Netgate Discussion Forum

    NAT Reflection only working after adding NAT rule on LAN interface too

      MichaelDV

      Hi guys,

      I have run into the following issue on a pfSense (this one is on 2.4.4-p3, but I have seen the same issue happen on other ones as well). It's a typical scenario where you need NAT reflection (split DNS is not an option as there is another party managing the DNS for this network and they are not up for doing that change):

      Basically the network behind the pfSense has IP cameras that need to be reachable via one of the virtual IPs on the firewall. However, from the inside they cannot reach them. When we test from a local subnet behind the pfSense, this seems to be correct, and does not work (I'll omit some IPs for obvious reasons):

      <cpe>telnet vpn-instance <omitted> -a 10.10.14.1 <virtual ip> 8080
      Press CTRL_] to quit telnet mode
      Trying <omitted> ...
      Error: Can't connect to the remote host

      This is simply configured with a NAT port forward on the WAN interface, from the virtual IP to the internal IP:
      natrflection-1.png

      If I enable NAT Reflection on this rule, it changes nothing and I get the same end result.

      If I, however, add the following rule towards the LAN interface (notice the lack of filter rule btw), it works:
      natrflection-2.png

      <cpe>telnet vpn-instance <omitted> -a 10.10.14.1 <virtual ip> 8080
      Press CTRL_] to quit telnet mode
      Trying <virtual ip> ...
      Connected to <virtual ip> ...

      And on the pfSense in the States table:
      States
      LAN tcp 10.10.14.1:63169 -> 10.14.14.56:8080 (<virtual ip>:8080) ESTABLISHED:ESTABLISHED 3 / 2 133 B / 84 B

      So it seems I never got NAT reflection working as it should. Can anyone explain to me what I am missing, or why it actually works when I add the rule towards the LAN interface above? I would love to know how to configure it properly.

      And if I need to provide more information, happy to do so obviously!

      Thanks in advance! :)
      edit: formatting

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.