Netgate Discussion Forum
    Reflection with multi-port alias forwarding problem (bug?)

      dshields

      I have a NAT entry (and associated firewall rule) to forward IMAP server traffic from a public IP to a private IP.  I'm using a port alias to define the mail server ports (25, 110, 143) and reference that alias in the NAT entry (in both the External Port Range 'from:' field and the Local port field).  I have also unchecked the 'Disable NAT reflection' option under System->Advanced options to be able to access the same ports from the internal network using the DNS name.  This rule is working fine externally, but internally using reflection it always forwards to the first port (SMTP).  If I telnet to port 143 from the internal network, I reach my SMTP server instead of my IMAP server.  The same telnet command from the external network works as expected.

      For now, I've added overrides for my mail server hostnames in the DNS Forwarding service as a workaround but wanted to see if this was a known problem or if I'm doing something wrong.  I could of course break the port alias out into individual NAT/firewall entries but that would defeat the purpose of the alias feature.

      Thanks.

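A way to check for the symptom described in the post above without telnetting to each port by hand, as an added example that is not part of the original thread: it reads the greeting on each port from the alias (25, 110, 143) and reports any port that answers with the wrong protocol. The function names and the host `mail.example.test` are hypothetical, and the banners in the demo are constructed.

```python
import socket

# Ports from the post's alias, and the protocol expected to greet on each.
EXPECTED = {25: "smtp", 110: "pop3", 143: "imap"}

def classify_banner(banner: bytes) -> str:
    """Name the mail protocol from the first greeting line the server sends."""
    line = banner.split(b"\r\n", 1)[0].strip()
    if line.startswith(b"220"):
        return "smtp"   # SMTP greeting (RFC 5321)
    if line.startswith(b"+OK"):
        return "pop3"   # POP3 greeting (RFC 1939)
    if line.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "imap"   # IMAP greeting (RFC 3501)
    return "unknown"

def read_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and return the first bytes the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(512)

def check_reflection(host: str, fetch=read_banner) -> dict:
    """Return {port: (expected, seen)} for each port that answers wrongly."""
    mismatches = {}
    for port, expected in EXPECTED.items():
        try:
            seen = classify_banner(fetch(host, port))
        except OSError as exc:  # refused, timed out, unreachable
            seen = f"error: {exc.__class__.__name__}"
        if seen != expected:
            mismatches[port] = (expected, seen)
    return mismatches

if __name__ == "__main__":
    # Constructed banners reproducing the reported symptom:
    # every reflected port lands on the SMTP server.
    def all_smtp(host, port):
        return b"220 mail.example.test ESMTP\r\n"
    print(check_reflection("mail.example.test", fetch=all_smtp))
```

Run it once from the internal network and once from outside against the same DNS name; a difference between the two results isolates the reflection rules from the port forward itself.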
        cmb

        That's a bug.  You're welcome to open a bug ticket at http://cvstrac.pfsense.org

        Don't know if it will get much, if any, attention, as NAT reflection in general sucks and should not be used in any serious environment like this.

          jahonix

          @cmb:

          …as NAT reflection in general sucks ...

          Maybe a dumb question: What would you prefer to use in such a scenario?
