NAT Reflection Auto Outbound NAT
-
Hoping I can get some clarification about exactly what is going on with this hairpin NAT setup I have going; everything is working as expected, but I feel like it shouldn't...
So in short I have a web server that is on another VLAN, due to reasons I can't use split DNS, so I made sure NAT Reflection is set up with Pure NAT, then added a rule on the main LAN address to allow connections to that web server on the VLAN.
Everything works, but here is where I'm confused: I do NOT have "Enable automatic outbound NAT for Reflection" checked, so shouldn't this rule not work? As in, shouldn't the web server be trying to reply back from its local IP, which would break this entire connection?
In another similar setup with pfSense I have basically the same configuration but I have this checked, and that works fine too, seemingly no difference.
-
@planedrop Wait, maybe I have this figured out, is this quite literally just because they are on different VLANs?
Basically, the server has no knowledge of the other VLAN so it just sends it back out the default gateway and then the NAT rules happen as they should, BUT if things were on the same VLAN the server would attempt responding back to that local IP instead of through the firewall, which would break the connection.
So then this option also NATs the source address to that of the firewall's address on that VLAN so the reply from the server routes back through and can be NATed again?
-
@planedrop I’m actually not sure where that setting is without looking. :) Outbound NAT is typically choosing the public IP used towards the Internet.
The port reflection will cause the router to forward towards the server. The server will reply to its gateway because the source IP isn’t in its subnet. The router forwards the reply packet to the LAN IP because it knows where that subnet is. Outbound NAT shouldn’t be involved here.
Why not split DNS? pfSense has a host override in DNS so you could specify the VLAN IP of the server there.
-
@SteveITS This is the setting within the Advanced > Firewall & NAT settings, but I think I have a proper understanding of it now: with or without this setting enabled, services on another subnet will still work just fine, but if the server/service is on the SAME subnet as a device, then you have to have this checked or the server will just ARP and respond directly to the client.
As for split DNS, it's a long story; the AD environment this is running in makes split DNS not an option.
-
@planedrop If the device and server (both IPs) are on the same network packets do not go through the router.
Re AD, Windows DNS can forward to pfSense, or pfSense can have a domain override for the AD zone.
-
@SteveITS Correct, but this is in relation to NAT reflection, so the IP is being accessed externally.
I just didn't understand this setting until now. All it's doing is NATing the source IP to the router's IP on that interface; this way, if the client tries to connect to the web server's public IP but the web server is on the same subnet as the client, the web server itself sees the connection coming from the router's default gateway IP, so it responds back to the router instead of trying to connect directly to the client (since they're on the same layer 2), so that NAT reflection can NAT things back like it should.
I was trying to figure out why NOT having this setting enabled under Advanced > Firewall & NAT was still working, but that was simply because the NATing of the source was not necessary, since the web server is on its own subnet, so the web server is going to reply to the default gateway on its subnet regardless.
As for split DNS, that is exactly what I would normally do, but this is a bit more complex of an environment. NAT reflection works perfectly in the meantime; I was just trying to be sure I fully understood the settings I was looking at.
All makes sense now though! Appreciate the replies here.
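A small Python model of the routing logic worked out in this thread, added here as an illustration (it is not code from the posts or from pfSense): it traces a client connecting to the reflected WAN IP and shows why the reply only reaches the router when the client is on another subnet or the source has been rewritten to the router's address. All addresses are constructed.

```python
"""Model of Pure NAT reflection with and without
'Enable automatic outbound NAT for Reflection'.

Added example, not from the thread; the topology below is constructed."""
import ipaddress

WAN_IP = "203.0.113.10"                  # public IP the client connects to
ROUTER = {"LAN": "192.168.1.1", "VLAN": "192.168.10.1"}
SERVER = {"ip": "192.168.10.50", "net": "192.168.10.0/24",
          "gw": ROUTER["VLAN"]}          # server's default gateway


def server_next_hop(dst):
    """The server's own routing decision: an on-link destination is reached
    directly (ARP), anything else is handed to the default gateway."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(SERVER["net"]):
        return dst
    return SERVER["gw"]


def hairpin(client_ip, reflect_outbound_nat):
    """Trace client -> WAN_IP through reflection and return the source IP
    the client sees in the reply.  The flow only matches the client's state
    table entry if that source is WAN_IP, the address it sent to."""
    # 1. Router rewrites destination WAN_IP -> SERVER["ip"] (reflection).
    # 2. With the option on, it also rewrites the source to its own IP on
    #    the server's interface (automatic outbound NAT for reflection).
    src_seen_by_server = ROUTER["VLAN"] if reflect_outbound_nat else client_ip
    # 3. The server replies to whatever source it saw.
    hop = server_next_hop(src_seen_by_server)
    if hop != ROUTER["VLAN"]:
        # Reply went straight to the client over layer 2, bypassing the
        # router: the client sees the private server IP, state mismatch.
        return SERVER["ip"]
    # Reply reached the router, which reverses both translations.
    return WAN_IP


def connection_works(client_ip, reflect_outbound_nat):
    return hairpin(client_ip, reflect_outbound_nat) == WAN_IP


if __name__ == "__main__":
    for client in ("192.168.1.20", "192.168.10.20"):      # other VLAN / same VLAN
        for option in (False, True):
            print(f"client {client:15} outbound-NAT={option!s:5} "
                  f"reply from {hairpin(client, option)} "
                  f"-> {'works' if connection_works(client, option) else 'breaks'}")
```

The LAN client (192.168.1.20) works either way, which matches what the thread observed; only the same-subnet client depends on the option.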