Netgate Discussion Forum

NAT Reflection with external IP from LAN

    rusoo7 (Jan 25, 2019, 2:26 PM):

    Hi,

    I'm trying to replace a Mikrotik router with a couple of pfSense dedicated servers. I can't seem to get the server to resolve to the external IP internally. When I load the site from the web server, IIS is always reporting the pfSense LAN Active Master IP for the remote client. I've set up the outbound NAT and the external IP is mapped correctly. I followed all the steps in the manual and forum to get NAT Reflection to work, but it's still showing the local address in the logs. It's a problem for me because I have several web services that need to authenticate each other using a domain that needs to resolve to the correct external IP address.

      viragomann (Jan 25, 2019, 2:41 PM):

      Have you tried "NAT reflection + proxy" mode?

        rusoo7 @viragomann (Jan 25, 2019, 2:42 PM):

        @viragomann said in NAT Reflection with external IP from LAN:

        Have you tried "NAT reflection + proxy" mode?

        Yes, doesn't seem to make any difference.

          viragomann (Jan 25, 2019, 2:47 PM):

          It worked like a charm for me. The web application could access other ones on the same server.

          If you don't get it to work, why don't you set up an internal DNS (split DNS)?

            rusoo7 @viragomann (Jan 25, 2019, 2:50 PM):

            @viragomann said in NAT Reflection with external IP from LAN:

            If you don't get it to work, why don't you set up an internal DNS (split DNS)?

            Thank you for the quick replies, viragomann. My problem is not with accessing the same server from that server. My issue is that the web server is not reporting the correct IP when accessing itself.

              viragomann (Jan 25, 2019, 2:54 PM):

              That's how NAT reflection works.
              If you need the correct origin client IP set up split DNS.

                rusoo7 @viragomann (Jan 25, 2019, 3:04 PM, edited 3:34 PM):

                @viragomann said in NAT Reflection with external IP from LAN:

                That's how NAT reflection works.
                If you need the correct origin client IP set up split DNS.

                That's interesting ... so NAT Reflection is always reflecting the internal IP of the pfSense?

                I've actually tried to set up split DNS using the DNS Resolver. On the web server I've changed the DNS server to the pfSense LAN VIP, and now it's resolving to the actual LAN IP associated with the web server, but it is still internal. I've added a host override in the DNS Resolver for the domain > external IP, but it doesn't seem to do anything.

                EDIT:
                The last part was not exactly correct ... I just retested it. So when I set the host override domain > external IP, I can no longer load the site internally in my browser. I can ping the domain internally and it responds from the correct IP. The only way it seems to work is if I set domain > internal IP of the web server. Now I can load it internally, but my remote IP is now the internal IP I set in the DNS Resolver.

                  Derelict (Netgate) (Jan 25, 2019, 3:12 PM):

                  When NAT reflection is used to access a server on the same subnet as the connecting client you will lose the source IP address of the client.

                  This is because if the server receives a connection from the same subnet it is on, the reply will not go back to the firewall and the firewall TCP state will break.

                  This is generally considered poor network design.

                  Using Split DNS will solve this problem without NAT reflection.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

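The return-path argument in the post above, together with viragomann's split DNS suggestion earlier in the thread, can be checked with a small model. The following is an added example, not pfSense code and not anything posted in the thread: it encodes what source address the web server ends up logging under NAT reflection (pure NAT with automatic outbound NAT for reflection, and NAT + proxy) versus split DNS. The topology, hostnames and addresses are constructed (203.0.113.0/24 is documentation space, the internal ranges are RFC 1918), and the behaviour for a client on a different internal subnet under pure NAT is an assumption of the model, labelled as such in the code.

```python
"""Model of the source address an internal web server observes when an
internal client connects to the server's public hostname.

Added example for this thread; not pfSense code.  It follows the reasoning
in the thread: a reply from a server to a client on the same subnet goes
straight across the LAN and never passes the firewall, so a reflected
connection between them must also be source-NATed to the firewall's LAN
address or the firewall's TCP state breaks.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Firewall:
    wan_ip: str
    lan_ip: str
    lan_net: IPv4Net
    # (public address, port) -> internal address, i.e. the port forward
    port_forwards: dict


# Constructed topology: one firewall, a web server on LAN, and clients on
# LAN and on a second internal subnet that is routed via the firewall.
FW = Firewall(
    wan_ip="203.0.113.10",
    lan_ip="192.168.1.1",
    lan_net=ipaddress.ip_network("192.168.1.0/24"),
    port_forwards={("203.0.113.10", 443): "192.168.1.20"},
)
PUBLIC_DNS = {"www.example.com": "203.0.113.10"}
# Split DNS: the internal resolver's host override returns the LAN address.
INTERNAL_DNS = {"www.example.com": "192.168.1.20"}


def reply_path(server_ip: str, client_ip: str, fw: Firewall) -> list:
    """Hops the server's reply packet takes to reach the client."""
    a = ipaddress.ip_address(server_ip)
    b = ipaddress.ip_address(client_ip)
    if a in fw.lan_net and b in fw.lan_net:
        # Same subnet: the server ARPs for the client and delivers directly.
        return ["server", "client"]
    return ["server", "firewall", "client"]


def observed_source(client_ip: str, name: str, port: int, mode: str,
                    fw: Firewall = FW) -> tuple:
    """Return (address the client connected to, source address the server logs).

    mode:
      "pure_nat"  - NAT reflection, pure NAT mode with automatic outbound NAT
                    for reflection enabled (the setup discussed in the thread)
      "nat_proxy" - NAT reflection + proxy: the firewall terminates the TCP
                    connection and opens its own to the server
      "split_dns" - the internal resolver answers with the server's LAN address
    """
    if mode == "split_dns":
        target = INTERNAL_DNS[name]
        # No port forward is hit; the packet carries the client's own source
        # address whether it is switched directly or routed by the firewall.
        return target, client_ip

    target = PUBLIC_DNS[name]
    internal_ip = fw.port_forwards[(target, port)]

    if mode == "nat_proxy":
        # The proxy's connection to the server originates on the firewall.
        return target, fw.lan_ip

    if mode == "pure_nat":
        if "firewall" not in reply_path(internal_ip, client_ip, fw):
            # The server's reply would bypass the firewall, so the firewall
            # rewrites the source to its LAN address as well (what automatic
            # outbound NAT for reflection does); that is what the server logs.
            return target, fw.lan_ip
        # Assumption of this model: a client on another internal subnet is
        # only destination-NATed, since its replies return via the firewall.
        return target, client_ip

    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for client, mode in [("192.168.1.50", "pure_nat"),
                         ("192.168.1.50", "nat_proxy"),
                         ("10.0.2.7", "pure_nat"),
                         ("192.168.1.50", "split_dns")]:
        dst, src = observed_source(client, "www.example.com", 443, mode)
        print(f"{mode:10} client {client:13} -> {dst:15} server logs {src}")
```

The only mode in which a same-subnet client's address reaches the server is split DNS, which is why the host override has to map the name to the server's LAN address rather than the external one: pointing it at the external IP reintroduces the hairpin through the firewall. Check the override from a LAN client with `nslookup www.example.com` (or `dig`) against the pfSense LAN address and confirm the answer is the LAN IP before looking at the IIS logs.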
                    rusoo7 @Derelict (Jan 25, 2019, 3:17 PM):

                    @derelict said in NAT Reflection with external IP from LAN:

                    When NAT reflection is used to access a server on the same subnet as the connecting client you will lose the source IP address of the client.

                    This is because if the server receives a connection from the same subnet it is on, the reply will not go back to the firewall and the firewall TCP state will break.

                    This is generally considered poor network design.

                    Using Split DNS will solve this problem without NAT reflection.

                    Appreciate your reply. I wish I had asked this question 3 weeks ago when I set up the boxes.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.