Diagnosing NAT reflection problems?
-
How can I diagnose NAT reflection failures?
I already know it's set correctly in the GUI because it works some of the time. Then it will just … stop, and systems inside the firewall can no longer access forwarded services on the external interface, then I get a phone call from each user at the site. I scratch my head, boot the firewall (sometimes 2-3 times), and it works for a while.
Based on the number of questions related to NAT reflection, plus the number of people who have issues with NAT reflection, I'd like to see a (sticky!) step-by-step shell-based procedure for diagnosing the cause.
Maybe it's something I'm doing wrong. Maybe it isn't. Maybe it's something I can fix and document. It's not covered in my dog-eared copy of "pfSense The Definitive Guide…"!
-
Here is one HUGE, guaranteed cause of random NAT reflection failures:
Add RTP NAT forwarding for Jabber while the System Default is set to use reflection. That will do it.
(For those not familiar, RTP uses UDP ports in a vast range, e.g., 10000-20000, far too many for pfSense to manage reflection.)
Perhaps it's a bad idea to have system-wide reflection? I'm not a novice (I'd like to think). I know that reflection can't be used for more than around 500 ports, and still I made this mistake. I may be an idiot, but I'm not new at it.
I just fixed my random reflection failure by disabling reflection for my RTP forwards.
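For the shell-based check the question asks for, here is an added example that is not part of either post above and not a pfSense tool: a POSIX sh script that reads pf `rdr` rules in the form `pfctl -sn` prints them (`port X:Y` for a range, `port = N` for a single port) and flags any port forward whose range is wider than the ~500-port ceiling the answer mentions for reflection. The limit, the sample rules, the interface name `em0` and the addresses are all constructed for the example; port lists in braces are not handled.

```sh
#!/bin/sh
# Added example (not from the original posts): flag pf rdr rules whose
# destination port range is too wide for pfSense NAT reflection.

# Ceiling taken from the answer above ("around 500 ports"); adjust to taste.
REFLECTION_PORT_LIMIT=500

# Number of ports covered by a pf port spec: "443" -> 1, "10000:20000" -> 10001.
port_span() {
    case "$1" in
        *:*) lo=${1%%:*}; hi=${1##*:}; echo $((hi - lo + 1)) ;;
        *)   echo 1 ;;
    esac
}

# Read rdr rules on stdin (one per line, as printed by `pfctl -sn`) and emit
# "<ports>|ok|<rule>" or "<ports>|TOO_LARGE|<rule>" for each one.
# The destination port spec is the token after "to <addr> port", with an
# optional "= " that pf prints for single ports.
check_rdr_rules() {
    while IFS= read -r line; do
        case "$line" in
            rdr*) ;;
            *) continue ;;   # skip nat/binat rules, comments, blank lines
        esac
        spec=$(printf '%s\n' "$line" |
            sed -n 's/.* to [^ ]* port \(= \)\{0,1\}\([^ ]*\) -> .*/\2/p')
        [ -n "$spec" ] || continue
        n=$(port_span "$spec")
        if [ "$n" -gt "$REFLECTION_PORT_LIMIT" ]; then
            echo "$n|TOO_LARGE|$line"
        else
            echo "$n|ok|$line"
        fi
    done
}

# Constructed sample: a web forward, a SIP signalling forward and an RTP
# forward like the one described in the answer. Not real pfctl output.
SAMPLE_RULES='rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = 443 -> 10.0.0.5 port 443
rdr pass on em0 inet proto udp from any to 203.0.113.10 port = 5060 -> 10.0.0.6 port 5060
rdr pass on em0 inet proto udp from any to 203.0.113.10 port 10000:20000 -> 10.0.0.6 port 10000:20000'

printf '%s\n' "$SAMPLE_RULES" | check_rdr_rules
```

On a live pfSense box, source the script (`. ./check_rdr.sh`) and run `pfctl -sn | check_rdr_rules` to scan the active ruleset; any line marked TOO_LARGE is a forward that should have reflection disabled on the rule itself rather than inherit the system default.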