Configuration of NAT Reflection to access external domain not working



  • All,

    I'm trying to get NAT Reflection working on my LAN, so I access a web site hosted on my LAN using a single (external) address. I have port forwards in place to access this web service and it works just fine when accessed via mobile phone. I've currently configured pfSense to use Pure NAT and I've checked the two checkboxes identified in the documentation.

    Here are nslookup results.
    Server: pfSense.external_domain
    Address: LAN_IPV6_ADDRESS

    Non-authoritative answer:
    Name: external_domain
    Address: WAN_IPV4_ADDRESS

    I don't know what other information to provide, so please advise. TIA.

    FYI: Tried Split DNS, but my port forwards redirect to a different internal port.

    Edit: Here are a few more details.

    • I have a subdomain which is kept up-to-date via DDNS.
    • Unbound custom options contains a private-domain entry for plex.
    • IPv6 is currently preferred. (Is this the problem? nslookup is returning LAN IPv6 address).
    • Version: 2.4.3-RELEASE-p1
    • No host/domain overrides.
    • Default DNS setting retrieved from ISP.
    • DHCP leases/mappings registered in DNS Resolver.

    Are there logs I can review to assist me with troubleshooting?



  • I think you're right...if the NAT port forward is on the WAN and the hostname is resolving to the LAN IP that's not going to work because the packet isn't arriving on the WAN.

    Unfortunately there's not really a log for this AFAIK. Perhaps turn on logging for packets blocked by the default block firewall rule and see what is logged?



  • OH, are you suggesting that the traffic is not routed through the firewall when using NAT reflection?

    Anyway, I managed to get something working with Split DNS, but my Google Home speakers are unable to playback TTS via Home Assistant. I wonder if it's a byproduct of my configuration. Hopefully, one of you can help me identify the issue. Here's what I've done.

    • Added host override for my subdomain. All internal requests to subdomain are now processed by my Home Assistant server. (Note: This is not ideal as I have a few services that I might like to access via subdomain; Can reflection help here?)
    • Installed ufw on Home Assistant server and permitted traffic through 8123 (port hosting Home Assistant)
    • Added a rule for ufw to redirect traffic destined for 443 to 8123.

    That's what I've got so far. I added the base_url for the http component of Home Assistant (it's equivalent to the FQDN for my subdomain). Link 1 | Link 2

    Is my solution unorthodox and could it be contributing to the lack of communication to my google home speakers?



  • With NAT reflection traffic goes through pfSense, but it needs to go to the WAN IP since that is what is being NATted. If you're sending traffic to the LAN IP of pfSense NAT won't happen there if the NAT rule is on the WAN.


  • Netgate

    It actually doesn't go through the firewall to WAN and back. It is redirected on the interface the connection is established into.

    You will probably need to post screenshots.



  • By "through pfSense" I meant a NAT connection touches pfSense. Split DNS would be when the hostname resolves to an internal IP and the connection goes direct to the LAN IP of the server and doesn't touch pfSense. Split DNS should not be necessary if NAT reflection is set up correctly...?



  • @derelict What pages would you like to see? Port Forwards, Firewall Rules, Advanced System Settings? Something else?


  • Netgate

    Port forwards and NAT reflection settings probably.




  • Netgate

    Did you get the webgui off of 80/443?



  • Yep. It's on 8443 now.


  • Netgate

    And the WebGUI http to https redirect is disabled? Port forwards coming into WAN override that but not for NAT-reflected connections.

    Split DNS is a more elegant solution to this problem.



  • +1 split DNS



  • @derelict said in Configuration of NAT Reflection to access external domain not working:

    And the WebGUI http to https redirect is disabled? Port forwards coming into WAN override that but not for NAT-reflected connections.

    Split DNS is a more elegant solution to this problem.

    If this is what you're talking about, then no. I can change it. Let me know. I don't know that it'll have an impact since I'm only listening on 80 when I'm attempting to renew Let's Encrypt certs.
    0_1532552291049_redirect.png

    Did you see my second post about my Split DNS configuration? TTS for Google Home doesn't work when it is configured that way.