense; on my current network I have split DNS, but I would like to have NAT Reflection instead.

    So before I change anything on my network, I am simulating it with VMs.
    I drew a beautiful picture describing the topology of the VM world (pfSenseNATsenario.jpg).

    On internalsrv there is a DNS server (any hostname is translated to and an Apache web server.

    The second picture shows how I set the Port Forward, and the third picture shows the NAT settings in System > Advanced > Firewall & NAT.

    From "external1" everything is fine and I can access it the way I want.
    From "internal1", when I type the domain name or public IP address ( I get an error that the web is not available.

    Version of pfSense is 2.3.2.

    Could you help me? Did I set anything wrongly?

    I appreciate any help.



    ![Port Forward.JPG](/public/imported_attachments/1/Port Forward.JPG)
    ![nat settings.JPG](/public/imported_attachments/1/nat settings.JPG)

  • Could you help me? Did I set anything wrongly?

    Split DNS is the preferred way to handle it.  If you already had it working with split DNS, why would you want to go back to the NAT Reflection hack?

  • LAYER 8 Global Moderator

    "but I would like to have NAT Reflection instead."

    For what reason?  It's a much cleaner setup to use split DNS, where your external domains resolve to your internal IP when you're internal to your network.

    Curious why you're forwarding 53, so you provide DNS to the public internet for these domains?  That's normally a really bad idea..

  • Hello KOM,

    I read that it is preferred and that hairpinning could cause issues,
    but I can't help it; when I have more domains that I want to access from both external and internal, it's more pleasant the way I imagine it.
    Anyway, I want at least to try it.


  • LAYER 8 Global Moderator

    More pleasant?  How is hairpin on every single connection to a server that sits on your local network more pleasant?

    Let's say you have 100 domains.. It's as simple as putting those 100 domains into a file and loading it in unbound with a simple command in the custom box.  If you have a handful of them just use the GUI..  It really would be like 1 minute to set up and then you're done and don't have to worry about the "hack" as KOM put it, and I agree that would be the correct term.. Abomination would be another term I would use for such a setup as well, borked also comes to mind ;)
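    The "domains in a file, loaded into unbound" approach the moderator describes, as an added example that is not from the thread or from pfSense: a POSIX sh script that turns a constructed "hostname internal_ip" list into unbound local-data overrides suitable for the DNS Resolver's Custom Options box. The hostnames and addresses are made-up samples.

```shell
#!/bin/sh
# Generate unbound split-DNS overrides from a plain "hostname ip" list.
# Each external name is answered with its internal address for LAN
# clients, so no NAT reflection is needed. Names and IPs below are
# constructed examples, not real hosts.

# Emit the unbound directives for one hostname/IP pair.
# Usage: emit_override www.example.com 192.168.1.10
emit_override() {
    host=$1
    ip=$2
    # local-data without an explicit local-zone makes unbound create a
    # transparent zone: only the names listed here are overridden, every
    # other name in the domain still resolves via normal recursion.
    printf 'local-data: "%s. IN A %s"\n' "$host" "$ip"
    # Matching reverse record, so lookups of the internal IP map back.
    printf 'local-data-ptr: "%s %s."\n' "$ip" "$host"
}

# Read a list file (one "hostname ip" per line, '#' comments and blank
# lines allowed) and print a complete server: block for Custom Options.
# Usage: gen_split_dns hosts.txt
gen_split_dns() {
    list=$1
    printf 'server:\n'
    while read -r host ip _; do
        case $host in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        emit_override "$host" "$ip"
    done < "$list"
}
```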

  • Have a look at these.  See if they contain anything relevant to your issue.

    NAT Reflection and HSTS Documentation

    NAT Reflection Troubles

    [SOLVED] Re: NAT Reflection Troubles

  • Hello,

    thanks for the links,
    I'll try them.

    I didn't know that Reflection is that evil,
    maybe I'll stick with split DNS, but I have to get the reflection working, at least with VMs :)
    Thank you, once again.


  • Ok,

    thanks, the links helped me in a way I wouldn't expect.
    I did not try to access another external address,
    after I could not even ping the external client (with the firewall off) I looked at the network settings,
    and there it was: the internal client got an IP address, mask and DNS server from DHCP, but no gateway!!
    Problem solved. Everything was working fine.



  • LAYER 8 Global Moderator

    So are you using nat reflection or split dns??

  • In VM NAT reflection, on real network Split DNS.