NAT Reflection on 1:1 NAT



  • Hey,
    I've set up a couple of 1:1 NAT mappings, and while I can access them just fine from outside the network, they don't work from inside the network.

What can I do to fix this?  NAT reflection seems to be working for my NAT port forwards, just not for my 1:1 mappings.

    Some details:

    Running on Alix - 1.2.3-RC3 built on Wed Oct 7 02:41:14 UTC 2009

    I have the 1:1 mappings set up with virtual IPs (Proxy ARP)


  • Rebel Alliance Developer Netgate

    1:1 NAT doesn't work with NAT reflection, only with normal port forwards.

You would need to set up some kind of split DNS (check the doc wiki) and access by hostname instead of IP.



  • Is this planned for 2.0?


  • Rebel Alliance Developer Netgate

    I don't think so. I believe it is a limitation of pf.

NAT reflection is an ugly hack, no matter how you do it. Split DNS is the way to go.



  • Ok.
It is just that most other "simpler" products (like Linksys VPN routers, etc.) all support this just fine.  It would make my life easier rather than having to manage split DNS.
    In addition, my VPN server is set up with a 1-1 NAT.
    This means that if I use split DNS, clients (like laptops) that move from being on the network to off of it will inevitably be wrong at some point or another - either they will cache the "internal" address and then leave the network, or they will cache the "External" address and then come in to work.

    Any suggestions?



You can create a normal port forward on top of the 1:1 NAT.
    –> NAT reflection will work for this particular port forward.

    IMO the better way is to get rid of 1:1 NAT altogether and use normal port forwards with aliases.
    If you use this alias in the firewall and NAT rules you only have to manage this alias.



  • @althornin:

    Ok.
It is just that most other "simpler" products (like Linksys VPN routers, etc.) all support this just fine.  It would make my life easier rather than having to manage split DNS.

    I doubt any of those products is based on BSD, which uses pf (as has been mentioned, it is a limitation of pf).  I'd like it if pf didn't have that restriction, but it does…



  • @GruensFroeschli:

You can create a normal port forward on top of the 1:1 NAT.
    –> NAT reflection will work for this particular port forward.

    IMO the better way is to get rid of 1:1 NAT altogether and use normal port forwards with aliases.
    If you use this alias in the firewall and NAT rules you only have to manage this alias.

    Ok, but let's say I have (from ISP) a range of addresses:
    X.Y.Z.1-32

    X.Y.Z.1 is the gateway.

X.Y.Z.2 is the WAN IP on pfSense.
    LAN IP on pfsense is 192.168.13.1

    How can I port forward X.Y.Z.3:443 (for example) to an internal IP - say 192.168.13.34?
    Does this require the use of Virtual IPs?



  • Yes you can do that with VIPs.
    With advanced outbound rules you even can get the same functionality of 1:1 NAT where the traffic originating from the server appears as if from the VIP.



  • @GruensFroeschli:

    Yes you can do that with VIPs.
    With advanced outbound rules you even can get the same functionality of 1:1 NAT where the traffic originating from the server appears as if from the VIP.

    Can you give me an example?  What advanced outbound NAT settings would need to be set up to do that?  Because for VPN purposes, I'm certain that the traffic would need to come from the VIP.
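An added example of the rule set the two earlier replies describe (port forward on a VIP, outbound NAT so the server's own traffic leaves as the VIP, and a reflection rule so LAN clients can reach the public address). This is written in plain pf.conf syntax and is not from this thread or from the pfSense project; it assumes the WAN interface is em0, the LAN interface is em1, and uses the documentation range 203.0.113.0/27 as a constructed stand-in for the X.Y.Z.1-32 block above. pfSense 1.2.3 generates its own rules from the GUI (and implements reflection with a userland helper rather than with pf alone), so treat this as an illustration of what the NAT and outbound rules have to achieve, not as what the GUI emits.

```pf
# Added example, not from the thread. Assumptions: WAN = em0, LAN = em1,
# 203.0.113.0/27 stands in for the ISP block X.Y.Z.1-32 (constructed values).
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.13.0/24"
vip     = "203.0.113.3"       # virtual IP, answered via Proxy ARP on WAN
server  = "192.168.13.34"     # internal host that should own the VIP

# What a 1:1 mapping amounts to in pf: a binat rule on the WAN interface.
# It only matches packets crossing $ext_if, so a LAN client that sends to
# 203.0.113.3 never hits it. That is the "no reflection for 1:1" limitation.
# binat on $ext_if from $server to any -> $vip

# Replacement, step 1: a normal port forward (inbound only).
# 203.0.113.3:443 -> 192.168.13.34:443
rdr on $ext_if proto tcp from any to $vip port 443 -> $server port 443

# Step 2: outbound NAT for the server so its own connections leave as the
# VIP instead of the WAN address. This is the "advanced outbound NAT" part
# that gives the same source address a 1:1 mapping would (needed for the VPN
# peer to see the expected address).
nat on $ext_if from $server to any -> $vip

# Step 3: NAT reflection for LAN clients. Redirect on the LAN interface,
# then source-NAT to the firewall's LAN address so the server's replies come
# back through pf rather than straight to the client (which would break the
# state and leave the client with a half-open connection).
rdr on $int_if proto tcp from $lan_net to $vip port 443 -> $server port 443
nat on $int_if proto tcp from $lan_net to $server port 443 -> ($int_if)

# Filter rules still have to allow the translated traffic.
pass in on $ext_if proto tcp from any to $server port 443 flags S/SA keep state
pass in on $int_if proto tcp from $lan_net to $server port 443 flags S/SA keep state
```

Two things worth checking after loading rules like these: `pfctl -s nat` should show the rdr and nat lines in this order, and a reflected connection from a LAN client should appear in `pfctl -s state` with the firewall's LAN address as the source on the server side. That second point is also the cost of the reflection rule: the server logs every internal client as 192.168.13.1, which is one reason the split DNS approach is usually preferred over reflection.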

