1:1 NAT is not working Internal from LAN
I have an issue with my 1:1 NAT … but I can't find any hint at the moment as to why it is not working. I've searched the forum and Google, but found no hint, or I didn't see it.
I have an ISP uplink with 16 IPs: x.x.102.125 is the gateway, x.x.102.126 is pfSense and, in this issue, x.x.102.128 is for the webserver.
I have the following zones inside pfSense: WAN, LAN and DMZ.
The 1:1 NAT maps the external IP (102.126) to the DMZ zone IP of the webserver, 192.168.152.9.
There is also a firewall rule from TCP/any to TCP/443 and TCP/80 to 192.168.152.9.
From external (like a mobile phone) I can reach the webserver correctly. Everything is fine.
As soon as I'm on the LAN interface of the pfSense (being local or over VPN), I can't reach the webserver anymore over the DNS name.
I've activated "Pure NAT", "Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection".
The browser keeps loading and loading, and after some time it shows "ERR_CONNECTION_TIMED_OUT".
Maybe someone has some tips.
KOM:
Usually one of the NAT reflection modes works. Is split DNS not an option for you? Do you have any rules on your LAN that might interfere with DMZ communication?
Sorry for my delay.
Split DNS is not an option for us.
We're blocking traffic from LAN to DMZ and/or DMZ to LAN, but even when I allow a "master" rule which permits it, it won't work.
What do you mean by "NAT reflection modes work"?
KOM:
System - Advanced - Firewall & NAT - Network Address Translation - NAT Reflection mode for port forwards
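For readers who want to see what the reflection options in this thread have to produce in the underlying packet filter, here is an added pf(4) ruleset, not taken from any post or from pfSense's generated rules. It assumes interface names em0/em1/em2 and the public IP x.x.102.128 as a placeholder; the webserver address and ports come from the thread. The point is that reflection needs two pieces: an rdr on the LAN side and a source NAT on the DMZ side, otherwise the webserver answers the LAN client directly, the reply bypasses the state on pfSense and the browser times out exactly as described above.

```pf
# Added illustration of 1:1 NAT with NAT reflection (hairpin) for LAN clients.
# Assumed interface names; x.x.102.128 is a placeholder for the public IP.
ext_if = "em0"   # WAN
lan_if = "em1"   # LAN
dmz_if = "em2"   # DMZ
pub_ip = "x.x.102.128"
web    = "192.168.152.9"

# 1:1 NAT: bidirectional mapping of the webserver to its public address on WAN.
binat on $ext_if from $web to any -> $pub_ip

# Reflection: a LAN client that resolves the DNS name to the public IP gets
# redirected to the DMZ address (what "Enable NAT Reflection for 1:1 NAT" adds).
rdr on $lan_if proto tcp from $lan_if:network to $pub_ip port { 80, 443 } -> $web

# Outbound NAT for reflection: rewrite the source to the DMZ interface address so
# the webserver's replies return through pfSense instead of going straight back
# to the LAN client (what "Enable automatic outbound NAT for Reflection" adds).
nat on $dmz_if proto tcp from $lan_if:network to $web port { 80, 443 } -> ($dmz_if)

# Filter rules are evaluated after translation, so the LAN rule must permit the
# post-rdr destination (the DMZ host), not only the public IP; a LAN-to-DMZ block
# rule placed above this one would still drop the reflected traffic.
pass in quick on $lan_if proto tcp from $lan_if:network to $web port { 80, 443 } keep state
pass in quick on $ext_if proto tcp from any to $web port { 80, 443 } keep state
```

Check the live translation rules on the box with `pfctl -sn` and the states with `pfctl -ss` while a LAN client connects: if the rdr entry appears but no state forms on the DMZ interface, the block is in the filter rules rather than in NAT reflection.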
ScottyDM:
For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch, I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding, and another that does not work with split DNS.
I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router.
I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screenshot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work?
This is my version information:
2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26
2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7
And it's still not working.
Thanks a million.