Netgate Discussion Forum
    PfSense 2.1 NAT Reflection

    jswedberg

      Hello everyone - I am new to the forum, although I have been a happy pfSense 1.2.3 user for several years.

      I recently decided to move to 2.1, and for better or worse I decided to do a complete reinstall rather than just upgrading.  I wanted to re-enter the configuration and rules from scratch - this may have been a big mistake.

      Simply put, I cannot seem to get NAT Reflection to work for the life of me. It all worked fine in 1.2.3, but even after carefully inspecting my old 1.2.3 backup XML file I can not see what I am doing wrong.  There seems to be some subtle differences in how the two versions handle reflection.

      So, here is my environment:

      I have three interfaces - WAN, LAN, and DMZ.  There are several servers in the DMZ that act as web or email servers.

      I configured each of my WAN static IPs (which are defined as Virtual IPs) with 1:1 NAT.  I made sure reflection was turned on in the settings, and I made sure the 1:1 NAT configuration had reflection enabled.

      The 1:1 seems to work fine from the WAN.  I can access the servers as expected, either from their WAN IP or their respective DNS URLS.  However I cannot see my servers from the LAN, whether I use the WAN IP, DNS name, or the DMZ IP address.  This is a classic use case for NAT reflection, as far as I can tell, but it is not working for me.

      Attached are some relevant screen shots.  I experimented with adding port-forward rules (the last two shown in the Port Forward list), but they do nothing useful.  The last LAN rule is the auto-generated NAT rule.

      Does anyone have any ideas?  I imagine it is some simple thing - most everyone is getting NAT Reflection to work in 2.1.

      Any help would be appreciated.

      Attachments: NAT-1to1-a.png, NAT-1to1-9-a.png, NAT-PortForward-a.png, LAN-Rules-a.png, Settings-NAT-a.png

      sap68

        Same problem for me! Did you find a solution???

        Thanks…

        Supermule (Banned)

          And your FW rules permit the traffic??

          sap68

            @Supermule:

            And your FW rules permit the traffic??

            Yes, in my case I have nearly the exact configuration exposed by the original poster and, of course, the rules to permit traffic.

            Only NAT reflection doesn't work!

            davidpurdue

              I have exactly the same problem.  :-[

              I have several servers set up on my LAN interface with 1:1 mapping (using Virtual IPs on the WAN side).

              I was using 2.0.1 and NAT reflection worked fine.

              I did an in place upgrade to 2.1, and now I can't get NAT reflection to work at all.

              Help, please.

              davidpurdue

                I solved this (at least for myself, I hope this helps others on the thread).  :D

                I had to add a firewall rule to explicitly allow traffic from LAN1 to LAN1 - once that rule was in place traffic for NAT reflection worked again.

                This rule was not required in my 2.0.1 configuration, and I thought the NAT reflection settings under System => Advanced would take care of this.

                rootchick
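                The fix davidpurdue describes, written out as an added illustration in pf.conf syntax (this is not output generated by pfSense, and the interface names, networks and addresses are assumed placeholders): pf applies filter rules after translation, so a reflected connection from a LAN client to the public VIP is seen by the filter as LAN-to-server on the LAN address, which is why an explicit LAN-to-LAN pass rule makes it work.

```pf
# Added example, not pfSense-generated rules. Placeholders assumed:
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
wan_vip = "203.0.113.10"      # public Virtual IP mapped 1:1 to the server
server  = "192.168.1.50"      # the server, which sits on the LAN interface

# 1:1 mapping for clients arriving from the WAN (this part already worked).
binat on $wan_if from $server to any -> $wan_vip

# Reflection: a LAN client that connects to the public VIP is redirected
# back to the server's private address on the same LAN segment.
rdr on $lan_if proto tcp from $lan_net to $wan_vip port 80 -> $server port 80

# Hairpin source translation (the "NAT + proxy" idea): rewrite the source to
# the firewall's LAN address so the server's reply returns via the firewall
# rather than straight to the client, which would otherwise drop it.
nat on $lan_if proto tcp from $lan_net to $server port 80 -> ($lan_if)

# Filtering happens on the translated packet: the destination is now the
# server's LAN address, not the VIP. This is the explicit LAN-to-LAN allow
# rule from the thread; without a rule matching the LAN destination the
# reflected connection is blocked even though the rdr/nat entries exist.
pass in on $lan_if proto tcp from $lan_net to $server port 80
```

                On a pfSense box the equivalent check is to look at the generated ruleset with `pfctl -sr` and `pfctl -sn` and confirm that a pass rule exists whose destination is the server's LAN address, not only the WAN VIP.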

                  Thank you, davidpurdue!!  I've been trying to solve this for a while now.  It must have to do with the NAT+Proxy reflection mode.

                  Oletho

                    Thanks davidpurdue!

                    On 2.1.5 I was unable to make NAT reflection work until I made this explicit allow rule for LAN-to-LAN. I already had an allow for LAN-to-ANY so this never crossed my mind.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.