PFSense 2.1 Release - NAT Reflection not working



  • I have PFSense 2.1 Release installed. I have PFSense set up with 2 adapters (WAN & LAN). I have configured port forwarding to forward port 25 from the WAN IP address to an internal address. The port forwarding works fine. I am trying to get NAT Reflection working so that I can hit <external ip>:25 and reach <internal ip>:25, but it is not working. I have made sure to go to System > Advanced > Firewall/NAT and set NAT Reflection mode to Enable (NAT + Proxy), but have also tried it as Enable (Pure NAT). Neither option seems to fix it. I also have "Enable automatic outbound NAT for Reflection" checked. I have also tried altering the NAT forwarding rule and changing the NAT reflection field from "Use system default" to "Enable (NAT + Proxy)", but it still doesn't work.

    Does anyone have any ideas on how to get this to work? Please don't say Split DNS. I do not want to do split DNS; I want NAT Reflection to work.

    Do you need more information?

    Thanks



  • Can you please show us a screen shot of your NAT Rule and the associated firewall rules?


  • WFM. As said above, not enough information here.



  • Here are the pictures of the NAT rules and Firewall rules as well as the edit screen of the Port Forward and Firewall sections for the Port 25 rule.

    ![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)
    ![Firewall Rule 25.PNG](/public/imported_attachments/1/Firewall Rule 25.PNG)
    ![Port Forwards.PNG](/public/imported_attachments/1/Port Forwards.PNG)
    ![Port Foward 25.PNG](/public/imported_attachments/1/Port Foward 25.PNG)



  • Try the NAT rule with NAT reflection (NAT + Proxy)



  • Just tried that but still no good.



  • Question - Did you ever have this working before?



  • No, I started with 2.1 RC (I am new to PFSense) and it didn't work. I hoped the Release version would fix it but it didn't.



  • If you go into a command tool somewhere and type:

    telnet smtp.aol.com 25

    What happens?



  • It waits then times out, same as when I try to test my port-forward using the external address when inside the network (NAT Reflection).



  • Your port 25 is blocked by the ISP, I think.

    I think you are wasting your time, but to be sure, try to check against more mail servers.



  • At the moment the ISP is blocking the port (getting that fixed with ISP shortly), but that is not the point. I am trying to access my internal server via my External address. This should not use the ISPs network, just my internal network, and my PFSense router.

    I should also mention that I am having this problem with NAT Reflection with other ports that have the same configuration but are not blocked by my ISP. I have an exchange server with active sync setup. My cell phone can access my email server when using the cell network but if I am onsite connected to wireless then I can no longer connect to my server. So the problem does appear to be caused by NAT Reflection not working.



  • I'm not sure. Thing is, it works perfectly for me and most people, so I'm thinking it's something unique to either your network, host, or something.

    Is this a real machine?  VM?



  • It is a VM. One other thing I should mention is that the LAN side is a /24 network but has a route to additional subnets that are reachable through it. So it looks like this:

    WAN Side ---- PFSense ---- LAN Network ---- Router ---- Other Subnets including DMZ

    The router will allow the packets to come in from the pfsense box and allows the packets from the server subnet to the PFSense box so it is not blocking anything. The only thing I can think of is that I either have a setting wrong in PFSense or perhaps the NAT Reflection only allows packets to or from the actual LAN network and not the subnets beyond it like the DMZ. If that is the case, is there a workaround or setting change I can make so that it will work the way I want.

    Note: Before I switched to PFSense, I used a WRT54GL running DD-WRT with the same setup and it worked fine as long as I turned on NAT Reflection. When I had NAT Reflection off on the DD-WRT I had the same problems I have now with PFSense. I didn't make any other changes to the switches or routers, just swapped out the WRT54G with a PFSense VM.



  • I don't have the answer for that one.  Is your current version of pfsense 64 bit?



  • Yes, 64-bit. I also did another test: I enabled the Windows 7 Simple TCP/IP Services so that I would get a "quote of the day" if I telnet to port 17, then set up a port-forward and enabled NAT Reflection. I can get to that port from outside the network, and from inside the network using the internal IP address, but still cannot get to it from inside via the external IP. So I know for sure the ISP has nothing to do with it. I also tried putting the Windows machine on the actual LAN subnet and tested again, but it still does not work (ruling out the router and additional subnets).
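
The three-point test in the post above (service reachable from outside, reachable from inside via the internal IP, but not from inside via the external IP) is the standard way to separate an ISP block from a broken reflection path. The script below is an added example, not code from the original post or from pfSense; the addresses, port and verdict strings are placeholders the reader substitutes. It runs the two probes that can be made from a LAN host and takes the result of the outside probe (run from a cell phone or a remote box, as the poster did) as an optional argument.

```python
"""Three-point port-forward probe: separate an ISP block from a NAT
reflection failure.

Added example, not from the original thread and not pfSense's own code.
The verdict strings, argument layout and timeouts are assumptions.
"""
import socket
import sys

OK_REFLECTION = "reflection works"
SERVICE_OR_LAN = "service down or LAN path broken: fix that before looking at reflection"
FORWARD_BROKEN = "forward fails from outside too: ISP block or bad port-forward rule"
REFLECTION_BROKEN = "forward works but external IP fails from inside: NAT reflection path is broken"


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False


def classify(internal_ok, external_from_inside_ok, external_from_outside_ok=None):
    """Map the probe results to the most likely cause.

    internal_ok              : LAN host -> <internal ip>:port
    external_from_inside_ok  : LAN host -> <external ip>:port (the reflected path)
    external_from_outside_ok : Internet host -> <external ip>:port, or None if not run
    """
    if not internal_ok:
        return SERVICE_OR_LAN
    if external_from_inside_ok:
        return OK_REFLECTION
    if external_from_outside_ok is False:
        return FORWARD_BROKEN
    # Outside probe succeeded or was not run: the forward is fine, reflection is not.
    return REFLECTION_BROKEN


def probe(internal_ip, external_ip, port, outside_ok=None):
    """Run the two probes possible from inside the LAN and classify the result."""
    internal_ok = tcp_open(internal_ip, port)
    reflected_ok = tcp_open(external_ip, port)
    return internal_ok, reflected_ok, classify(internal_ok, reflected_ok, outside_ok)


if __name__ == "__main__":
    # usage: python probe.py <internal ip> <external ip> <port> [outside-ok: yes|no]
    internal_ip, external_ip, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    outside = None if len(sys.argv) < 5 else sys.argv[4].lower() == "yes"
    i_ok, r_ok, verdict = probe(internal_ip, external_ip, port, outside)
    print(f"internal {internal_ip}:{port} -> {'open' if i_ok else 'closed'}")
    print(f"external {external_ip}:{port} from inside -> {'open' if r_ok else 'closed'}")
    print(verdict)
```

Run it from a LAN host against the port-17 "quote of the day" forward the poster set up; with the outside probe reported as `yes`, the poster's results (internal open, external-from-inside closed) land on the reflection verdict, which is what rules the ISP out.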



  • Please backup your settings, download the 32bit version install it, restore your settings and try all the same things again.
    This is an experiment.  I've encountered several recent examples of things working fine in 32bit but not in 64bit.
    Please humour me.



  • Tried 32-bit version, still did not work.



  • Well, that's good, for the 64-bit version anyway.

    I really don't know at this point.  Question.

    Can you post your firewall rules for the WAN and LAN?

    (Never mind - I'm an idiot.  I see them)



  • I've seen that gateways have been renamed or changed mysteriously upon upgrade by some.
    In one case it just killed his RRD data.

    In another case the gateway inserted itself into the OpenVPN and WAN firewall rules.

    Could some sort of gateway rename/change/insertion have happened to you?

    I'm reaching…



  • The gateways all seem to be OK. Is there a specific thing I should check? I had this problem before the upgrade as well and that was a new install.



  • As you said earlier, it may be a problem with the way you configured your DMZ. I'm out of SWAGs at this point.
    That's the old Scientific Wild-Ass Guess,
    or in my case the Super Wild-Ass Guess.

    Not the new urban dictionary hijacked swag.


  • Is it possible to have remote access to the thing?



  • No, sorry.



  • You can use teamviewer to remote in if its installed on a connected computer.


  • It would be a lot easier to see what's wrong, since I have NAT reflection here and it's working fine.



  • I would be open to using teamviewer or similar to provide access while I watch but I can't just hand out passwords for remote access, especially to people I don't actually know.



  • You should sit and watch and type all the passwords. That's what is good about TeamViewer. Otherwise I'd just suggest he SSH into your pfSense, proxy back a port and handle it via proxy, which is not smart for you unless you trust a lot.


  • Exactly the way I normally handle remote support to external clients.

    @Daniel.Rollins:

    "I would be open to using teamviewer or similar to provide access while I watch but I can't just hand out passwords for remote access, especially to people I don't actually know."



  • It would be sort of hard to pull a fast one with someone watching every move unless they didn't know anything about the box at all. :P


  • Depending on the setup…. :)

    I don't think it would be that time-consuming. Maybe a couple of hours maximum.



  • When would you be available to do a Team Viewer session and try to figure this out?


  • What part of the world are you in, Daniel?



  • Utah (Mountain Time), currently UTC-6.


  • Perfect. Catch you on PM.


  • Problem solved!



  • I'm dying with curiosity - What was the problem?



  • On the LAN interface configuration, under Static IPv4 Configuration, the gateway should be set to "none", but I had it set to an internal address on my network. I guess it confused PFSense or something. The fix was to set the gateway back to "none".

    Thanks to Supermule for solving that one!
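
The root cause above (a gateway selected on the LAN interface) is easy to miss in the GUI but easy to spot in a backed-up config.xml. The script below is an added example, not from the original post and not pfSense's own code. It assumes the pfSense 2.x config.xml layout, where each interface under `<interfaces>` carries an optional `<gateway>NAME</gateway>` element, and the pfSense behaviour that an interface with a gateway selected is treated as a WAN-type interface when rules (including the automatic reflection and outbound NAT rules) are generated. `SAMPLE_CONFIG` is a constructed fragment that reproduces the thread's mistake, not a real export.

```python
"""Audit a pfSense config.xml for internal interfaces that have a gateway set.

Added example, not from the original thread and not pfSense's own code.
Assumes the pfSense 2.x config.xml layout; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the misconfiguration: LAN has a gateway selected.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <if>em0</if>
      <ipaddr>203.0.113.10</ipaddr>
      <subnet>29</subnet>
      <gateway>WANGW</gateway>
    </wan>
    <lan>
      <if>em1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <gateway>LANGW</gateway>
    </lan>
  </interfaces>
  <gateways>
    <gateway_item><name>WANGW</name><interface>wan</interface><gateway>203.0.113.9</gateway></gateway_item>
    <gateway_item><name>LANGW</name><interface>lan</interface><gateway>192.168.1.254</gateway></gateway_item>
  </gateways>
</pfsense>
"""


def interface_gateways(xml_text):
    """Return {interface: gateway-name} for every interface with a gateway selected."""
    root = ET.fromstring(xml_text)
    found = {}
    for iface in root.find("interfaces"):
        gw = (iface.findtext("gateway") or "").strip()
        if gw and gw.lower() != "none":
            found[iface.tag] = gw
    return found


def reflection_warnings(xml_text, wan_interfaces=("wan",)):
    """Warn about internal interfaces that carry a gateway.

    wan_interfaces lists the interfaces that legitimately have one
    (add the opt interfaces of a multi-WAN box here).
    """
    warnings = []
    for iface, gw in interface_gateways(xml_text).items():
        if iface not in wan_interfaces:
            warnings.append(
                f"{iface}: gateway '{gw}' selected; set it to 'none' for an internal "
                f"network, otherwise pfSense treats {iface} as a WAN interface"
            )
    return warnings


def clear_interface_gateway(xml_text, iface_name):
    """Return the config with <gateway> removed from the named interface (the fix)."""
    root = ET.fromstring(xml_text)
    iface = root.find(f"interfaces/{iface_name}")
    if iface is not None:
        gw = iface.find("gateway")
        if gw is not None:
            iface.remove(gw)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in reflection_warnings(SAMPLE_CONFIG):
        print("WARNING", line)
    fixed = clear_interface_gateway(SAMPLE_CONFIG, "lan")
    print("after fix:", reflection_warnings(fixed) or "no warnings")
```

Point it at a Diagnostics > Backup/Restore export instead of `SAMPLE_CONFIG` to check a live box; on the poster's configuration it would have flagged `lan` on the first run, which is the setting that took a remote session to find.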



  • Really?  I never would have guessed:

    Second page of thread, halfway down:

    "I've seen that gateways have been renamed or changed mysteriously upon upgrade by some.
    In one case it just killed his RRD data.

    In another case the gateway inserted itself into the OpenVPN and WAN firewall rules.

    Could some sort of gateway rename/change/insertion have happened to you?

    I'm reaching…"

    haha - But yeah.  I think supermule would have known it anyway.

    I'm going to put the words "please ignore this" at the bottom of all my posts from now on.    ;D


  • It was a pleasure working with Daniel, and nice to meet a fellow pfSense'r!! :)

