Disable NAT reflection for some NAT rules



  • Hello,

    Do you know if it's possible to disable NAT reflection just for some specific NAT rules and leave it enabled for all the other rules?

    Another related question is: how does pfSense decide whether a reflection NAT rule should be created for an interface? What are the criteria for considering an interface internal?

    To give you the context, I'm running a Dual Wan config (interface WAN and OPT1 are my internet connections) with 4 internal LANs (LAN, OPT2, OPT3, OPT4).

    I have enabled NAT reflection to reach the WAN/OPT1 public IPs from LAN/OPT2/OPT3/OPT4.

    This works fine.

    My issue is with the following NAT ruleset. I need to do source-based port forwarding.
    The goal is to redirect outgoing traffic to "any" on port 9080/tcp to internal servers with different IPs, depending on where the traffic is coming from.

    I have configured the following in the port forward section (em1=LAN, em2=OPT2, em3=OPT3, em4=OPT4).

    rdr on em1 proto tcp from any to any port { 9080 } -> 192.168.128.70 (if traffic is coming from em1 to any on port 9080, redirect it to 192.168.128.70)
    rdr on em2 proto tcp from any to any port { 9080 } -> 192.168.129.83 (if traffic is coming from em2 to any on port 9080, redirect it to 192.168.129.83)

    Without NAT reflection, this does work.
    With NAT reflection, the following is created just after the 1st NAT rule:

    Reflection redirects

    rdr on $lan proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19084
    rdr on $OPT2 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19085
    rdr on $OPT3 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19086
    rdr on $OPT4 proto tcp from any to any port { 9080 } -> 127.0.0.1 port 19087

    And from there, my second NAT rule is useless, as from then on every connection to "any" on port 9080 matches the 1st NAT rule and is redirected to 192.168.128.70.
    That's why I'd like to disable NAT reflection only for this particular case.
    Is it possible?
    Or maybe let pfSense know that it doesn't need to create NAT reflection, as no public IP is configured here, only "internal" interfaces.

    Thanks for your help.



  • @infratek:

    Do you know if it's possible to disable NAT reflection just for some specific NAT rules and leave it enabled for all the other rules?

    Not currently, but it seems like a nice feature to add for v2!   ;)

    @infratek:

    Another related question is: how does pfSense decide whether a reflection NAT rule should be created for an interface? What are the criteria for considering an interface internal?

    It looks for a gateway address on the interface.  If it has a gateway, it won't set up a NAT reflection rule on it.

    pfSense attempts to set up reflection rules for the first 1000[1] port forwards it sees.  So I guess you could set up a bogus port forwarding rule that spans a bunch of ports; then any rules below that won't have a reflection rule created for them.

    @infratek:

    Or maybe let pfSense know that it doesn't need to create NAT reflection, as no public IP is configured here, only "internal" interfaces.

    Hmm, yes.  If pfSense could figure out that the destination IP address was part of a subnet on one of the "internal" interfaces (an interface that doesn't have a gateway), it could skip the creation of NAT reflection rules for that port forward.

    Could almost be considered a bug, but is at least a worthy enhancement request.

    I don't know if either of these issues has been logged as a ticket or not; it may be worth searching for and entering them.

    [1] OK, so it's not exactly the first 1000 port forwards in all cases.  For every port that gets forwarded, one NAT reflection rule will get created for each internal interface you have.  Since you have 4 internal interfaces, you will get 4 NAT reflection rules per port, which limits you to 250 NAT-reflected ports.
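    The shadowing that the first post describes and the second post explains can be reproduced with a small model of pf's top-down, first-match rdr evaluation. The following is an added example, not code from this thread or from pfSense: it takes the two port forwards and the four reflection rules exactly as listed above, and assumes (as the first post observes) that each 127.0.0.1:1908x reflection listener relays to the target of the port forward that caused it, i.e. 192.168.128.70. The resolve() function reports where a connection entering on a given interface to port 9080 finally lands, and shadowed_forwards() lists port forwards that an earlier rule on the same interface makes unreachable.

```python
"""Model of pf rdr first-match evaluation, showing how pfSense's auto-generated
NAT reflection rules shadow a later source-based port forward (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rdr:
    """One rdr rule: attached interface, matched destination ports, redirect
    target address and (optional) target port; `note` is a human label."""
    iface: str
    ports: range
    target: str
    target_port: Optional[int] = None
    note: str = ""


# The two source-based port forwards from the first post (constructed from it).
PORT_FORWARDS = [
    Rdr("em1", range(9080, 9081), "192.168.128.70", note="forward #1"),
    Rdr("em2", range(9080, 9081), "192.168.129.83", note="forward #2"),
]

# Reflection rules pfSense inserted right after forward #1 (loopback ports as
# listed in the post); all of them send the connection to the reflection proxy.
REFLECTION_RULES = [
    Rdr("em1", range(9080, 9081), "127.0.0.1", 19084, "reflection for #1 on LAN"),
    Rdr("em2", range(9080, 9081), "127.0.0.1", 19085, "reflection for #1 on OPT2"),
    Rdr("em3", range(9080, 9081), "127.0.0.1", 19086, "reflection for #1 on OPT3"),
    Rdr("em4", range(9080, 9081), "127.0.0.1", 19087, "reflection for #1 on OPT4"),
]

# Assumption: each loopback listener relays to the port forward that caused it,
# which is forward #1 in every case here.
REFLECTION_PROXY = {p: ("192.168.128.70", 9080) for p in (19084, 19085, 19086, 19087)}


def ruleset(with_reflection: bool):
    """Rule order as pf sees it: reflection rules directly after forward #1."""
    if not with_reflection:
        return list(PORT_FORWARDS)
    return [PORT_FORWARDS[0], *REFLECTION_RULES, PORT_FORWARDS[1]]


def first_match(rules, iface: str, dport: int):
    """pf evaluates rdr rules top-down and takes the first matching one."""
    for r in rules:
        if r.iface == iface and dport in r.ports:
            return r
    return None


def resolve(iface: str, dport: int, with_reflection: bool):
    """Final (address, port) a TCP connection entering on `iface` to `dport`
    reaches, following a reflection rule through the loopback proxy."""
    r = first_match(ruleset(with_reflection), iface, dport)
    if r is None:
        return None
    if r.target == "127.0.0.1":
        return REFLECTION_PROXY[r.target_port]
    return (r.target, r.target_port or dport)


def shadowed_forwards(with_reflection: bool):
    """Notes of port forwards that can never match because an earlier rule on
    the same interface already covers every port they match."""
    rules = ruleset(with_reflection)
    shadowed = []
    for i, r in enumerate(rules):
        if r.target == "127.0.0.1":
            continue  # only report the operator's own port forwards
        earlier = rules[:i]
        if any(e.iface == r.iface and all(p in e.ports for p in r.ports) for e in earlier):
            shadowed.append(r.note)
    return shadowed


if __name__ == "__main__":
    for refl in (False, True):
        print(f"reflection {'on' if refl else 'off'}:")
        for iface in ("em1", "em2"):
            print(f"  {iface} -> port 9080 lands at {resolve(iface, 9080, refl)}")
        print("  shadowed port forwards:", shadowed_forwards(refl))
```

    With reflection off, a connection on em2 reaches 192.168.129.83 as intended; with reflection on, the OPT2 reflection rule sits above forward #2, so the same connection ends up at 192.168.128.70 and forward #2 is reported as shadowed. This is the behaviour to check in a generated ruleset (for example by reviewing the rdr section of the loaded rules) before relying on per-interface port forwards together with reflection.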



  • Hi,
    I have a problem: I can't access my website from inside the LAN, but I can access it from the outside internet. I have assigned one of the virtual IPs with all ports forwarded to a single IP, but internal access to that IP using the public IP is not working. I read the forum and unchecked "disable NAT reflection", also with no luck. Can you help me?

