NAT Reflection with external IP from LAN



  • Hi,

    I'm trying to replace a Mikrotik router with a couple of pfSense dedicated servers. I can't seem to get the server to resolve to the external IP internally. When I load the site from the webserver, IIS is always reporting the pfSense LAN Active Master IP for the remote client. I've set up the outbound NAT and the external IP is mapped correctly. I followed all the steps in the manual and forum to get NAT Reflection to work but it's still showing the local address in the logs. It's a problem for me because I have several web services that need to authenticate each other using a domain that needs to resolve to the correct external IP address.



  • Have you tried "NAT reflection + proxy" mode?



  • @viragomann said in NAT Reflection with external IP from LAN:

    Have you tried "NAT reflection + proxy" mode?

    Yes, doesn't seem to make any difference.



  • It worked as a charm for me. The web-application could access other ones on the same server.

    If you don't get it to work, why don't you set up an internal DNS (split DNS)?



  • @viragomann said in NAT Reflection with external IP from LAN:

    If you don't get it to work, why don't you set up an internal DNS (split DNS)?

    Thank you for the quick replies viragomann. My problem is not with accessing the same server from that server. My issue is that the web server is not reporting the correct IP when accessing itself.



  • That's how NAT reflection works.
    If you need the correct origin client IP, set up split DNS.



  • @viragomann said in NAT Reflection with external IP from LAN:

    That's how NAT reflection works.
    If you need the correct origin client IP, set up split DNS.

    That's interesting ... so NAT Reflection is always reflecting the internal IP of the pfSense?

    I've actually tried to set up split DNS using the DNS Resolver. On the webserver I've changed the DNS server to the pfSense VIP LAN IP and now it's resolving to the actual LAN IP associated with the web server, but it is still internal. I've added a Host override in the DNS Resolver for the domain > external IP but it doesn't seem to do anything.

    EDIT:
    Last part was not exactly correct ... I just retested it. So when I set Host override domain > external IP I can no longer load the site internally in my browser. I can ping the domain internally and it responds from the correct IP. The only way it seems to work is if I set Domain > Internal IP of the web server. Now I can load it internally but my remote IP is now the internal IP I set in the DNS Resolver.


  • When NAT reflection is used to access a server on the same subnet as the connecting client you will lose the source IP address of the client.

    This is because if the server receives a connection from the same subnet it is on, the reply will not go back to the firewall and the firewall TCP state will break.

    This is generally considered poor network design.

    Using Split DNS will solve this problem without NAT reflection.
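    The packet path behind this explanation, as an added example that is not part of the thread: a small model of a pfSense-style hairpin (reflection) NAT versus split DNS, showing which source address the web server logs and whether the reply still passes the firewall. The topology (192.168.1.0/24 LAN, a 203.0.113.10 public VIP, a second 10.0.2.0/24 subnet) is constructed for the example; it also covers a client on a different subnet, where the reply is routed via the firewall anyway and the source IP survives without source NAT.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed topology (assumed for this example, not from the thread).
LAN = ip_network("192.168.1.0/24")
FW_LAN = ip_address("192.168.1.1")              # firewall LAN address
FW_WAN = ip_address("203.0.113.10")             # public VIP the domain resolves to
SERVER = ip_address("192.168.1.20")             # web server on the LAN
SAME_SUBNET_CLIENT = ip_address("192.168.1.30")
OTHER_SUBNET_CLIENT = ip_address("10.0.2.15")   # reaches the LAN through the firewall


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def reflect(pkt: Packet, source_nat: bool) -> Packet:
    """Hairpin NAT on the firewall: rewrite dst WAN VIP -> server LAN IP.
    With source_nat the firewall also rewrites src to its own LAN address,
    which is what forces the server's reply back through the firewall."""
    if pkt.dst != FW_WAN:
        return pkt
    return Packet(FW_LAN if source_nat else pkt.src, SERVER)


def reply_passes_firewall(at_server: Packet) -> bool:
    """A host answers a same-subnet source directly (ARP), not via its default
    gateway, so the firewall only sees the reply if the source is off-subnet
    or is the firewall itself. Otherwise the NAT state on the firewall breaks."""
    return at_server.src == FW_LAN or at_server.src not in LAN


def via_reflection(client: IPv4Address, source_nat: bool):
    """Client connects to the public VIP through NAT reflection.
    Returns (source IP the server logs, whether the firewall state stays consistent)."""
    at_server = reflect(Packet(client, FW_WAN), source_nat)
    return at_server.src, reply_passes_firewall(at_server)


def via_split_dns(client: IPv4Address):
    """Internal DNS answers the domain with the server's LAN IP: the client
    talks to the server directly and no translation is involved."""
    at_server = Packet(client, SERVER)
    return at_server.src, True
```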



  • @derelict said in NAT Reflection with external IP from LAN:

    When NAT reflection is used to access a server on the same subnet as the connecting client you will lose the source IP address of the client.

    This is because if the server receives a connection from the same subnet it is on, the reply will not go back to the firewall and the firewall TCP state will break.

    This is generally considered poor network design.

    Using Split DNS will solve this problem without NAT reflection.

    Appreciate your reply. I wish I had asked this question 3 weeks ago when I set up the boxes.

