Reflection issue - hmmm…



  • I have one of my OPT interfaces in use for our wireless network, which is NOT allowed into the main network (VPN must be used for ingress; this is working fine). Our old NetBSD pf firewall would allow connections from this network to reach our 1:1 NATs (to VIPs) on the WAN interface; this is not working for pfSense.

    For example; users on the OPT segment cannot get to the mailserver on the LAN segment using the 1:1 NAT on the WAN interface.

    To clarify my config: Our WAN IP is 216.17.33.87 (all addresses faked for example); we have VIPs on this interface from a routed subnet: 216.17.66.16-216.17.66.31. Our email server is known as 216.17.66.25, and has all appropriate ports allowed through the firewall. When the "world" comes to 216.17.66.25, they reach the mailserver services fine. On the OPT interface, IP 10.7.0.1, the mailserver is unreachable via 216.17.66.25.

    Does anybody know how I can make the OPT interface able to reach the mailserver's VIP?

    Thanks,
    Dave



  • Is it possible that this only works for port forwards, and not 1:1 NATs? I'd try experimenting, but this firewall is in production…

    "Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports"...?





  • That reflection stuff is hard …
    http://forum.pfsense.org/index.php/topic,14572.0.html


Log in to reply