PfSense 2.1 NAT Reflection

jswedberg

Hello everyone - I am new to the forum, although I have been been a happy pfSense 1.2.3 user for several years.

I recently decided to move to 2.1, and for better or worse I decided to do a complete reinstall rather than just upgrading.  I wanted to re-enter the configuration and rules from scratch - this may have been a big mistake.

Simply put, I cannot seem to get NAT Reflection to work for the life of me. It all worked fine in 1.2.3, but even after carefully inspecting my old 1.2.3 backup XML file I can not see what I am doing wrong.  There seems to be some subtle differences in how the two versions handle reflection.

So, here is my environment:

I have three interfaces - WAN, LAN, and DMZ.  There are several servers in the DMZ that act as web or email servers.

I configured each of my WAN static IPs (which are defined as Virtual IPs) with 1:1 NAT.  I made sure reflection was turned on in the settings, and I made sure the 1:1 NAT configuration had reflection enabled.

The 1:1 seems to work fine from the WAN.  I can access the servers as expected, either from their WAN IP or their respective DNS URLS.  However I cannot see my servers from the LAN, whether I use the WAN IP, DNS name, or the DMZ IP address.  This is a classic use case for NAT reflection, as far as I can tell, but it is not working for me.

Attached are some relevent screen shots.  I experimented with adding port-forward rules (the last two shown in the Port Forward list, but the do nothng useful.  The last LAN rule is the auto-generated NAT rule.

Does anyone have any ideas?  I imagine it is some simple thing - most everyone is getting NAT Reflection to work in 2.1.

Any help would be appreciated.

sap68

Same problem for me! do you find a solution???

Thanks…

Supermule

And your FW rules permit the traffic??

sap68

@Supermule:

And your FW rules permit the traffic??

Yess, in my case, I have nearly exact configuration exposed by open poster and of course, the rules to permit traffic.

Only NAT reflection doesn't worK!

davidpurdue

I have exactly the same problem.  :-[

I have several servers set up on my LAN interface with 1:1 mapping (using Virtual IPs on the WAN side).

I was using 2.0.1 and NAT reflection worked fine.

I did an in place upgrade to 2.1, and now I can't get NAT reflection to work at all.

Help, please.

davidpurdue

I solved this (at least for myself, I hope this helps others on the thread).  :D

I had to add a firewall rule to explicitly allow traffic from LAN1 to LAN1 - once that rule was in place traffic for NAT reflection worked again.

This rule was not required in my 2.0.1 configuration, and I thought the NAT reflection settings under System => Advanced would take care of this.

rootchick

Thank you, davidpurdue!!  I've been trying to solve this for a while now.  It must have to do with the NAT+Proxy reflection mode.

Oletho

Thanks davidpurdue!

On 2.1.5 I was unable to make NAT reflection work until I made this explicit allow rule for LAN-to-LAN. I already had an allow for LAN-to-ANY so this never crossed my mind.