Netgate Discussion Forum
    NAT reflection bypassing firewall rules

    NAT
    6 Posts, 2 Posters, 1.5k Views
    RP:
      If NAT is configured and a firewall rule doesn't exist for that NAT, but NAT reflection is enabled, the internal server on LAN1 is still accessible from a LAN2 interface that has a rule denying all traffic to LAN1. Should this be expected?

      Configuration:
      pfSense 2.3.2
      Interfaces: LAN1, LAN2, WAN
      Server X on LAN1
      NAT rule: destination WAN TCP port 443, redirect target LAN1 internal IP of X TCP Port 443
      No firewall rule on WAN interface for this NAT
      Device Y on the internet cannot access X using the WAN address and TCP Port 443, as expected.
      LAN2 firewall rule deny all to LAN1, highest priority
      No floating rules
      A device, Z, on LAN2, cannot access X using its internal address, as expected.
      NAT reflection enabled, NAT+Proxy
      Z, using the WAN address and TCP port 443, can access X

      johnpoz (LAYER 8 Global Moderator):

        Does the firewall rule on LAN1 or LAN2 allow access to the WAN IP? If so, then yes, it would bypass any rule on that interface that blocks the other LAN, because you're not going to that other LAN; you're going to the WAN IP, to be reflected back in.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        RP:

          Johnpoz,

          Thanks for the explanation. Yes, there is an outbound rule on LAN2 allowing traffic everywhere except LAN1.

          Can I assume therefore that with reflection, the reflection happens "before it hits the WAN interface", and therefore takes precedence and the WAN rules are bypassed? I had assumed that the reflection would be subject to the same rules that apply to the WAN interface, which in this case would be the default block rule. It was a little disconcerting to find that the firewall wasn't behaving as I'd expected.

          johnpoz (LAYER 8 Global Moderator):

            You need to understand the order in which rules are evaluated.

            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

            You also need to understand that rules are evaluated as traffic enters an interface towards pfSense. WAN rules are only evaluated as traffic enters the WAN interface from the WAN network or from beyond that (the internet). Traffic coming from your LAN would be blocked or allowed by the rules on the interface the traffic enters pfSense on.

              RP:
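The evaluation order johnpoz describes (translation first, then only the ingress interface's filter rules, against the already-translated packet) is what produces the result RP observed. The following is an added toy model of that order written for this thread; it is not pfSense code. The addresses, the rule shapes and the reflection proxy port are constructed to mirror RP's configuration with NAT+Proxy reflection, where LAN-side hits on the WAN IP are redirected to a local proxy that then opens its own connection to the server.

```python
"""
Toy model of pf-style evaluation: translation (rdr) first, then the filter
rules of the ingress interface only.  Added example for this thread, not
pfSense code.  All addresses, the proxy port and the rule shapes are
constructed to mirror RP's configuration (NAT+Proxy reflection mode).
"""
from dataclasses import dataclass
from typing import Optional, Union
import ipaddress

# Constructed addressing (documentation ranges, not RP's real addresses).
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.10")
X = ipaddress.ip_address("10.1.0.50")        # server X on LAN1
Z = ipaddress.ip_address("10.2.0.20")        # device Z on LAN2
Y = ipaddress.ip_address("198.51.100.7")     # device Y on the internet
PROXY = ipaddress.ip_address("127.0.0.1")    # NAT+Proxy reflection helper
PROXY_PORT = 19000                           # assumed; pfSense picks the real port

@dataclass
class Packet:
    iface: str                      # interface the packet ENTERS pfSense on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv4Address, str]  # net, host or "any"
    dport: Optional[int] = None     # None = any port

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst == "any":
        return True
    if isinstance(rule.dst, ipaddress.IPv4Network):
        return pkt.dst in rule.dst
    return pkt.dst == rule.dst

# Per-interface rulesets: first match wins, implicit default deny at the end.
RULESETS = {
    "WAN":  [],                                 # no rule for the forward, as RP set up
    "LAN2": [Rule("block", LAN1),               # highest-priority "deny all to LAN1"
             Rule("pass", "any")],              # then allow everywhere else
    "LAN1": [Rule("pass", "any")],
}

# The port forward: WAN IP tcp/443 -> X tcp/443.
FORWARD = {"dst": WAN_IP, "dport": 443, "target": X, "tport": 443}

def evaluate(pkt: Packet, reflection: bool = True):
    """Return (ip, port) the connection finally reaches, or None if blocked."""
    # Step 1: translation runs before filtering.  On WAN the forward rewrites
    # the destination to X; on a LAN interface, NAT reflection in NAT+Proxy
    # mode rewrites it to the local proxy instead.
    if pkt.dst == FORWARD["dst"] and pkt.dport == FORWARD["dport"]:
        if pkt.iface == "WAN":
            pkt = Packet(pkt.iface, pkt.src, FORWARD["target"], FORWARD["tport"])
        elif reflection:
            pkt = Packet(pkt.iface, pkt.src, PROXY, PROXY_PORT)

    # Step 2: only the ingress interface's rules are consulted, against the
    # already-translated packet.  WAN rules never see LAN-originated traffic.
    decision = "block"
    for rule in RULESETS[pkt.iface]:
        if matches(rule, pkt):
            decision = rule.action
            break
    if decision == "block":
        return None

    # Step 3: the proxy opens a fresh connection from the firewall itself to X.
    # That connection does not enter on LAN2, so LAN2's rules never apply to it.
    if pkt.dst == PROXY and pkt.dport == PROXY_PORT:
        return (FORWARD["target"], FORWARD["tport"])
    return (pkt.dst, pkt.dport)

def reaches_x(pkt: Packet, reflection: bool = True) -> bool:
    """True if the connection ends up at server X on tcp/443."""
    return evaluate(pkt, reflection) == (X, 443)

if __name__ == "__main__":
    print("Y -> WAN:443          ", reaches_x(Packet("WAN", Y, WAN_IP, 443)))
    print("Z -> X:443            ", reaches_x(Packet("LAN2", Z, X, 443)))
    print("Z -> WAN:443          ", reaches_x(Packet("LAN2", Z, WAN_IP, 443)))
    print("Z -> WAN:443, no refl.", reaches_x(Packet("LAN2", Z, WAN_IP, 443), False))
```

The first two cases come out blocked exactly as RP expected; the third is the bypass, because the LAN2 "block to LAN1" rule is checked against a destination that is no longer in LAN1. The last case shows that turning reflection off for this forward (pfSense exposes a per-forward NAT reflection setting, including Disable) restores the expected block. The model covers only NAT+Proxy mode, which is what RP used; the Pure NAT mode translates differently and should be tested on its own.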

              Indeed, but as there was no mention of NAT reflection, I had assumed wrongly that the traffic would also appear to enter the firewall on the WAN side. Clearly from your explanation it does not. Despite working with pfSense since around its inception I've not had this particular scenario crop up before!

              Thanks

                johnpoz (LAYER 8 Global Moderator):

                Well, to be honest, NAT reflection in itself is an abomination that should be avoided. It's a workaround for bad design. I have yet to hear a valid reason for its use. You have either hard-coded an IP, or don't correctly use DNS.

                Users misunderstand the rules all the time. There are loads of threads where someone can access the web GUI from the WAN, when in fact what they are doing is accessing the WAN IP from the LAN.
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.