Reflection with multi-port alias forwarding problem (bug?)



  • I have a NAT entry (and associated firewall rule) to forward IMAP server traffic from a public IP to a private IP.  I'm using a port alias to define the mail server ports (25, 110, 143) and reference that alias in the NAT entry (in both the External Port Range 'from:' field and the Local port field).  I have also unchecked the 'Disable NAT reflection' option under System->Advanced options to be able to access the same ports from the internal network using the DNS name.  This rule is working fine externally but internally using reflection it always forwards to the first port (SMTP).  If I telnet to port 143 from the internal network, I reach my SMTP server instead of my IMAP server.  The same telnet command from the external network works as expected.

    For now, I've added overrides for my mail server hostnames in the DNS Forwarding service as a workaround but wanted to see if this was a known problem or if I'm doing something wrong.  I could of course break the port alias out into individual NAT/firewall entries but that would defeat the purpose of the alias feature.

    Thanks.
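The symptom described in this post (every port in the alias landing on the first service) is easy to confirm from the inside by reading the greeting banner each port returns and comparing it with the protocol that should be there. The script below is an added example, not code from the original post or from pfSense: it classifies SMTP/POP3/IMAP greetings, checks a hostname's ports against the expected map, and ships with loopback fake servers (constructed here, with made-up banner text) that reproduce the misrouting so it runs offline. To test a real setup, point `check_forwarding` at the internal hostname of the mail server with the real port numbers.

```python
"""Check that each forwarded mail port reaches the service you expect.

Added example for the thread above (not the original post's or pfSense's own
code). Connects to each port behind a hostname, reads the greeting banner and
classifies it as SMTP / POP3 / IMAP. When reflection collapses the port alias
onto the first port, every banner comes back as SMTP ('220 ...') and the
mismatch is reported. Loopback fake servers are included so it runs offline.
"""
import socket
import threading

# Ports from the thread's alias and the protocol expected behind each one.
EXPECTED = {25: "smtp", 110: "pop3", 143: "imap"}
# Constructed greeting banners for the offline demo.
BANNERS = {"smtp": "220 mail.example.test ESMTP ready\r\n",
           "pop3": "+OK POP3 server ready\r\n",
           "imap": "* OK IMAP4rev1 server ready\r\n"}


def classify_banner(banner: str) -> str:
    """Map a greeting line to its protocol (RFC 5321 / RFC 1939 / RFC 3501 greetings)."""
    if banner.startswith("220"):
        return "smtp"
    if banner.startswith("+OK"):
        return "pop3"
    if banner.startswith("* OK") or banner.startswith("* PREAUTH"):
        return "imap"
    return "unknown"


def read_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and return the first greeting line; empty string on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""


def check_forwarding(host: str, port_map: dict) -> dict:
    """Return {port: (expected, observed)} for every port whose banner does not match."""
    mismatches = {}
    for port, expected in port_map.items():
        observed = classify_banner(read_banner(host, port))
        if observed != expected:
            mismatches[port] = (expected, observed)
    return mismatches


# --- Offline demo: fake listeners that reproduce the reflection misrouting ---
def _serve_banner(banner: str, sock: socket.socket) -> None:
    """Greet every client with the banner, then close the connection."""
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:  # listening socket closed by simulate()
            return
        with conn:
            conn.sendall(banner.encode())


def start_fake_server(banner: str) -> tuple:
    """Listen on an ephemeral loopback port; returns (socket, port)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=_serve_banner, args=(banner, sock), daemon=True).start()
    return sock, sock.getsockname()[1]


def simulate(reflection_bug: bool) -> dict:
    """Stand up three loopback ports; with the bug, every port answers as SMTP.

    Returns mismatches keyed by the protocol that was expected on the port.
    """
    port_map, servers = {}, []
    for proto in ("smtp", "pop3", "imap"):
        served = "smtp" if reflection_bug else proto
        sock, port = start_fake_server(BANNERS[served])
        servers.append(sock)
        port_map[port] = proto
    result = check_forwarding("127.0.0.1", port_map)
    for sock in servers:
        sock.close()
    return {port_map[p]: v for p, v in result.items()}


if __name__ == "__main__":
    print("external path (correct):", simulate(reflection_bug=False))
    print("reflected path (bug):   ", simulate(reflection_bug=True))
```

Run against the real hostname from inside and outside the network; if the inside run reports `pop3` and `imap` ports observed as `smtp` while the outside run is clean, the reflection path is the culprit and not the mail server itself.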



  • That's a bug.  You're welcome to open a bug ticket at http://cvstrac.pfsense.org

    Don't know if it will get much if any attention, as NAT reflection in general sucks and should not be used in any serious environment like this.



  • @cmb:

    …as NAT reflection in general sucks ...

    Maybe a dumb question: What would you prefer to use in such a scenario?

