1:1 NAT is not working Internal from LAN

  • Hello

    I have an Issue with my 1:1 NAT … but don't find any hint at the moment why it is not working. I've searched on the Forum or Google - but no hint or i don't saw it.
    I've an ISP Uplink with 16 IPs - x.x.102.125 Gateway, x.x.102.126 pfSense and in this issue, x.x.102.128 for the Webserver.

    I've the following Zone inside of the pfSense - WAN, LAN and DMZ.

    The 1:1 is going on the external IP (102.126) to the DMZ Zone IP of the Webserver
    Also a Firewall Rule from TCP/any to TCP/443 and TCP/80 to

    From External (like Mobile Phone) i can reach the Webserver correctly. Everything fine.
    As soon as I'm on the LAN Interface of the pfSense (like being local or over VPN) I can't reach the Webserver anymore over the DNS Name.

    I've activated "Pure NAT", "Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection".
    The Browser itself is loading, and loading and loading, and after some time it is showing "ERR_CONNECTION_TIMED_OUT"

    Maybe someone has some Tipps.
    Thank you!

  • Usually one of the NET reflection modes works.  Is split DNS not an option for you?  DO you have any rules on your LAN that might interfere with DMZ communication?

  • Sorry for my delay.

    Split DNS is not an option for us.

    We're blocking traffic from LAN to DMZ and/or DMZ to LAN - but also when I'm allow a "Master" Rule which allows it, it won't work.

    What do you mean with Net Reflection Modes works?

  • System - Advanced - Firewall & NAT - Network Address Translation - NAT Reflection mode for port forwards

  • For me NAT reflection works on port forwarding, but not on 1:1 NAT, just as it doesn't work for pfs_ch. Like pfs_ch I too have a block of static IPs, and I've chosen to use 1:1 NAT (another option for me might be bridging). Besides wanting to use all my public IP addresses, I have at least one protocol that cannot work with port forwarding. And another that does not work with split DNS.

    I got my setup to work by adding a cheap consumer-grade router between LAN and WAN, with a static route to push DMZ-bound traffic from the LAN through pfSense rather than through the cheap router.

    I should not have to do this. pfSense should reflect packets when told to do so, but either I'm telling it wrong or there's a bug in the code. The attached screen shot shows my settings for: System / Advanced / Firewall & NAT / Network Address Translation. How do we (including pfs_ch here) make this work.

    This is my version information: 2.3.5-RELEASE-p1 (amd64); built on Tue Dec 12 13:31:23 CST 2017; FreeBSD 10.3-RELEASE-p26
    2.4.3-RELEASE (amd64); built on Mon Mar 26 18:02:04 CDT 2018; FreeBSD 11.1-RELEASE-p7  And it's still not working.

    Thanks a million.

Log in to reply