Weird NAT reflection with a webserver behind NAT

  • Okay, I may have chosen a bit of a strange name for this thread, but here's the deal. I've recently swapped my home Linksys WRT54GL router with an Alix-2D13 and installed pfSense 1.2.2 embedded on it to give it a try. I've managed to set up the main configuration parts for now (interfaces, PPPoE, DHCP, port forwards, NAT), and the router is in a working state. But there's one thing about the router that's misbehaving. I'm not sure whether this is a misconfiguration or a bug in pfSense (I think the former is more likely).

    Anyway, I host an HTTP webserver on my home network and I expect it to be reachable from any external IP address as well as any internal LAN address. The webserver is normally accessible by a domain i.e. I have set up a single port forwarding rule on the WAN interface that forwards any TCP request with dest port 80 to the internal IP address of the webserver. Obviously, this worked fine and the webserver became reachable to the outside world. Now the problem became apparent when I tried to access the webserver by domain name from my internal LAN - it didn't work. I solved this problem by enabling NAT reflection, and the whole thing started to work properly… with one side effect.

    Here's what happens. The NAT reflection seems to have one side effect. Each time I try to connect from my LAN to an external HTTP server by a DNS name that doesn't exist i.e. instead of actually displaying a "server not found" error I get rerouted to my local webserver, which displays a forbidden message: "You don't have permission to access / on this server". My server logs confirm the connections. Ironically, the .com domains seem to trigger the proper "server not found" errors, but every other type (.net, .org, .us, .eu, .cn, etc.) seems to forward me to my local httpd server. Could this be because my own domain also ends with .com? When I turn off NAT reflection, I get proper "server not found" errors for all domains, but I cannot access my own web server...

    Any ideas what's causing it and how to fix it?


  • Presumably, your clients in the LAN are configured to use the pfSense box as a DNS server.
    If so, turn off NAT reflection and do the following:

    Go to:  Services -> DNS Forwarder

    Manually add a Host and set the Domain to the domain name.  For the IP address, set it to the webserver's internal IP.

    This will redirect your LAN clients to the internal IP of the webserver when they request its domain name. External requests are not affected since they don't use your pfSense box as a DNS lookup server.
    Note that any clients on the network that don't use the pfSense box as a primary DNS server are also unaffected by this change.

  • Yes, the pfSense box is a DHCP and a local DNS server. While your suggestion did not work for me, I think I know what's wrong. I connected to the network with my Linux laptop and did some debugging. It turns out that the DHCP server passes some extra domain stuff to its DHCP clients upon registration. I did a cat of /etc/resolv.conf and got:


    If I do an nslookup of an existing domain, it returns a proper IP address, while doing the same for a non-existing domain i.e. returns, and the IP is that of my router's WAN interface. Manually removing the domain and search lines from resolv.conf seems to fix the problem. With NAT reflection turned on I get proper errors now.

    Now I just have to figure out how to fix the DHCP not to serve those domain lines.
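The last post's diagnosis (a `domain`/`search` line handed out by DHCP, after which non-existent names resolve to the WAN address) comes down to how the stub resolver qualifies a name before querying. The script below is an added example, not code from this thread or from pfSense: it parses a constructed resolv.conf, builds the candidate list the way glibc does by default (a name with at least one dot is tried as given first, then with each search suffix appended), and resolves the candidates against a constructed answer table. The domain `home.example.com`, the addresses, and the wildcard entry that answers any name under the search domain with the WAN address are all assumptions made up to reproduce the symptom; the thread does not say what record produced the answer on the real box. The last function is the check a practitioner would want: it flags any search suffix under which an arbitrary label still gets an answer.

```python
"""Model how a resolv.conf search list qualifies a name before lookup.

Constructed example. Resolver rules follow glibc's default behaviour
(ndots:1). The resolv.conf text, the zone data, the domain
'home.example.com' and all addresses are placeholders, not values from
the thread.
"""

# Constructed resolv.conf of the kind a DHCP client ends up with when the
# server hands out a domain name (placeholder domain).
RESOLV_CONF = """\
nameserver 192.168.1.1
domain home.example.com
search home.example.com
"""

# Constructed answer table standing in for the forwarder's responses.
# '*.home.example.com' models a wildcard record (an assumption) that answers
# any name under the search domain with the router's WAN address.
ZONE = {
    "www.home.example.com": "192.168.1.10",   # host override for the web server
    "*.home.example.com": "203.0.113.5",      # wildcard -> WAN IP (placeholder)
    "www.example.net": "198.51.100.7",        # an ordinary external site
}


def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", ";")):
            continue
        key, args = fields[0], fields[1:]
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("domain", "search"):
            # The last 'domain' or 'search' directive seen replaces the list.
            search = args[:1] if key == "domain" else args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidate_names(name, search, ndots=1):
    """List the fully qualified names the resolver will try, in order."""
    if name.endswith("."):
        return [name.rstrip(".")]          # trailing dot: absolute, no search
    absolute = [name]
    qualified = ["%s.%s" % (name, suffix) for suffix in search]
    # Enough dots -> try the name as given first, then the search list;
    # too few dots -> search list first, then the bare name.
    if name.count(".") >= ndots:
        return absolute + qualified
    return qualified + absolute


def lookup(fqdn, zone=ZONE):
    """Resolve one name against the constructed zone, honouring wildcards."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    # A DNS wildcard matches any name below it, however many labels deep.
    for i in range(1, len(labels)):
        hit = zone.get("*." + ".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def resolve(name, resolv_conf=RESOLV_CONF, zone=ZONE):
    """Return (queried_name, address) for the first candidate that answers."""
    _, search, ndots = parse_resolv_conf(resolv_conf)
    for fqdn in candidate_names(name, search, ndots):
        addr = lookup(fqdn, zone)
        if addr is not None:
            return fqdn, addr
    return None, None


def search_domain_wildcard_risk(resolv_conf=RESOLV_CONF, zone=ZONE):
    """Flag search suffixes under which a made-up label still gets an answer.

    That is the condition that turns a typo or an unknown domain into a
    connection to whatever the wildcard points at (here, the WAN address).
    """
    _, search, _ = parse_resolv_conf(resolv_conf)
    return [s for s in search if lookup("probe-does-not-exist." + s, zone)]


if __name__ == "__main__":
    for n in ("www.example.net", "nonexistent.org", "nonexistent.org."):
        print(n, "->", resolve(n))
    print("search domains answering for any label:", search_domain_wildcard_risk())
```

Run as-is, `nonexistent.org` is answered only after the search suffix is appended, which is the path that lands a LAN client on the local web server; the same name with a trailing dot (`nonexistent.org.`) is tried absolutely and gets no answer, matching the thread's observation that removing the `domain`/`search` lines makes the errors come back.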
