Netgate Discussion Forum
    RESOLVED: 2.0.2 - NAT reflection does not work on same internal iface

tata_tulen:

      Hi all,
I have pfSense 2.0.2 with multi-LAN (6) and multi-WAN (2) interfaces. I use only 1:1 NAT.

I have NAT reflection turned on for both port forwards and 1:1 NAT; however, I cannot communicate from one internal server to another if both are on the same subnet (and routed via the same pfSense interface). NAT reflection does work between servers routed via two different pfSense interfaces.

I need it for correct SMTP traffic: the servers are two dedicated Postfixes with tens and hundreds of SMTP domains (so the split-DNS method or transport mapping in Postfix is not usable in this case).

      Is there any way to make two servers on the same subnet and routed via the same pfSense interface reachable for each other using public IP?

      Thanks!
      -tt-
jimp (Rebel Alliance Developer, Netgate):

        What exact options do you have checked/unchecked in the NAT reflection setup?

It's always best to use the private IPs if you're inside, though. NAT reflection can get a little ugly and have unintended side effects.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

tata_tulen:

          Hello jimp,

          I've unchecked 'Disable NAT Reflection for port forwards' and 'Disable NAT Reflection for 1:1 NAT' options in System -> Advanced. All 1:1 NAT rules have 'use system default' NAT reflection option selected.

With tcpdump on the internal interface I can see these packets:

21:23:45.874475 IP 192.168.100.5.51889 > a.b.c.27.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286651239 ecr 0,nop,wscale 5], length 0
21:23:45.874524 IP 192.168.100.5.51889 > 192.168.100.38.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286651239 ecr 0,nop,wscale 5], length 0
21:23:48.874061 IP 192.168.100.5.51889 > a.b.c.27.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286651989 ecr 0,nop,wscale 5], length 0
21:23:48.874082 IP 192.168.100.5.51889 > 192.168.100.38.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286651989 ecr 0,nop,wscale 5], length 0
21:23:54.874297 IP 192.168.100.5.51889 > a.b.c.27.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286653489 ecr 0,nop,wscale 5], length 0
21:23:54.874324 IP 192.168.100.5.51889 > 192.168.100.38.25: Flags [S], seq 1228482488, win 5840, options [mss 1460,sackOK,TS val 1286653489 ecr 0,nop,wscale 5], length 0

a.b.c.27 is the external IP address of 192.168.100.38.

I'd like to use the internal IP, but neither split DNS nor transport mapping in Postfix can be managed manually, so I have to use NAT reflection...
          

          -tt-

jimp (Rebel Alliance Developer, Netgate):

            Make sure you check "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from."

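The tcpdump above shows why the extra option matters: each SYN to a.b.c.27 is rewritten to 192.168.100.38 (the second line of every pair) but keeps its original source 192.168.100.5, so the server answers the client directly on the LAN, the client sees a SYN-ACK from .38 instead of a.b.c.27 and drops it, and the SYN is retransmitted. The rule that the "Automatically create outbound NAT rules ..." option adds also rewrites the source to the firewall's LAN address, so the reply returns through pfSense and both translations are undone. The following hand-written pf(4) ruleset is an added illustration of that mechanism, not the rules pfSense generates (pfSense implements 1:1 NAT with binat and builds its reflection rules itself); the LAN interface name em1 is an assumption, the addresses follow the thread.

```pf
# Added example: pf(4) equivalent of NAT reflection for the 1:1 mapping
# a.b.c.27 <-> 192.168.100.38 on a single LAN, including the hairpin rule.
# Not pfSense-generated; "em1" as the LAN interface is assumed.
lan_if  = "em1"
lan_net = "192.168.100.0/24"
pub_ip  = "a.b.c.27"
srv_ip  = "192.168.100.38"

# 1. Reflection: a LAN host connecting to the public address gets the
#    destination rewritten to the internal server. On its own this yields
#    192.168.100.5 -> 192.168.100.38, the server replies to .5 directly,
#    and the client discards a SYN-ACK that does not come from a.b.c.27.
rdr on $lan_if proto tcp from $lan_net to $pub_ip port 25 -> $srv_ip port 25

# 2. Hairpin: the rewritten packet leaves via the same interface, so also
#    rewrite its source to the firewall's LAN address. The server now replies
#    to the firewall, which reverses both translations for the client.
nat on $lan_if proto tcp from $lan_net to $srv_ip port 25 -> ($lan_if)

# 3. Filtering happens after translation on inbound, so pass the translated
#    destination, not the public one.
pass in on $lan_if proto tcp from $lan_net to $srv_ip port 25 keep state
```

To confirm the hairpin is active, repeat the capture from the thread (`tcpdump -ni em1 host 192.168.100.38 and port 25`): the SYN towards .38 should now carry the firewall's LAN address as its source, followed by the server's SYN-ACK back to that address. The side effect jimp alludes to is visible right there: Postfix on .38 sees every reflected connection as coming from the firewall's LAN IP, so client-based restrictions such as mynetworks or per-client rate limits and the sender address in the mail logs no longer identify the real internal client, which is a good reason to prefer the private IP wherever the mail routing allows it.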
tata_tulen:

              Damned, you got it - I had it unchecked… I've checked it and it seems to work as expected!

              Thanks!

              -tt-

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.