Problem with Connecting to 1:1 NAT IP from LAN
Ever since I installed my pfSense firewall last week I have been having problems connecting to my server in house through its external IP/DNS Name
I am running pfSense 1.2.3 on a Alix 2D3
My LAN side is 192.168.99.0
My WAN is PPPoE (DSL) and gets a dynamic IP
I have my server, 192.168.99.2 1:1NAT'd to a static IP, 126.96.36.199
I have an A record, server.domain.com pointed to 188.8.131.52
I have a few port forwards to the server, port 80, 443
From outside I can connect to the HTTP and HTTPS server fine by domain name or IP
The problem is when I am on my LAN on the indide of the pfSense, 85% of the time I cannot connect to server.domain.com or 184.108.40.206, it just times out, I can though however connect to 192.168.99.2 or the internal dns name. On very few occations it will go through and connect for a small amount of time, then after a while it will just time out and not connect.
Anyone know whats going on? I did not have these problems with my SonicWall TZ170 that the pfSense replaced
anyone have any ideas?
I think the problem is that 1:1 NAT doesn't get along with NAT reflection. I would just use the port forward rules and everything should work fine.
Here is a link to a pfSense Documentation article about the problem.
Hope this helps.
Efonnes last edited by
The extra rules that the NAT reflection feature adds when enabled are only added for port forwards.
It seems to work if I keep the 1:1 nat and then instead of making a "Firewall: Rules" for port 80 I make a "Firewall:NAT: Port Forward" rule instead. What is the difference between the 2? If I make a "Firewall:NAT: Port Forward" do I need to also make a "Firewall: Rules" entry? These 2 options seem to do the same thing? Can anyone explain?
Port forward rules override 1:1 NAT.
Port forward rules map a external port to an internal systems IP and port.
Firewall rules grant or deny access based on criteria.
Both are required for a port forward rule to work. The port forward rule creates the mapping and the firewall rule allows packets that match to pass on to the port forward.
I think the reason they seem to do the same is because when you create a port forward rule by default an option is selected to create a corresponding firewall rule.
so do you think that a firewall rule and a nat port forward rule of the same thing would fix my problem that I described in my first post?
Yes. All you should have to do is create a port forward rule and make sure "Auto-add a firewall rule to permit traffic through this NAT rule" at the bottom is selected(it is by default).
Thanks! so far so good
Efonnes last edited by
The reason that works is that NAT reflection is only supported for port forwards, which is why you need the port forwards to access them locally in the first place. I'm working on something that would also work for 1:1 NAT rules (I've already got it figured out and just need to finish coding it), but I don't know whether it will be included in 2.0 (or any other version). I may make it available as a package for 2.0 at least, and may even backport it as a package for 1.2.3. If someone (or multiple people) wants to sponsor it, I might be more likely to consider backporting it to 1.2.3.