1:1 NAT Reflection – wrong firewall rules applied -- pfSense 2.0.1

  • Hi,

    NAT 1:1 Reflection is working so far. But it seems like pfSense does not apply any firewall rules
    -> All ports are reachable from the LAN using the public 1:1 NATted IP from a server in the DMZ.

    Of course the firewall rules work correctly if I want to connect from WAN.

    Is this behavior intended? Or is this a bug, or did I mess something up?
    Btw. I'm using pfSense 2.0.1


  • The way in which NAT reflection is done means that the packets will never reach the WAN rules. If you want to block internal users, then you are going to have to write LAN rules to cover that or, better, use a firewall on the server. Security is not really something to worry about on NAT reflection, as a user can usually just use the internal address to circumvent any restrictions you put at the perimeter. The only way to truly block is to put a firewall on the server.

  • It's true it circumvents any firewall restrictions I put on the WAN or LAN.
    So I think NAT Reflection is not useful, because it reflects nothing correctly.
    At least the 1:1 NAT Reflection is of no use at all.

    The only way, maybe, is to put rules for the external IP on the LAN interface.
    But that is too much overhead, so 1:1 NAT Reflection is a totally insecure thing.

  • If you want to block access from local systems, you need to add rules for that. The rules should reference the local IP of the server. If you don't want to duplicate rules, use floating rules with "quick" turned on if you want them to match in the same order they usually do on other rule tabs, set direction to "in", and select all the interfaces you want the rules to apply to.
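
The floating-rule approach described in the reply above, written out as an equivalent hand-written pf.conf fragment. This is an added illustration, not pfSense's generated ruleset and not from the thread; interface names, addresses and the blocked port are assumed placeholders.

```pf
# Constructed example: placeholder interfaces and addresses for a
# pfSense 2.0-era (pre-4.7 pf syntax) ruleset.
ext_if = "em0"          # WAN
int_if = "em1"          # LAN
dmz_if = "em2"          # DMZ, where the server lives
server = "10.10.10.5"   # internal (DMZ) address of the server
pub_ip = "203.0.113.5"  # public address mapped 1:1 to the server

# 1:1 NAT on WAN: the public address is mapped to the server both ways.
binat on $ext_if from $server to any -> $pub_ip

# NAT reflection for LAN clients: a LAN connection to the public address
# is rewritten to the server's local IP *before* filtering runs. The
# packet enters on $int_if, so rules on $ext_if never see it; that is
# why the WAN rules appear to be ignored.
rdr on $int_if proto tcp from $int_if:network to $pub_ip -> $server

# Equivalent of a floating rule with "quick" enabled, direction "in",
# applied to both internal interfaces. It must match the server's local
# IP, since the destination has already been translated by the rdr.
block in quick on { $int_if $dmz_if } proto tcp from any to $server port 3389

# Per-interface rules, evaluated only if no "quick" rule matched above.
# Without the block rule, the permissive LAN rule would let reflected
# traffic reach every port on the server.
pass in on $ext_if proto tcp from any to $server port { 80 443 }
pass in on $int_if from $int_if:network to any
pass in on $dmz_if from $dmz_if:network to any
```

Because the rdr and binat rewrite addresses before the filter stage, a rule that tried to match `$pub_ip` on the LAN side would never fire; referencing `$server` is what makes the block effective.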

  • Thank you, I'll try the floating thing.
