Reflection NAT using WAN Address as Source IP
-
Hi
I have configured Reflection NAT in my lab to test a DNS View problem. The DNS server is configured with an internal LAN IP address and has two DNS views; all queries from the internal LAN are processed on the DNS Internal view. All queries to the DNS server's public address are port forwarded to the internal DNS server and are correctly resolved using the external DNS view. In order to allow the internal clients to resolve the public DNS zones I have created a DNS forward zone to forward to the public DNS server IP addresses. When I attempt this query it is refused because the Reflection NAT causes the DNS query to come from the pfSense LAN address.
If I set the match client list for the internal DNS view to block queries from the pfSense LAN IP address then the query is processed correctly, but pfSense cannot query the internal zones.
Is it possible to get Reflection NAT to use the WAN address as the source address, or do I have to create individual NAT rules?
Could having a checkbox option for Reflection NAT to use the WAN address instead of the LAN address be a feature request?
-
@vortex21 said in Reflection NAT using WAN Address as Source IP:
I have configured Reflection NAT in my lab to test a DNS View problem. The DNS server is configured with an internal LAN IP address and has two DNS views, all queries from the internal lan are processed on the DNS Internal view.
I'm wondering about the reason for using NAT reflection.
Why don't you simply forward packets to the DNS servers?
@vortex21 said in Reflection NAT using WAN Address as Source IP:
Is it possible to get Reflection NAT to use the WAN address as the source address, or do I have to create individual NAT rules?
Yes, you will need to add an outbound NAT rule for that.
You might have to switch into hybrid mode if the outbound NAT is still working in automatic mode.
Add a rule and limit the protocol to TCP/UDP and the port to 53 (or even 853 in case of DoT), enter the DNS server's IP at destination, go down and select the WAN IP from the Translation address drop-down.
Anyway, when forwarding DNS requests, an outbound NAT rule will be needed as well.
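The following pf ruleset fragment is an added illustration of what the reply describes, written in the pf.conf syntax that pfSense generates from its GUI rules; it is not taken from the thread or from pfSense itself. The interface name and all addresses (192.168.1.0/24 LAN, 192.168.1.1 pfSense LAN address, 192.168.1.10 internal DNS server, 203.0.113.5 WAN address) are constructed for the example.

```pf
# Constructed for this example; substitute your own interface and addresses.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"
dns_srv = "192.168.1.10"
wan_ip  = "203.0.113.5"

# NAT reflection: a LAN client querying the public address is redirected
# to the internal DNS server.
rdr on $lan_if inet proto { tcp udp } from $lan_net to $wan_ip port 53 -> $dns_srv port 53

# What reflection's automatic outbound NAT does: the reflected query leaves
# pfSense with the LAN interface address as source, so BIND's internal view
# (match-clients covering the LAN subnet) picks it up. Shown disabled here.
# nat on $lan_if inet proto { tcp udp } from $lan_net to $dns_srv port 53 -> $lan_ip

# Manual outbound NAT rule from the reply: for DNS traffic to the internal
# server, translate the source to the WAN address instead, so the query
# is classified by the external view. pf uses first-match for nat rules,
# and pfSense hybrid mode evaluates manual rules before automatic ones,
# so this rule must precede the automatic LAN-address translation.
nat on $lan_if inet proto { tcp udp } from $lan_net to $dns_srv port { 53 853 } -> $wan_ip
```

This works because the DNS server routes its replies to 203.0.113.5 through pfSense (the WAN address is off-subnet), where the state entry reverses the translation. Restricting the rule to ports 53 and 853 keeps every other LAN-to-server flow on its normal source address, so only DNS classification changes.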