pfSense 2.1 NAT Reflection

  • Hello everyone - I am new to the forum, although I have been a happy pfSense 1.2.3 user for several years.

    I recently decided to move to 2.1, and for better or worse I decided to do a complete reinstall rather than just upgrading.  I wanted to re-enter the configuration and rules from scratch - this may have been a big mistake.

    Simply put, I cannot seem to get NAT Reflection to work for the life of me. It all worked fine in 1.2.3, but even after carefully inspecting my old 1.2.3 backup XML file I cannot see what I am doing wrong.  There seem to be some subtle differences in how the two versions handle reflection.

    So, here is my environment:

    I have three interfaces - WAN, LAN, and DMZ.  There are several servers in the DMZ that act as web or email servers.

    I configured each of my WAN static IPs (which are defined as Virtual IPs) with 1:1 NAT.  I made sure reflection was turned on in the settings, and I made sure the 1:1 NAT configuration had reflection enabled.

    The 1:1 seems to work fine from the WAN.  I can access the servers as expected, either from their WAN IP or their respective DNS URLs.  However, I cannot see my servers from the LAN, whether I use the WAN IP, DNS name, or the DMZ IP address.  This is a classic use case for NAT reflection, as far as I can tell, but it is not working for me.

    Attached are some relevant screenshots.  I experimented with adding port-forward rules (the last two shown in the Port Forward list), but they do nothing useful.  The last LAN rule is the auto-generated NAT rule.

    Does anyone have any ideas?  I imagine it is some simple thing - most everyone is getting NAT Reflection to work in 2.1.

    Any help would be appreciated.

  • Same problem for me! Did you find a solution???

  • And your FW rules permit the traffic??

  • @Supermule:

    And your FW rules permit the traffic??

    Yes, in my case I have nearly the exact configuration described by the original poster and, of course, the rules to permit traffic.

    Only NAT reflection doesn't work!

  • I have exactly the same problem.  :-[

    I have several servers set up on my LAN interface with 1:1 mapping (using Virtual IPs on the WAN side).

    I was using 2.0.1 and NAT reflection worked fine.

    I did an in place upgrade to 2.1, and now I can't get NAT reflection to work at all.

    Help, please.

  • I solved this (at least for myself, I hope this helps others on the thread).  :D

    I had to add a firewall rule to explicitly allow traffic from LAN1 to LAN1 - once that rule was in place traffic for NAT reflection worked again.

    This rule was not required in my 2.0.1 configuration, and I thought the NAT reflection settings under System => Advanced would take care of this.

  • Thank you, davidpurdue!!  I've been trying to solve this for a while now.  It must have to do with the NAT+Proxy reflection mode.

  • Thanks davidpurdue!

    On 2.1.5 I was unable to make NAT reflection work until I made this explicit allow rule for LAN-to-LAN. I already had an allow for LAN-to-ANY so this never crossed my mind.
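    To make the mechanism behind davidpurdue's fix and the LAN-to-LAN observation above concrete, here is a hand-written pf ruleset fragment added to this thread for illustration; it is not taken from the pfSense GUI, the generated /tmp/rules.debug, or any poster. The interface names, the 192.168.1.0/24 LAN, the 10.0.2.0/24 DMZ, the Virtual IP 203.0.113.10 and the web server 10.0.2.10 are all assumed placeholders. It shows the three pieces reflection needs for a 1:1 mapping in "Pure NAT" style: the binat for WAN traffic, an rdr on the LAN interface so LAN clients addressing the public IP are sent to the DMZ host, and a source NAT on the DMZ side so the server's replies return through the firewall rather than straight to the LAN client.

```pf
# Added illustration, not pfSense-generated. Interfaces and addresses are assumed.
ext_if = "em0"            # WAN
lan_if = "em1"            # LAN, 192.168.1.0/24 (assumed)
dmz_if = "em2"            # DMZ, 10.0.2.0/24 (assumed)
vip    = "203.0.113.10"   # WAN Virtual IP used for the 1:1 mapping (assumed)
web    = "10.0.2.10"      # DMZ web server behind that VIP (assumed)
web_ports = "{ 80, 443 }"

# 1:1 NAT as configured in the GUI: the VIP maps to the DMZ host in both
# directions for traffic arriving on or leaving via the WAN.
binat on $ext_if from $web to any -> $vip

# NAT reflection, step 1: a LAN client that connects to the public VIP is
# redirected on the LAN interface to the real DMZ address.
rdr on $lan_if proto tcp from $lan_if:network to $vip port $web_ports -> $web

# NAT reflection, step 2: without this the DMZ host would see the LAN client's
# real source address and answer it directly, so the reply would never pass
# back through the state created by the rdr and the connection would hang.
# Rewriting the source to the DMZ interface address keeps both directions on
# the firewall. pfSense's "NAT + Proxy" mode achieves the same effect by
# relaying the connection through a local proxy instead of this nat rule.
nat on $dmz_if proto tcp from $lan_if:network to $web port $web_ports -> ($dmz_if)

# Filtering: pf evaluates pass rules after translation, so the rule that admits
# the reflected connection on the LAN interface is matched against the
# rewritten destination, not against the VIP the client typed. The posters
# above found that on 2.1 an explicit LAN-to-LAN allow rule in the GUI was what
# made reflection work again; the rule below is the hand-written pass that
# admits the translated traffic in this illustration.
pass in quick on $lan_if proto tcp from $lan_if:network to $web port $web_ports
```

    When checking a live box, `pfctl -s nat` lists the rdr/nat/binat rules pfSense actually generated and `pfctl -s rules` the filter rules; comparing the VIP and the DMZ address in that output against the rule the GUI shows is the quickest way to see whether the missing piece is the redirect, the return-path NAT, or the pass rule.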

