Disable NAT Reflection - strange behaviour



  • If you are struggling with NAT reflection when playing with VOIP phones then you might consider this :

    When you have the "Disable NAT Reflection" active (box checked) and you then un-check the box meaning that you are actually enabling the creation of reflection rules it
    seems that those rules are NOT created for the existing Firewall / NAT / forwarding rules.

    As such I needed to delete and recreate the firewall / NAT / forwarding rules and then those reflection rules are created for those newly created firewall / NAT / forwarding rules.

    I confirmed this by having a :

    • Disable NAT reflection checked
    • a port forward rule for ssh to a port 4100
    • ssh -p 4100 root@imft.zapto.org    to reach an internal server at imft.org via it's public (dynamic) DNS name did not work

    then I unchecked the "Disable NAT reflection" option
    ssh -p 4100 root@imft.zapto.org      still did not work

    then I deleted the firewall/NAT forwarding rule for 4100
    and recreated the exact same 4100

    now  ssh -p 4100 root@imft.zapto.org    works like a charm.

    My conclusion on this is that simple unchecking the box next to "Disable NAT reflection" won't fix your problem unless you recreate the existing firewall/NAT rules.

    Feel free to correct me,  I'm just learning pfsense.

    But I do have my asterisk server working in a DMZ network behind  pfsense and SIPphones both inside on the production LAN and outside pfsense can connect nicely to the asterisk server.

    The only thing missing is getting my wireless SIP phones working.  These are on another pfsense network segment.  (my blue if you have a ipcop background)


Log in to reply