NAT Reflection Port - Help



  • Hi,

    Currently, port 9981 is being forwarded from the external IP (98.169.x.x:9981) to the internal IP (10.0.0.50:9981).

    While inside the LAN, one of the server's clients requires an external IP address to connect to the server locally.  And this client uses port 9981 to connect to the server.  Note: all these actions are happening within the LAN.  And this client does not have the capability to change the port number.  It looks like port 9981 is hardwired into the program.

    Since this is all within the LAN (behind the router), what is happening now is that when I use the external IP (98.169.x.x) to connect to the server (10.0.0.1) through the client (10.0.0.50), the server log always shows I am connecting from 10.0.0.1 (Gateway/Router).  And when the server wants to send data back to the client, the data is being sent to 10.0.0.1 (Gateway/Router).

    I need to be able to login with (98.169.x.x:9981) in the LAN.

    I understand that NAT reflection does not work for large ranges (>500 ports).  This is why I am having this problem.  Now my question is, would I define the port range specifically?  So, I would forward the external IP (98.169.x.x:9981) to the internal IP (10.0.0.50:9981) inside the router?

    If not, how would I set up the "Split DNS" to accommodate the large port ranges?

    Thank you for looking.



  • @bczeon27:

    Since this is all within the LAN (behind the router), what is happening now is that when I use the external IP (98.169.x.x) to connect to the server (10.0.0.1) through the client (10.0.0.50), the server log always shows I am connecting from 10.0.0.1 (Gateway/Router).  And when the server wants to send data back to the client, the data is being sent to 10.0.0.1 (Gateway/Router).

    I need to be able to login with (98.169.x.x:9981) in the LAN.

    I seem to recall seeing this gateway-as-the-source behavior on Linux-based routers, too (when the client is on the same network as the server being forwarded to).  I'm not completely sure I'm remembering it right, though.



  • I think this behavior happens because reflection works by setting up processes on pfsense that accept the redirected connections to the WAN IP on the desired port - those processes then connect to the LAN host on the desired port and forward data back and forth.  Not sure there is a way to avoid that.  Split DNS is likely the answer then.



  • Would you be able to give me a reference as far as how I would set up a Split DNS in PFsense?



  • It isn't in pfsense.  Your hosts inside the LAN need to have hosts files (or access to an inside DNS server) that will serve up the internal IP.  Google for split DNS and you should get some helpful ideas.



  • Well you can do it with pfSense, if your clients use the pfSense as DNS server:
    –> http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F



  • Thank You guys.  I will try to work on that today.

    By the way, someone in the forum mentioned changing the range of ports in NAT Reflection.  How do you achieve that in PFsense?



    Split DNS would not work.  The program client only accepts IP addresses for input.

    I guess I am stuck.  Will I have to get a different router for a solution?



  • Why can't you just plug in the internal IP address then?  What am I missing here?



  • This software requires the public IP.  Otherwise, the user can't connect correctly from the outside.

    When I use the external IP (98.169.x.x) to connect to the server (10.0.0.1) through the client (10.0.0.50), the server log always shows I am connecting from 10.0.0.1 (Gateway/Router).  And when the server wants to send data back to the client, the data is being sent to 10.0.0.1 (Gateway/Router).  I need to be able to login with (98.169.x.x:9981) in the LAN.

    All I need to do is be able to forward 9981 correctly with NAT Reflection.  Is it possible when Split DNS doesn't work?



  • But in the case in question, you are inside the LAN, so can't you use the internal IP in that situation?  As I said, given how NAT reflection works, I don't think this can work without the source being the pfsense.



  • Maybe I'm missing something, but port 9981 is not a large port range, it's a single port. The actual port number shouldn't matter at all. I don't understand why NAT Reflection as built-in to pfSense wouldn't work in this case. I've done it before (for under 10-15 reflected ports in my case for things like an Exchange server), the limit is either ranges containing over 500 ports, or reflecting more than 500 ports total, I'm not sure. But either way, I don't see why publicIP:9981 to privateIP:9981 reflecting automatically won't work if you turn on NAT Reflection. It should Just Work once it's on. Happy to be corrected if I'm wrong though.



  • David, you might have got something there.  Maybe something that you have changed in the settings?

    This is a huge problem for me.  Before I used NAT Reflection, when I typed the external IP in the browser, the browser would bring me to the router login page, which is 10.0.0.1.  This problem has been resolved with NAT Reflection.

    However, when I use the external IP (98.169.x.x) to connect to the server (10.0.0.1) through the client (10.0.0.50) on port 9981, the server log always shows I am connecting from 10.0.0.1 (Gateway/Router).  And when the server wants to send data back to the client, the data is being sent to 10.0.0.1 (Gateway/Router).



  • I think you misunderstood David.  He doesn't have a problem, he is saying nat reflection should work.  On the other hand, I think he missed that it isn't that reflection doesn't work, but that you want the real IP, not the firewall's.  However, as I've said already, I don't think you can get that to work, and you never answered my question about why you aren't using the internal IP when you are inside.



  • Dan, you are right, and good catch. I missed that it's the IP that's important. But port forwarding from outside the firewall in wouldn't show the firewall's WAN address either as the source. I agree I don't see a way for requests to appear to come from the original LAN or WAN IP with reflection. Split DNS would give you the LAN IP of the client as the source if it was usable, and wouldn't touch the firewall. I don't see a way to do what bczeon wants without custom code, but I'd consider it a bug in the software not the firewall :-)



  • Yeah, unfortunately, the individual processes doing the netcat is how pfsense does reflection.  I don't see anyone changing that anytime soon (then again, I haven't looked at any open tickets that might contradict that statement LOL).



  • I've actually worked on an alternate implementation with just pf rules.  It is currently being used when you enable reflection on 1:1 mappings on 2.0 beta (where it probably isn't reasonable to use inetd + netcat for every single port), but might be used for port forwards (or possibly both available for port forwards?) when I finish some things on it.

    That implementation does send the correct source IP when the server is on a different interface than the client (and later versions will when just on a different subnet).  However, I've tried setting the source IP to the WAN IP, but it just doesn't work.  I thought it might work, but the network stack (or pf?) must be blocking the reply since it is to a different IP address.  I have not yet tried playing around with the built-in firewall rules to see if there is some way to get it working.
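    The two translation rules that a pf-only reflection for this port forward boils down to, as an added illustration (not from this thread or from the pfSense project's actual rule set); interface names, the placeholder WAN address and the LAN client address are assumptions:

    ```pf
    # Assumed for this example: em0 = WAN, em1 = LAN (not from the thread).
    wan_if  = "em0"
    lan_if  = "em1"
    lan_net = "10.0.0.0/24"
    wan_ip  = "98.169.0.1"      # placeholder standing in for 98.169.x.x
    srv     = "10.0.0.50"       # the host the forward points at

    # Normal inbound port forward from the Internet. The server sees the
    # real remote address here because the reply must pass back through
    # the firewall anyway.
    rdr on $wan_if proto tcp from any to $wan_ip port 9981 -> $srv port 9981

    # Reflection (hairpin) for LAN clients that dial the public IP:
    # 1) rewrite the destination so the packet reaches the real server...
    rdr on $lan_if proto tcp from $lan_net to $wan_ip port 9981 -> $srv port 9981

    # 2) ...and rewrite the source to the firewall's LAN address (10.0.0.1).
    # Without this, the server would receive a packet "from 10.0.0.20"
    # (a constructed LAN client) and answer it directly over the switch.
    # The client expected its reply from 98.169.x.x, not 10.0.0.50, so
    # it would reset the connection. This source rewrite is exactly why
    # the server log shows 10.0.0.1 as the connecting host.
    nat on $lan_if proto tcp from $lan_net to $srv port 9981 -> ($lan_if)

    # Let the redirected connection through the LAN interface.
    pass in quick on $lan_if proto tcp from $lan_net to $srv port 9981 keep state
    ```

    The source rewrite in step 2 can be dropped only when client and server sit on different interfaces or subnets, because then the server's reply is routed back through the firewall and the state matches without it; on a single flat LAN the gateway will always appear as the source.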



  • Isn't the issue that the web server is looking at the host address in the HTML header, not the IP transmission info?

    In reality, the request could appear to be destined for any IP address, but the destination address typed in the browser must be http://98.169.xxx.xxx,
    in the same way you use host header info to host multiple websites on one server.

    If the web server were configured to look for a host name rather than an IP address, you could use Split DNS. If the web server cannot be configured to do this, you must either use NAT reflection or possibly some sort of HTML proxy to rewrite the HTML header?

