Multi WAN NAT Reflection Understanding
-
Been trying to wrap my brain around this one, but I can't seem to figure out the solution. I know the best way to do this is with host overrides, and I plan to do that in the future, but I want to understand this for my own education's sake.
I have a Minecraft server running on default ports in a DMZ. Said DMZ is connected to WAN1. I can see and connect to the MC server from an external IP, so I know the server is working and the port forward is working.
However, when I try to connect from a PC in LAN that is using WAN2 (completely different IP address) I can't connect to the server in the DMZ.
I have NAT reflection enabled, and I think this is mucking with it, but I'm not sure what the solution is. I can packet capture and see the PC sending a request to WAN1IP:25565, but I never see that appear on a WAN1 packet capture or a DMZ packet capture.
Any idea what is happening here? Something to do with reflection is damaging this I'm sure.
-
@planedrop Do you really need to do NAT reflection? Split-brain DNS is way better... if you've got the means and infrastructure to pull it off. Split-brain DNS is basically just different records depending on whether you're internal or external. So say your domain is
mc.example.com
the A record returned by public DNS would be the external WAN IP. But for internal clients, you'd just configure Unbound to return your RFC1918 address instead. Clients are smart enough to flush DNS cache when bouncing around between networks, at least they should be. Really the question is not how to make NAT reflection work, but how to accomplish the desired behavior without NAT reflection. Eventually, too, you'll find weird edge cases where certain applications just absolutely tip over when reached via NAT reflection. It's a hack. I'd recommend avoiding it.
-
@theonemcdonald I'm definitely right there with you, and that is the end game plan anyway. But this is something I still want to troubleshoot and understand myself if possible. In some edge case in the future where I really need NAT reflection, not that it's even likely to come up, I'd like to understand it better.
I've had NAT reflection working plenty with single WAN before but the second WAN is confusing me (trying to connect cross WAN so to speak).
I'm not even sure how to describe what I'm thinking NAT reflection is doing with dual WAN though, so it's hard to figure out specifically what I'm missing.
-
@planedrop said in Multi WAN NAT Reflection Understanding:
However, when I try to connect from a PC in LAN that is using WAN2 (completely different IP address) I can't connect to the server in the DMZ.
I guess that means you're policy routing the traffic from the LAN to the WAN2 gateway.
To access the DMZ host you need to add a pass rule for that destination above the policy routing without a gateway specified.
-
@viragomann Thanks, this just might work, appreciate the input!! Sorry for not getting back sooner, been a busy weekend rebuilding a small datacenter lol.
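To make @viragomann's rule-ordering point concrete, here is an added pf.conf sketch (not rules taken from this thread or generated by pfSense; interface names and addresses are constructed placeholders) showing why the reflected packet disappears from the LAN capture and how the extra pass rule fixes it:

```pf
# Constructed placeholders; substitute your own interfaces and addresses.
lan_if   = "lan"
dmz_if   = "dmz"
wan2_if  = "wan2"
wan1_ip  = "203.0.113.10"      # public address the port forward listens on
wan2_gw  = "198.51.100.1"      # gateway the LAN is policy-routed to
lan_net  = "192.168.10.0/24"
dmz_net  = "192.168.20.0/24"
dmz_host = "192.168.20.5"      # Minecraft server
mc_port  = "25565"

# Translation runs BEFORE filtering. A LAN client connecting to
# $wan1_ip:$mc_port is rewritten here to $dmz_host:$mc_port, so every filter
# rule below sees the DMZ host as the destination, not the WAN1 address.
rdr on $lan_if proto tcp from $lan_net to $wan1_ip port $mc_port \
    -> $dmz_host port $mc_port
# Pure-NAT reflection also rewrites the source so the server's replies come
# back through the firewall instead of going straight to the LAN client.
nat on $dmz_if proto tcp from $lan_net to $dmz_host port $mc_port -> ($dmz_if)

# BROKEN ordering (commented out): the policy-routing rule is the first match,
# "to any" covers the already-rewritten destination $dmz_host, and route-to
# pushes the packet out WAN2. It never reaches the DMZ, which is exactly what
# the WAN1 and DMZ captures in the thread failed to show.
# pass in quick on $lan_if route-to ($wan2_if $wan2_gw) from $lan_net to any keep state

# FIXED ordering: a plain pass rule for the DMZ destination, with no gateway,
# sits ABOVE the policy-routing rule, so reflected traffic follows the normal
# routing table into the DMZ; everything else still goes out WAN2.
pass in quick on $lan_if proto tcp from $lan_net to $dmz_net keep state
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) from $lan_net to any keep state
```

In the pfSense GUI the same fix is a LAN rule with destination set to the DMZ network and the gateway left at "default", placed above the rule that selects the WAN2 gateway.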