Disable NAT Reflection - strange behaviour

linuxninjas

If you are struggling with NAT reflection when playing with VOIP phones then you might consider this :

When you have the "Disable NAT Reflection" active (box checked) and you then un-check the box meaning that you are actually enabling the creation of reflection rules it
seems that those rules are NOT created for the existing Firewall / NAT / forwarding rules.

As such I needed to delete and recreate the firewall / NAT / forwarding rules and then those reflection rules are created for those newly created firewall / NAT / forwarding rules.

I confirmed this by having a :

• Disable NAT reflection checked
• a port forward rule for ssh to a port 4100
• ssh -p 4100 root@imft.zapto.org    to reach an internal server at imft.org via it's public (dynamic) DNS name did not work

then I unchecked the "Disable NAT reflection" option
ssh -p 4100 root@imft.zapto.org      still did not work

then I deleted the firewall/NAT forwarding rule for 4100
and recreated the exact same 4100

now  ssh -p 4100 root@imft.zapto.org    works like a charm.

My conclusion on this is that simple unchecking the box next to "Disable NAT reflection" won't fix your problem unless you recreate the existing firewall/NAT rules.

Feel free to correct me,  I'm just learning pfsense.

But I do have my asterisk server working in a DMZ network behind  pfsense and SIPphones both inside on the production LAN and outside pfsense can connect nicely to the asterisk server.

The only thing missing is getting my wireless SIP phones working.  These are on another pfsense network segment.  (my blue if you have a ipcop background)