4. PfSense 2.1 NAT Reflection

PfSense 2.1 NAT Reflection

  • J

    Hello everyone - I am new to the forum, although I have been been a happy pfSense 1.2.3 user for several years.

    I recently decided to move to 2.1, and for better or worse I decided to do a complete reinstall rather than just upgrading.  I wanted to re-enter the configuration and rules from scratch - this may have been a big mistake.

    Simply put, I cannot seem to get NAT Reflection to work for the life of me. It all worked fine in 1.2.3, but even after carefully inspecting my old 1.2.3 backup XML file I can not see what I am doing wrong.  There seems to be some subtle differences in how the two versions handle reflection.

    So, here is my environment:

    I have three interfaces - WAN, LAN, and DMZ.  There are several servers in the DMZ that act as web or email servers.

    I configured each of my WAN static IPs (which are defined as Virtual IPs) with 1:1 NAT.  I made sure reflection was turned on in the settings, and I made sure the 1:1 NAT configuration had reflection enabled.

    The 1:1 seems to work fine from the WAN.  I can access the servers as expected, either from their WAN IP or their respective DNS URLS.  However I cannot see my servers from the LAN, whether I use the WAN IP, DNS name, or the DMZ IP address.  This is a classic use case for NAT reflection, as far as I can tell, but it is not working for me.

    Attached are some relevent screen shots.  I experimented with adding port-forward rules (the last two shown in the Port Forward list, but the do nothng useful.  The last LAN rule is the auto-generated NAT rule.

    Does anyone have any ideas?  I imagine it is some simple thing - most everyone is getting NAT Reflection to work in 2.1.

    Any help would be appreciated.










    0
  • S

    Same problem for me! do you find a solution???

    Thanks…

    0
  • S
    Banned

    And your FW rules permit the traffic??

    0
  • S

    @Supermule:

    And your FW rules permit the traffic??

    Yess, in my case, I have nearly exact configuration exposed by open poster and of course, the rules to permit traffic.

    Only NAT reflection doesn't worK!

    0
  • D

    I have exactly the same problem.  :-[

    I have several servers set up on my LAN interface with 1:1 mapping (using Virtual IPs on the WAN side).

    I was using 2.0.1 and NAT reflection worked fine.

    I did an in place upgrade to 2.1, and now I can't get NAT reflection to work at all.

    Help, please.

    0
  • D

    I solved this (at least for myself, I hope this helps others on the thread).  :D

    I had to add a firewall rule to explicitly allow traffic from LAN1 to LAN1 - once that rule was in place traffic for NAT reflection worked again.

    This rule was not required in my 2.0.1 configuration, and I thought the NAT reflection settings under System => Advanced would take care of this.

    0
  • R

    Thank you, davidpurdue!!  I've been trying to solve this for a while now.  It must have to do with the NAT+Proxy reflection mode.

    0
  • O

    Thanks davidpurdue!

    On 2.1.5 I was unable to make NAT reflection work until I made this explicit allow rule for LAN-to-LAN. I already had an allow for LAN-to-ANY so this never crossed my mind.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy