NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat"
-
Not sure if this is the right place, but I notice that when using NAT + Proxy, NAT reflection works, but when using Pure NAT it does not. Is this working as designed, or is something else in place here? I tried finding an already open ticket but couldn't.
-
What exactly are you trying to accomplish? NAT reflection, no matter what mode you're trying to use, should really be a last-choice option, for working through some messed-up application that has your public IP hard coded, or uses external DNS that you cannot change.
The better solution is not to reflect at all, and just resolve the fqdn to your local IP.
But did you enable the automatic outbound NAT for reflection?
If you ask me, any sort of NAT reflection is just an abomination to all networking in general.. I would only use it if there was no other way.. Like some borked software that had an IP hard coded and no way to fix it.. Like the creator of said software died before you could publicly flog him for his sins..
-
@johnpoz yes, that setting is enabled and I am trying to access local services using my public/DDNS IP address.
-
Why not just use local DNS to resolve the local IP.. This is a much better solution.
-
@johnpoz is that a workaround or a solution u are offering? Because like I said, this works when using NAT + Proxy but not when using Pure NAT. Is this working as designed or a known bug?
-
The correct way to access local resources is to just resolve the FQDN to the local IP - and not use the abomination that is reflection.
If you are insistent on using reflection - why do you care if it's Pure NAT or NAT + Proxy? Both provide the same service of hairpinning your traffic, using up resources for no reason, and having your firewall do something that it shouldn't have to do.
Are you trying to use some protocol other than TCP or UDP? If you're saying it's working with NAT + Proxy.. I have to believe it's TCP or UDP.
Why do you think you want/need to use pure vs proxy - if you're saying it works with proxy.. Are you trying to do more than 500 ports or something?
What interface are you using - the auto outbound NAT for reflection doesn't work on all types of interface..
Are you just doing say 80 or 443 off your public IP to a local resource.. With both devices, client and server, on the LAN? If I had some details I could try and duplicate what you're doing to see what might be going on.
-
@johnpoz I am sorry for my ignorance, I am not tech savvy on pfSense. I can provide any detail u need as long as u walk me through it, or if I know how to get the info to u. All I know is that if NAT + Proxy is used then I can access local services such as 192.168.1.x:5000 (DSM DiskStation) using my public/DDNS address, but I can't if Pure NAT is used. Now I will need Pure NAT in the future once u guys fix this:
https://redmine.pfsense.org/issues/7727
https://forum.netgate.com/topic/154153/test-request-upnp-fix-for-multiple-consoles-playing-the-same-game-static-port-outbound-nat
-
@aniel said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
192.168.1.x:5000 (DSM DiskStation)
Dude, you have your DSM open to the public?? That is NOT a good idea at all!!
I also have a Synology NAS.. So I could for sure duplicate that.. Why would you do that.. Not a secure idea to open that to the public internet..
I access DSM pretty much every single day, multiple times a day.. Just hit it via its local DNS name, in my case nas.local.lan.. I have this as an entry in my pfSense DNS..
edit: BTW - it's not "u" guys.. It's the Netgate/pfSense guys - I have nothing to do with them.. I am just a glorified garbage man deleting spam ;) hehehe... Nothing more than a user like you with the ability to delete spam off the forum ;)
-
@johnpoz I was using DSM just as an example.
-
Ok, that's good to know :)
We could use that I guess to try and duplicate what you're seeing. But would it be safer to say just an https service.. I could open up a service, and then test doing NAT reflection. I do have a service open on 443.. But I just bounce off the reverse proxy.. Since it's a way of testing the reverse proxy that my users would be hitting at the same time.. And I have that doing SSL offload as well - so it serves a purpose to bounce off the proxy..
So is your big concern UPnP stuff? Is that why you want to use pure vs proxy? Just trying to figure out exactly what you're doing so I can duplicate it to see what could be the issue.
If you hadn't guessed - I'm not a fan of reflection ;) But more than happy to test what you're doing to figure out what could be the problem.
-
I agree that using split-brain DNS is a better solution than NAT reflection, but what if you are using just one free public A record for all your internal services? For example, in my setup:
x.ddns.net -> public IP
plex.home.arpa -> internal IP of PMS
deluge.home.arpa -> internal IP of deluge
I cannot do split-brain with one public A record and two internal A records. For split-brain to work, I would need a 1:1 mapping. Of course, that's doable with multiple free DNS hosting services.
-
Not following you..
Doesn't matter if you have only 1 public IP..
x.ddns.net points to 1.2.3.4 externally - your public IP.
Internally x.ddns.net points to 192.168.1.100 for example.
If you have plex.ddns.net pointing to 1.2.3.4 externally, and you have deluge.ddns.net pointing to 1.2.3.4.
Internally you would just point plex.ddns.net to 192.168.1.100, and deluge.ddns.net to say 192.168.1.101..
Even if both of those externally just point to your public IP.. That has nothing to do with what you do internally.
Are you saying that something like https://public.ddns.net:32400 sends you to plex, and https://public.ddns.net:4444 points you to deluge? Via your port forwards?
Use a reverse proxy so you can use different names on public, and not have to worry about the port.. And you can point multiple names to the same public IP..
Or just use different public names.. There is nothing saying you can only point X.ddns.net to your public IP.. You can point X and Y and Z.ddns.net to your same public IP..
I am not following what a single IP has to do with not being able to use split DNS??
-
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Not following you..
Doesn't matter if you have only 1 public IP..
x.ddns.net points to 1.2.3.4 externally - your public IP.
Internally x.ddns.net points to 192.168.1.100 for example.
If you have plex.ddns.net pointing to 1.2.3.4 externally, and you have deluge.ddns.net pointing to 1.2.3.4.
Internally you would just point plex.ddns.net to 192.168.1.100, and deluge.ddns.net to say 192.168.1.101..
Even if both of those externally just point to your public IP.. That has nothing to do with what you do internally.
I guess I did not explain myself properly. I wasn't referring to one public IP. I was referring to one public A record. For example, with No-IP I can only have up to three free A records. What if those three are all taken? One of them is SiteInQuestion.ddns.net and the other two I'm using for two other sites; essentially, I won't be able to differentiate between plex and deluge externally.
It would be a different story if I bought my own DNS hosting service where I can create plex.ddns.net and deluge.ddns.net externally and also create the corresponding internal A records for both, as you explained.
-
Use a different DDNS service then.. Not like there aren't 100's to choose from... Not understanding your limit here?
You could set a wildcard *.you.ddns.net all pointing to your public IP, then break out your actual names internally: plex.you.ddns.net, deluge.you.ddns.net etc..
-
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Use a different DDNS service then.. Not like there aren't 100's to choose from... Not understanding your limit here?
You could set a wildcard *.you.ddns.net all pointing to your public IP, then break out your actual names internally: plex.you.ddns.net, deluge.you.ddns.net etc..
You're right. There are lots of ways of doing it. I forgot about wildcards; I'll probably do that, but it's not like I have a lot of services exposed to the Internet. It's just plex and deluge, and I use Guacamole to access the rest or just VPN into my network to access their internal IPs.
-
Even if you only had 1 service - you could still set up a wildcard on your DDNS service. Now you can just use whatever name you want.. And not have to worry about editing your external DDNS setup, because you only have the 1 IP anyway. And allthings.yourddns.net is going to end up pointing to 1.2.3.4 externally anyway.
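As an added illustration of the wildcard plus internal-override setup johnpoz describes (example code written for this page, not from the thread, pfSense or Unbound), this Python model of a split-horizon resolver shows why a LAN client only needs NAT reflection for names that have no internal override; the names, the 1.2.3.4 public IP and the 192.168.1.0/24 addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed example data, not taken from the forum thread.
PUBLIC_IP = "1.2.3.4"                       # placeholder public IP, as used in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")

# What the DDNS provider answers: one wildcard record covers every name.
EXTERNAL_ZONE = {"*.you.ddns.net": PUBLIC_IP}

# What the LAN resolver answers instead (pfSense DNS Resolver host overrides).
INTERNAL_OVERRIDES = {
    "plex.you.ddns.net": "192.168.1.100",
    "deluge.you.ddns.net": "192.168.1.101",
}


def _external_lookup(name: str) -> Optional[str]:
    """Exact record first, then the closest enclosing wildcard label."""
    if name in EXTERNAL_ZONE:
        return EXTERNAL_ZONE[name]
    labels = name.split(".")
    # "*.you.ddns.net" matches any name with at least one label to its left,
    # but not the apex "you.ddns.net" itself.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in EXTERNAL_ZONE:
            return EXTERNAL_ZONE[candidate]
    return None


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Split-horizon answer: LAN clients get the override, everyone else the public record."""
    name = name.rstrip(".").lower()
    if ipaddress.ip_address(client_ip) in LAN and name in INTERNAL_OVERRIDES:
        return INTERNAL_OVERRIDES[name]
    return _external_lookup(name)


def needs_reflection(name: str, client_ip: str) -> bool:
    """True when a LAN client would be handed the public IP, so the connection
    only works if the firewall hairpins it (NAT reflection)."""
    answer = resolve(name, client_ip)
    if answer is None:
        return False
    return (ipaddress.ip_address(client_ip) in LAN
            and ipaddress.ip_address(answer) not in LAN)
```

Every name you add only externally (via the wildcard) and forget to override internally is one that still depends on reflection from the LAN.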
-
@johnpoz said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":
Even if you only had 1 service - you could still set up a wildcard on your DDNS service. Now you can just use whatever name you want.. And not have to worry about editing your external DDNS setup, because you only have the 1 IP anyway. And allthings.yourddns.net is going to end up pointing to 1.2.3.4 externally anyway.
Yes, that makes total sense. I'll have to check for a DDNS service that offers a free wildcard then. I don't think No-IP has free wildcards.
-
@johnpoz my question/issue was very specific. I didn't ask how to do things differently.
-
And if you don't tell us the specific thing you're doing - how can I look to see what might be going on?
Not an example - what specifically... So you just have something.domain.tld forwarded on 443 to 192.168.1.100, and when you try and hit it from 192.168.1.101 it's not working?
Unless you use proxy vs pure?
-
@johnpoz exactly. I can access my services either using their local LAN IP or using DDNS (NAT reflection) when using NAT + Proxy, but not when using Pure NAT. I have read that Pure NAT is better than NAT + Proxy, and I would also need it once Netgate fixes this issue: (https://redmine.pfsense.org/issues/7727). Those are the two reasons why I need and want to use Pure NAT.
-