Netgate Discussion Forum

NAT reflection with name instead of IP?

5 Posts 2 Posters 1.8k Views
  • M
    mmccurdy
    last edited by Dec 13, 2013, 11:05 AM

    Hi all, new to pfSense, pretty psyched to be trying this out.  Most things seem to be working great so far, but I'm having some issues with NAT reflection and the stuff I'm reading is making me nervous that my use case may not actually be supported.  I'd love a quick sanity check that it should be and I'll be happy to keep hacking away at it.

    Here's my situation, which I think should be fairly common, at least for home use:

    • WAN connection is straight DHCP without static IP.  Using no-ip dynamic DNS which has been solid for six months or so, no issues.
    • I have a number of ports mapped through regular NAT port forwards, as here:

    • I have some DHCP IP reservations for various hosts on my network, as here:

    • I would like to be able to use the same DNS name/port to connect to these services when I'm on my local network and from outside.  For example, I'd like a VNC connection to my.ddns.net:5900 to properly resolve and connect to 192.168.1.50:5900 regardless of where I am.

    I've tried various settings under System:Advanced:Firewall and NAT:Network Address Translation, including all three NAT Reflection modes and all combinations (I think!) of the checkboxes in that section to no avail.

    Does someone know whether this scenario should in fact work with pfSense?  This particular aspect was working ok on my previous off-the-shelf router (an Asus) so in the abstract it seems technically feasible.

    • P
      phil.davis
      last edited by Dec 13, 2013, 2:01 PM

      I thought that the NAT reflection should work in some combination - but I don't use that myself.
      One way to do it without NAT reflection is to add Host Overrides in the DNS Forwarder, e.g. my.ddns.net = 192.168.1.50. Then, when you are on the local LAN inside pfSense, the name resolves directly to the local IP address; when you are outside on the big bad internet, it resolves to your public IP.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • M
        mmccurdy
        last edited by Dec 13, 2013, 10:34 PM

        Thanks for the reply!

        If I'm understanding the implications of that, won't I be limited to a single internal IP?  I have various services running on different hosts across my internal network, so resolving to .50 will only work for the stuff running on that particular host, won't it?

        To expand on the use case a bit: I'd like my.ddns.net:5900 to resolve and translate internally to 192.168.1.50:5900 and my.ddns.net:443 to resolve and translate to 192.168.1.25:443, etc.

        • P
          phil.davis
          last edited by Dec 14, 2013, 5:27 PM

          Yes, you are correct. A Host Override directs the whole name to a single IP, not quite as flexible as individual port forwards ;)
          Someone else with real NAT reflection experience feel free to jump in here and help…

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          • M
            mmccurdy
            last edited by Jan 3, 2014, 10:02 AM

            Just thought I'd update this as I've found a solution that works for me.  The key seems to be enabling a few DNS forwarder options as follows:

            Then (the piece I was missing before), add some additional forwards with the LAN IP as the destination, since this will be the result of the lookups:

            So, now I can use the same names when I'm local, using the DNS forwarding and local NAT forwards, as I do when I'm outside.

            Problem (apparently, for me anyway) solved!

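The two approaches discussed in this thread (a Host Override pointing the whole name at one internal host, versus a Host Override pointing the name at the firewall's LAN address plus LAN-side port forwards that mirror the WAN ones) can be checked with a small model before touching the firewall. The script below is an added example, not pfSense code or anything posted in the thread; it assumes the final post's "LAN IP" is the pfSense LAN interface address (192.168.1.1), and all addresses, client IPs and rules are constructed. It answers the question the thread turns on: for each forwarded port, does my.ddns.net:port land on the same internal host from inside the LAN as it does from the internet?

```python
# Added example: a small model of pfSense split DNS plus port forwards, used to
# check that name:port reaches the same internal host from inside and outside.
# This is not pfSense code; addresses, names and rules below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed LAN
FIREWALL_LAN_IP = "192.168.1.1"          # assumed LAN address of pfSense
PUBLIC_IP = "203.0.113.7"                # constructed public (dynamic DNS) address
NAME = "my.ddns.net"                     # name used in the thread


@dataclass(frozen=True)
class PortForward:
    interface: str     # interface the packet arrives on: "WAN" or "LAN"
    dst: str           # destination address the rule matches
    dst_port: int
    target: str        # internal host the packet is redirected to
    target_port: int


def resolve(name: str, client_ip: str, overrides: dict, public_dns: dict) -> str:
    """LAN clients ask the pfSense DNS forwarder, where a host override wins;
    everyone else sees the public record."""
    if ip_address(client_ip) in LAN_NET and name in overrides:
        return overrides[name]
    return public_dns[name]


def translate(interface: str, dst_ip: str, dst_port: int, forwards) -> tuple:
    """First matching port forward wins (pf rdr semantics); no match means the
    connection goes to the address the client dialled."""
    for rule in forwards:
        if (rule.interface, rule.dst, rule.dst_port) == (interface, dst_ip, dst_port):
            return rule.target, rule.target_port
    return dst_ip, dst_port


def connect(name, port, client_ip, overrides, forwards, public_dns) -> tuple:
    """Where does a client at client_ip land when it connects to name:port?"""
    dst_ip = resolve(name, client_ip, overrides, public_dns)
    interface = "LAN" if ip_address(client_ip) in LAN_NET else "WAN"
    return translate(interface, dst_ip, port, forwards)


def inconsistent_ports(name, ports, overrides, forwards, public_dns) -> set:
    """Ports for which an inside and an outside client reach different hosts."""
    inside, outside = "192.168.1.77", "198.51.100.9"   # constructed clients
    return {
        p for p in ports
        if connect(name, p, inside, overrides, forwards, public_dns)
        != connect(name, p, outside, overrides, forwards, public_dns)
    }


PUBLIC_DNS = {NAME: PUBLIC_IP}
PORTS = (5900, 443)

# Existing WAN port forwards from the thread: VNC to .50, HTTPS to .25.
WAN_FORWARDS = (
    PortForward("WAN", PUBLIC_IP, 5900, "192.168.1.50", 5900),
    PortForward("WAN", PUBLIC_IP, 443, "192.168.1.25", 443),
)

# Approach 1: a host override sends the whole name to one host.
SINGLE_HOST_OVERRIDE = {NAME: "192.168.1.50"}

# Approach 2: a host override sends the name to the firewall's LAN address and
# LAN-side forwards mirror the WAN ones (assumed reading of the final post).
FIREWALL_OVERRIDE = {NAME: FIREWALL_LAN_IP}
LAN_FORWARDS = tuple(
    PortForward("LAN", FIREWALL_LAN_IP, r.dst_port, r.target, r.target_port)
    for r in WAN_FORWARDS
)


def approach1() -> set:
    return inconsistent_ports(NAME, PORTS, SINGLE_HOST_OVERRIDE, WAN_FORWARDS, PUBLIC_DNS)


def approach2() -> set:
    return inconsistent_ports(NAME, PORTS, FIREWALL_OVERRIDE,
                              WAN_FORWARDS + LAN_FORWARDS, PUBLIC_DNS)


if __name__ == "__main__":
    print("single-host override, ports that differ inside vs outside:", approach1())
    print("firewall override + LAN forwards, ports that differ:", approach2())
```

With the single-host override, port 5900 is consistent but port 443 reaches 192.168.1.50 from inside and 192.168.1.25 from outside, which is exactly the limitation phil.davis points out. With the override aimed at the firewall and matching LAN-side forwards, every port lands on the same host from both sides. The same check is worth re-running whenever a WAN forward is added or retargeted, since a LAN forward that no longer mirrors its WAN counterpart silently reintroduces the split.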
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.