NAT reflection bypassing firewall rules
If NAT is configured and a firewall rule doesn’t exist for that NAT, but NAT reflection is enabled, the internal server on LAN1 is still accessible from a LAN2 interface that has a rule denying all traffic to LAN1. Should this be expected?
Interfaces: LAN1, LAN2, WAN
Server X on LAN1
NAT rule: destination WAN TCP port 443, redirect target LAN1 internal IP of X TCP Port 443
No firewall rule on WAN interface for this NAT
Device Y on the internet cannot access X using the WAN address and TCP Port 443, as expected.
LAN2 firewall rule deny all to LAN1, highest priority
No floating rules
A device, Z, on LAN2, cannot access X using its internal address, as expected.
NAT reflection enabled, NAT+Proxy
Z, using the WAN address and TCP port 443, can access X
Does the firewall rule on LAN1 or 2 allow access to the WAN IP? If so then yes, it would bypass any rule on that interface that blocks the other LAN, because you're not going to that other LAN; you're going to the WAN IP, to be reflected back in.
Thanks for the explanation. Yes, there is an outbound rule on LAN2 allowing traffic everywhere except LAN1.
Can I assume therefore that with reflection, the reflection happens “before it hits the WAN interface”, and therefore takes precedence and the WAN rules are bypassed? I had assumed that the reflection would be subject to the same rules that apply to the WAN interface, which in this case would be the default block rule. It was a little disconcerting to find that the firewall wasn’t behaving as I’d expected.
You need to understand the order in which rules are evaluated.
You also need to understand that rules are evaluated as traffic enters an interface towards pfSense. WAN rules are only evaluated as traffic enters the WAN interface from the WAN network or from beyond that (internet)… Traffic coming from your LAN would be blocked or allowed by the rules on the interface where the traffic enters pfSense.
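The evaluation order described in the reply above, modelled in Python as an added example (not code from the thread or from pfSense). The addresses, the rule objects and the `HARDENED` rule set are assumptions constructed for the illustration; the rule sets themselves follow the original post: LAN2 denies all to LAN1 first and allows everything else, WAN has no rule for the NAT, and reflection forwards WAN:443 to X. Only the rule set of the interface a packet enters on is consulted, first match wins, and an unmatched packet hits the default block. The model also shows one way to close the reflected path on LAN2 with an explicit block to the WAN address on the forwarded port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple, Union

# Constructed addressing for the thread's scenario; every address is an assumption.
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")
WAN_IP = ip_address("203.0.113.10")   # firewall's WAN address
X = ip_address("192.168.1.50")        # server X on LAN1
Z = ip_address("192.168.2.20")        # device Z on LAN2
Y = ip_address("198.51.100.7")        # device Y on the internet

Dest = Union[IPv4Network, IPv4Address, None]   # None = any destination

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: Dest                    # network, single address, or None for any
    dport: Optional[int] = None  # None = any port

    def matches(self, dst: IPv4Address, dport: int) -> bool:
        if isinstance(self.dst, IPv4Network) and dst not in self.dst:
            return False
        if isinstance(self.dst, IPv4Address) and dst != self.dst:
            return False
        return self.dport is None or dport == self.dport

# Rule sets as the original post describes them. Only the rule set of the
# interface the packet ENTERS is consulted; first match wins; anything
# unmatched falls through to the implicit default block.
RULESETS = {
    "LAN1": [Rule("pass", None)],
    "LAN2": [Rule("block", LAN1),     # highest priority: deny all to LAN1
             Rule("pass", None)],     # outbound allow everywhere else
    "WAN":  [],                       # no rule for the NAT: default block
}

# Added mitigation (assumption, not from the thread): deny LAN2 traffic to the
# WAN address on the forwarded port, ahead of the general allow.
HARDENED = {
    **RULESETS,
    "LAN2": [Rule("block", LAN1),
             Rule("block", WAN_IP, 443),
             Rule("pass", None)],
}

def ingress_interface(src: IPv4Address) -> str:
    """Interface a packet from `src` enters pfSense on."""
    if src in LAN1:
        return "LAN1"
    if src in LAN2:
        return "LAN2"
    return "WAN"

def evaluate(src: IPv4Address, dst: IPv4Address, dport: int,
             rulesets=RULESETS, reflection: bool = True
             ) -> Tuple[str, Optional[IPv4Address]]:
    """Return (verdict, host the connection ends up at, or None if blocked)."""
    iface = ingress_interface(src)
    for rule in rulesets[iface]:
        if rule.matches(dst, dport):
            verdict = rule.action
            break
    else:
        verdict = "block"
    if verdict == "block":
        return verdict, None
    # NAT rule: WAN:443 -> X:443. From the WAN side it is only reachable if a
    # WAN rule passed it (none does above). From an inside interface the packet
    # has already passed that interface's rules with destination = WAN IP, and
    # reflection hands it to X without the WAN rule set ever being consulted.
    if dst == WAN_IP and dport == 443:
        if iface == "WAN" or reflection:
            return verdict, X
        return verdict, WAN_IP   # no reflection: reaches the firewall itself
    return verdict, dst

if __name__ == "__main__":
    print("Z -> X direct:      ", evaluate(Z, X, 443))
    print("Z -> WAN:443:       ", evaluate(Z, WAN_IP, 443))
    print("Y -> WAN:443:       ", evaluate(Y, WAN_IP, 443))
    print("Z -> WAN:443 (hard):", evaluate(Z, WAN_IP, 443, rulesets=HARDENED))
```

Running it reproduces the thread: Z to X directly is blocked, Y from the internet is blocked by the empty WAN rule set, but Z to the WAN address on 443 passes the LAN2 rules (the destination is the WAN IP, not LAN1) and is reflected to X. With the extra LAN2 block the reflected path is closed, and with reflection disabled the same packet simply lands on the firewall's own WAN address.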
Indeed, but as there was no mention of NAT reflection, I had assumed wrongly that the traffic would also appear to enter the firewall on the WAN side. Clearly from your explanation it does not. Despite working with pfSense since around its inception I’ve not had this particular scenario crop up before!
Well, to be honest, NAT reflection in itself is an abomination that should be avoided… It's a workaround for bad design… Have yet to hear a valid reason for its use… You have either hard-coded an IP, or don't correctly use DNS…
Users misunderstand the rules all the time… There are loads of threads where someone says they can access the web GUI from the WAN… when in fact what they are doing is accessing the WAN IP from the LAN…