Netgate Discussion Forum

    1:1 NAT is not working Internal from LAN

      pfs_ch

      Hello

      I have an issue with my 1:1 NAT, but at the moment I can't find any hint as to why it is not working. I've searched the forum and Google, but found no hint, or I didn't see it.
      I have an ISP uplink with 16 IPs: x.x.102.125 is the gateway, x.x.102.126 is pfSense, and in this case x.x.102.128 is for the webserver.

      I have the following zones inside pfSense: WAN, LAN and DMZ.

      The 1:1 NAT goes from the external IP (102.126) to the DMZ zone IP of the webserver, 192.168.152.9.
      There is also a firewall rule from TCP/any to TCP/443 and TCP/80 to 192.168.152.9.

      From external (like a mobile phone) I can reach the webserver correctly. Everything is fine.
      As soon as I'm on the LAN interface of pfSense (either locally or over VPN), I can't reach the webserver anymore via its DNS name.

      I've activated "Pure NAT", "Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection".
      The browser itself loads, and loads, and loads, and after some time it shows "ERR_CONNECTION_TIMED_OUT".

      Maybe someone has some tips.
      Thank you!

        KOM

        Usually one of the NAT reflection modes works. Is split DNS not an option for you? Do you have any rules on your LAN that might interfere with DMZ communication?

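An added example, written for this thread and not taken from it or from pfSense, that separates the cases raised in the first post and in KOM's reply when run from a LAN client: it resolves the webserver's name, attempts a TCP connect to both the public address and the DMZ address on 80 and 443, and names the outcome. 192.0.2.128 (TEST-NET-1) is a constructed stand-in for the thread's x.x.102.128, www.example.net for the webserver's DNS name; 192.168.152.9 is the DMZ address from the first post. A name that already resolves to 192.168.152.9 is the split DNS case KOM suggests; a public address that times out while the DMZ address answers is the first post's symptom.

```python
"""Check from a LAN client why a 1:1-NAT'd webserver is unreachable.

Added example, not code from the thread or from pfSense. Replace the
constructed placeholders with the real public address, DMZ address and
hostname before running it from a machine on the LAN.
"""
from __future__ import annotations

import socket

# Constructed placeholders: 192.0.2.128 (TEST-NET-1) stands in for the
# thread's x.x.102.128; the DMZ address is the one given in the thread.
PUBLIC_IP = "192.0.2.128"
INTERNAL_IP = "192.168.152.9"
HOSTNAME = "www.example.net"   # placeholder for the webserver's DNS name
PORTS = (80, 443)
TIMEOUT = 3.0

HINTS = {
    "dns-failure": "Name did not resolve; DNS, not NAT, is the first problem.",
    "dns-unexpected": "Name resolves to neither the public nor the DMZ address; "
                      "check which record LAN clients are actually given.",
    "split-dns": "Clients resolve the DMZ address directly (split DNS); "
                 "no reflection is needed for this host.",
    "reflection-ok": "Public address answers from the LAN; NAT reflection is in effect.",
    "reflection-broken": "Server answers on its DMZ address but not via the public one: "
                         "the LAN-to-public-IP hairpin is not being translated, which "
                         "matches the ERR_CONNECTION_TIMED_OUT symptom.",
    "server-down": "Neither address answers; check the LAN->DMZ rule and the server itself.",
}


def tcp_open(host: str, port: int, timeout: float = TIMEOUT) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable
        return False


def resolve(name: str) -> list[str]:
    """IPv4 addresses the local resolver returns for name ([] on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(resolved: list[str], public_ok: dict[int, bool],
             internal_ok: dict[int, bool],
             public_ip: str = PUBLIC_IP, internal_ip: str = INTERNAL_IP) -> str:
    """Pure decision logic, kept apart from the probes so it can be tested offline."""
    if not resolved:
        return "dns-failure"
    if internal_ip in resolved:
        # split DNS: the name already points at the DMZ host
        return "split-dns" if all(internal_ok.values()) else "server-down"
    if public_ip not in resolved:
        return "dns-unexpected"
    if all(public_ok.values()):
        return "reflection-ok"
    if all(internal_ok.values()):
        # server is fine; only the path via the public address fails
        return "reflection-broken"
    return "server-down"


def run_probe() -> tuple[str, dict]:
    """Resolve the name, probe both addresses on all ports, and classify."""
    resolved = resolve(HOSTNAME)
    public_ok = {p: tcp_open(PUBLIC_IP, p) for p in PORTS}
    internal_ok = {p: tcp_open(INTERNAL_IP, p) for p in PORTS}
    verdict = classify(resolved, public_ok, internal_ok)
    return verdict, {"resolved": resolved, "public": public_ok, "internal": internal_ok}


if __name__ == "__main__":
    verdict, detail = run_probe()
    print(detail)
    print(f"{verdict}: {HINTS[verdict]}")
```

Run it from a LAN host, not from the firewall. A "reflection-broken" verdict means the server and the LAN-to-DMZ path are fine and the problem is in how the firewall handles LAN traffic addressed to the public IP, so the place to look is the reflection settings and the rules between LAN and DMZ rather than the server.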
          pfs_ch

          Sorry for my delay.

          Split DNS is not an option for us.

          We're blocking traffic from LAN to DMZ and/or DMZ to LAN, but even when I allow a "master" rule that permits it, it won't work.

          What do you mean by "NAT reflection modes works"?

            KOM

            System - Advanced - Firewall & NAT - Network Address Translation - NAT Reflection mode for port forwards

              ScottyDM

              For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch, I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding, and another that does not work with split DNS.

              I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router.

              I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screenshot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work?

              This is my version information:
              2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26
              2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7
              And it's still not working.

              Thanks a million.

              [Attachment: System_Advanced_Firewall&Nat_NetAddTrans.png]

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.