Not installing nat reflection rules.



  • Hi all,
    Newbie question. When I try to update NAT-rules, in the system log I get the following:
    Oct 23 09:05:17 php: : Not installing nat reflection rules. Maximum 1,000 reached.
    Oct 23 09:05:17 last message repeated 17 times
    Oct 23 09:05:17 php: : Not installing nat reflection rules for a port range > 500
    Could somebody explain what it means?
    Thanks.

    Eugene.



  • I assume you activated NAT-reflection.
    It just says what you've been warned about when you activated NAT-reflection:

    Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.

    I didn't try that but I think it might work if you make multiple NAT-entries each with a port-range smaller than 500.
    From the log-entry there is apparently a limit of 1000 reflection.
    Do you really need more than 1000 Ports reflected?



  • Thanks for answering. Could you explain what is NAT-reflection?
    I have a number of interfaces. I have several virtual IP-addresses and do outgoing mapping using them.
    Of course there are some NAT port forwardings and three 1:1 instances.

    Thanks,
    Eugene.



  • NAT reflection is:

    Server    int. Client
          |        /
          |      /
      pfSense
    (WAN-address)
          |
          |
      ext. Client

    You have a NAT mapping from your WAN-address to your Server.
    Your external Clients can access the server without problem.
    But if an internal Client wants to access the Server on the WAN-address (NOT directly) you need NAT-reflection.
    --> reflects a local request to the server.



  • Ok. Great. Thanks for the explanation.
    But again a dummy question: where do I configure (enable/disable) this nat-reflection?

    Do you really need more than 1000 Ports reflected?

    What do you mean by "port" here?

    Thanks,
    Eugene.



  • System --> Advanced --> Network Address Translation.

    well... a port is... hmmm... a port ^^"
    http://en.wikipedia.org/wiki/TCP_and_UDP_port



  • Thank you very much -)
    Especially I liked "port is a port" -)))

