Netgate Discussion Forum

    1:1 NAT Reflection – wrong firewall rules applied – pfSense 2.0.1

    5 Posts 3 Posters 3.6k Views
    • crzyfry

      Hi,

      NAT 1:1 Reflection is working so far, but it seems like pfSense does not apply any firewall rules
      -> all ports are reachable from the LAN using the public 1:1 NATted IP from a server in the DMZ.

      Of course the firewall rules work correctly if I want to connect from the WAN.

      Is this behavior intended? Or is this a bug, or did I mess something up?
      Btw., I'm using pfSense 2.0.1.

      Thx

    • podilarius

      The way in which NAT reflection is done means that the packets will never reach the WAN rules. If you want to block internal users, then you are going to have to write LAN rules to cover that or, better, use a firewall on the server. Security is not really something to worry about on NAT reflection, as a user can usually just use the internal address to circumvent any restrictions you put at the perimeter. The only way to truly block is to put a firewall on the server.

    • crzyfry

      It's true, it circumvents any firewall restrictions I put on the WAN or LAN.
      So I think NAT Reflection is not useful, because it reflects nothing correctly.
      At least the 1:1 NAT Reflection is of no use at all.

      The only way may be to put rules for the external IP on the LAN interface.
      But that is too much overhead, so 1:1 NAT Reflection is a totally insecure thing.

    • Efonnes

      If you want to block access from local systems, you need to add rules for that. The rules should reference the local IP of the server. If you don't want to duplicate rules, use floating rules with "quick" turned on if you want them to match in the same order they usually do on other rule tabs, set direction to "in", and select all the interfaces you want the rules to apply to.

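      As an added illustration of podilarius's and Efonnes's advice (this ruleset is not from the thread or from pfSense itself), here is the same situation written in pf rule syntax, the form pfSense compiles its GUI rules into. The interface names, addresses and ports are assumed for the example. It shows why a reflected connection from the LAN never consults the WAN rules (it enters on the LAN interface, and by the time pf filters it, NAT has already rewritten the destination to the server's internal address), and how one floating rule, quick, direction in, across every internal interface and written against the internal IP, covers all of them without duplicating per-interface rules.

```pf
# Added example, not pfSense-generated output. Assumed names and addresses:
#   em0 = WAN, em1 = LAN, em2 = DMZ
#   203.0.113.10 = public 1:1 NAT address, 10.0.2.10 = the DMZ server's internal IP
wan     = "em0"
lan     = "em1"
dmz     = "em2"
srv_pub = "203.0.113.10"
srv_int = "10.0.2.10"
mgmt_ports = "{ 22, 3389 }"

# 1:1 NAT on the WAN, plus the same bidirectional mapping on the internal
# interfaces so that internal hosts can reach the server via its public address
# (this is the effect of enabling 1:1 NAT Reflection; exact generated rules differ).
binat on $wan from $srv_int to any -> $srv_pub
binat on $lan from $srv_int to any -> $srv_pub
binat on $dmz from $srv_int to any -> $srv_pub

# WAN rules: what the original poster expected to protect the server.
# Filtering happens after translation, so even these reference the internal IP.
# A LAN host connecting to 203.0.113.10 arrives "in on $lan", so none of
# these rules are ever evaluated for it.
block in on $wan proto tcp from any to $srv_int port $mgmt_ports
pass  in on $wan proto tcp from any to $srv_int port 443

# Floating rule equivalent: "quick" so the first match wins (like the
# per-interface tabs), direction "in", listed for every internal interface,
# and matching the server's INTERNAL address because NAT has already
# rewritten the destination. One rule covers every path to the server,
# including a LAN host that simply uses 10.0.2.10 directly.
block in quick on { $lan $dmz } proto tcp from any to $srv_int port $mgmt_ports
pass  in quick on { $lan $dmz } proto tcp from any to $srv_int port 443
```

      The order of the two floating lines matters because of "quick": the block for the management ports must come before the pass for 443, otherwise a later rule would never be reached. Note also that this only restricts traffic that crosses pfSense; a host on the same subnet as the server never traverses the firewall at all, which is the point podilarius makes about putting a firewall on the server itself.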
    • crzyfry

      Thank you, I'll try the floating thing.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.