Netgate Discussion Forum

    Disable NAT reflection for some NAT rules

Category: NAT

infratek:

      Hello,

Do you know if it's possible to disable NAT reflection just for some specific NAT rules and leave it enabled for all the other rules?

Another related question: how does pfSense decide whether a reflection NAT rule should be created for an interface? What is the criterion for considering an interface internal?

To give you the context, I'm running a dual-WAN config (interfaces WAN and OPT1 are my internet connections) with 4 internal LANs (LAN, OPT2, OPT3, OPT4).

I have enabled NAT reflection to reach the WAN/OPT1 public IPs from LAN/OPT2/OPT3/OPT4.

      This works fine.

My issue is with the following NAT ruleset. I need to do source-based port forwarding.
The goal is to redirect outgoing traffic to "any" on port 9080/tcp to internal servers with different IPs, depending on where the traffic is coming from.

I have configured the following in the port forward section (em1=LAN, em2=OPT2, em3=OPT3, em4=OPT4).

rdr on em1 proto tcp from any to any port { 9080 } -> 192.168.128.70 (if traffic is coming in on em1 to any on port 9080, redirect it to 192.168.128.70)
rdr on em2 proto tcp from any to any port { 9080 } -> 192.168.129.83 (if traffic is coming in on em2 to any on port 9080, redirect it to 192.168.129.83)

      Without NAT reflection, this does work.
With NAT reflection, the following is created just after the 1st NAT rule:

      Reflection redirects

      rdr on $lan proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19084
      rdr on $OPT2 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19085
      rdr on $OPT3 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19086
      rdr on $OPT4 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19087

And from there, my second NAT rule is useless, as from now on every connection to "any" on port 9080 matches the 1st NAT rule and is redirected to 192.168.128.70.
That's why I'd like to disable NAT reflection only for this particular case.
Is it possible?
Or maybe tell pfSense that it doesn't need to create NAT reflection rules here, as no public IP is configured, only "internal" interfaces.

      Thanks for your help.

drees:

        @infratek:

        Do you know if it's possible to disable NAT reflection just for some specific NAT rules and let it enabled for all the other rules ?

        Not currently, but seems like a nice feature to add for v2!   ;)

        @infratek:

        Another related question is : How does pfsense decide if a reflection NAT rule should be created for an interface ? What is the criteria to consider an interface as internal ?

        It looks for a gateway address on the interface.  If it has a gateway interface, it won't set up a nat reflection rule on it.

        pfSense attempts to set up port forwarding rules for the first 1000[1] rules it sees.  So I guess, you could set up a bogus port forwarding rule that spans a bunch of ports, then any rules below that won't have a port forwarding rule created for it.

        @infratek:

        Or maybe let pfsense that it doesn't need to create NAT reflection as no public ip is configured here, only "internal" interfaces.

Hmm, yes.  If pfSense could figure out that the destination IP address was part of a subnet on one of the "internal" interfaces (an interface that doesn't have a gateway), it could skip the creation of NAT reflection rules for that port forward.

        Could almost be considered a bug, but is at least a worthy enhancement request.

        I don't know if either of these issues have been logged as tickets or not, may be worth searching for and entering.

        [1] OK, so it's not exactly the first 1000 port forwards in all cases.  For every port that gets forwarded, one NAT reflection rule will get created for each internal interface you have.  Since you have 4 internal interfaces, you will get 4 NAT reflection rules which limits you to 250 NAT reflected ports.

ktm_as:
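The ordering problem infratek describes (a reflection redirect for the first port forward lands on OPT2 before the second port forward and shadows it) and the per-interface expansion drees describes in his footnote can both be reproduced with a small model of pf's first-match rdr evaluation. The following is an added example, not code from the thread or from pfSense: it expands a list of port forwards the way the thread says pfSense does (one extra rdr per interface without a gateway, inserted right after the originating rule, up to the 1000-rule figure from drees' post), resolves a connection by first match, and lists port forwards that can never match. Interface names, the gateway flags, the proxy-port numbering and the assumption that each 127.0.0.1 reflection port forwards to its originating rule's target are constructed for the example.

```python
"""Model of pf first-match rdr evaluation with pfSense-style NAT reflection.

Added example for the thread, not pfSense's own code. The reflection proxy
behaviour (each 127.0.0.1 port forwards to the target of the port forward it
was generated for) and the interface table are assumptions.
"""
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple

# Constructed interface table matching the poster's layout: WAN/OPT1 carry a
# gateway (uplinks); LAN/OPT2..OPT4 do not. Per drees' post, interfaces
# without a gateway are the ones that receive reflection redirects.
INTERFACES = {
    "em0": ("WAN", "203.0.113.1"),     # gateway present -> external (assumed address)
    "em5": ("OPT1", "198.51.100.1"),   # gateway present -> external (assumed address)
    "em1": ("LAN", None),
    "em2": ("OPT2", None),
    "em3": ("OPT3", None),
    "em4": ("OPT4", None),
}

# The two port forwards from the first post.
THREAD_FORWARDS = [("em1", 9080, "192.168.128.70"),
                   ("em2", 9080, "192.168.129.83")]


@dataclass(frozen=True)
class Rdr:
    iface: str                           # interface the rdr applies to ("on em1")
    port: int                            # destination port matched
    target: str                          # "ip" or "127.0.0.1:port"
    reflection_of: Optional[str] = None  # target of the port forward this reflects


def internal_interfaces() -> List[str]:
    """Interfaces with no gateway, i.e. the ones that get reflection rules."""
    return [ifn for ifn, (_, gw) in INTERFACES.items() if gw is None]


def build_ruleset(forwards: List[Tuple[str, int, str]], reflection: bool = True,
                  reflection_limit: int = 1000) -> List[Rdr]:
    """Expand GUI port forwards into the rdr list pf evaluates.

    With reflection on, one reflection rdr per internal interface is inserted
    directly after each port forward (the placement the poster observed),
    targeting a local proxy port, until reflection_limit redirects exist.
    """
    rules: List[Rdr] = []
    proxy_port = count(19084)  # first proxy port in the poster's output
    generated = 0
    for iface, port, target in forwards:
        rules.append(Rdr(iface, port, target))
        if not reflection:
            continue
        for int_if in internal_interfaces():
            if generated >= reflection_limit:
                break
            rules.append(Rdr(int_if, port, "127.0.0.1:%d" % next(proxy_port),
                             reflection_of=target))
            generated += 1
    return rules


def resolve(rules: List[Rdr], in_iface: str, dport: int) -> Optional[str]:
    """First-match rdr lookup; a reflection hit is followed to its real target."""
    for r in rules:
        if r.iface == in_iface and r.port == dport:
            return r.reflection_of if r.reflection_of else r.target
    return None


def shadowed(rules: List[Rdr]) -> List[Rdr]:
    """Port forwards that an earlier rule on the same interface/port always
    wins over, so they can never match. Reflection rdrs are not reported."""
    seen = set()
    dead = []
    for r in rules:
        key = (r.iface, r.port)
        if key in seen and r.reflection_of is None:
            dead.append(r)
        seen.add(key)
    return dead


def reflected_port_capacity(reflection_limit: int = 1000) -> int:
    """Ports that can be reflected before the limit is hit (drees' arithmetic)."""
    return reflection_limit // len(internal_interfaces())


def to_pf(r: Rdr) -> str:
    """Render a rule in the pf syntax shown in the thread."""
    return "rdr on %s proto tcp from any to any port { %d } -> %s" % (
        r.iface, r.port, r.target.replace(":", " port "))


if __name__ == "__main__":
    rules = build_ruleset(THREAD_FORWARDS)
    for r in rules:
        print(to_pf(r))
    print("em2 -> 9080 resolves to", resolve(rules, "em2", 9080))
    print("never matching:", [to_pf(r) for r in shadowed(rules)])
```

Running it prints the expanded ruleset in the order the poster saw it and shows that a connection arriving on em2 ends up at 192.168.128.70 (via the OPT2 reflection redirect) rather than at 192.168.129.83; with `reflection=False` the same lookup returns 192.168.129.83 and `shadowed()` is empty.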

          Hi,
I have a problem: I can't access a website from inside the LAN, but I can access it if I use the outside internet. I have assigned one of the virtual IPs with all ports forwarded to a single IP, but internal access to that IP via the public IP is not working. I read the forum and unchecked "Disable NAT reflection" too, with no luck. Can you help me?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.