    NAT Reflection Issue w/ LAN Host

      mgc6288

      Hosting websites and decided it was time to upgrade my pfSense box. Damn has this been painful. Probably just one little click that I am just not able to find.

      Websites are viewable from the outside but from within the LAN they are not. The old pfSense box I simply enabled Pure NAT and checked NAT Reflection for 1:1 NAT and Automatic Outbound NAT for Reflection. All good.

      This time around it isn't working. Technically, I can select NAT + proxy and it works, but I'd like to know what I am missing and go back to Pure NAT.

      I've gone through my DHCP, DNS, Rules, and NAT (Port Forward & Outbound) settings a million times in comparison. I'm just not seeing it.

      Any idea what would block Pure NAT from working but would be bypassed when NAT + proxy is enabled? Thank you.

        Jaritura

        @mgc6288

        That behavior points to how pfSense handles hairpin connections. When internal hosts resolve a public FQDN to the external address, the return traffic never leaves the LAN segment, so without a proper DNS override it gets dropped.

        In Pure NAT mode, pf builds a loopback path using the outbound NAT table. If the LAN interface doesn’t have a matching outbound translation or hairpin NAT isn’t bound to that interface, you’ll see the traffic sent to lo0 or simply fail. That’s why switching to NAT + proxy appears to work, because the proxy intercepts before routing.

        Add a host override in DNS Resolver so LAN clients resolve to the internal IP instead of the public one, or ensure there is an outbound NAT entry for your LAN subnet that matches the external IP you are reflecting.

        https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
        https://pingmynetwork.com/network/ccna-200-301/nat-overload-cisco

          mgc6288 @Jaritura

          @Jaritura Thank you for your reply! I replicated the settings from my former pfSense box to the new one and confirmed what you said above. I'm still missing something.

          On both systems I have Pure NAT, Enable NAT Reflection for 1:1 NAT, and Enable automatic outbound NAT for Reflection selected.

          Firewall -> Rules -> WAN has the required ports forwarded
          IPV4 TCP/UDP * * Server IP 80 * none

          Firewall -> NAT -> Port Forward: the same required ports are forwarded
          WAN TCP/UDP * * WAN address 80 Server IP 80

          Firewall -> NAT -> Outbound I have both set to Automatic outbound NAT rule generation mode along with two Mappings for each subnet:

          WAN "Network subnet" * * 500 WAN address * (Not sure why this is here? Not knowingly using IPSec)
          WAN "Network subnet" * * * WAN address *

          Neither is using a DNS Resolver

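As an added illustration (not posted by either participant, and not pfSense's own generated ruleset), the following hand-written pf rules show what the three pieces discussed in this thread amount to for a TCP/80 forward: the WAN port forward, the Pure NAT reflection redirect on the LAN side, and the automatic outbound NAT that keeps the hairpinned reply flowing back through the firewall. Interface names and all addresses are assumed placeholders.

```pf
# Added example: pf equivalent of pfSense "Pure NAT" reflection for a TCP/80
# port forward. Interface names and addresses below are assumptions.
ext_if  = "em0"            # WAN
int_if  = "em1"            # LAN
wan_ip  = "203.0.113.10"   # public address (placeholder, documentation range)
lan_net = "192.168.1.0/24"
server  = "192.168.1.50"   # web server on the LAN (placeholder)

# 1. The ordinary port forward: Internet clients hitting the WAN address.
rdr on $ext_if proto tcp from any to $wan_ip port 80 -> $server port 80

# 2. Pure NAT reflection: LAN clients that resolve the public FQDN to $wan_ip
#    send the request in through the LAN interface, so the same redirect has
#    to exist there. Without it the packet is delivered to the firewall's own
#    WAN address and never reaches the server.
rdr on $int_if proto tcp from $lan_net to $wan_ip port 80 -> $server port 80

# 3. "Automatic outbound NAT for Reflection": after the redirect, source-NAT
#    the hairpinned connection to the firewall's LAN address. Otherwise the
#    server sees the client's real LAN IP and answers it directly; that reply
#    bypasses pf, and the client discards a SYN-ACK arriving from $server
#    rather than from $wan_ip. A missing or mismatched outbound entry for the
#    LAN subnet is the failure mode the reply above describes.
nat on $int_if proto tcp from $lan_net to $server port 80 -> ($int_if)

# Checks (real pfctl commands): list the loaded NAT/rdr rules, then confirm a
# reflected connection creates states towards the server on the LAN side.
#   pfctl -sn
#   pfctl -ss | grep 192.168.1.50
```

If `pfctl -sn` shows the WAN `rdr` but no LAN-side `rdr`/`nat` pair for the reflected port, the reflection options have not been applied to the rule in question.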
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.