NAT reflection with name instead of IP?

  • Hi all, new to pfSense, pretty psyched to be trying this out.  Most things seem to be working great so far, but I'm having some issues with NAT reflection and the stuff I'm reading is making me nervous that my use case may not actually be supported.  I'd love a quick sanity check that it should be and I'll be happy to keep hacking away at it.

    Here's my situation, which I think should be fairly common, at least for home use:

    • WAN connection is straight DHCP without static IP.  Using no-ip dynamic DNS which has been solid for six months or so, no issues.
    • I have a number of ports mapped through regular NAT port forwards, as here:

    • I have some DHCP IP reservations for various hosts on my network, as here:

    • I would like to be able to use the same DNS name/port to connect to these services when I'm on my local network and from outside.  For example, I'd like a VNC connection to to properly resolve and connect to regardless of where I am.

    I've tried various settings under System:Advanced:Firewall and NAT:Network Address Translation, including all three NAT Reflection modes and all combinations (I think!) of the checkboxes in that section to no avail.

    Does someone know whether this scenario should in fact work with pfSense?  This particular aspect was working ok on my previous off-the-shelf router (an Asus) so in the abstract it seems technically feasible.

  • I thought that the NAT reflection should work in some combination - but I don't use that myself.
    One way to do it without NAT reflection is to add Host Overrides in the DNS Forwarder, e.g. = - then when you are on the local LAN inside pfSense the name resolves directly to the local IP address, when you are outside on the big bad internet it resolves to your public IP.

  • Thanks for the reply!

    If I'm understanding the implications of that, won't I be limited to a single internal IP?  I have various services running on different hosts across my internal network, so resolving to .50 will only work for the stuff running on that particular host, won't it?

    To expand on the use case a bit: I'd like to resolve and translate internally to and to resolve and translate to, etc.

  • Yes, you are correct. The Host Overrides directs the whole name to a single IP, not quite as flexible as individual port forwards  ;)
    Someone else with real NAT reflection experience feel free to jump in here and help…

  • Just thought I'd update this as I've found a solution that works for me.  The key seems to be enabling a few DNS forwarder options as follows:

    Then (the piece I was missing before), add some additional forwards with the LAN IP as the destination, since this will be the result of the lookups:

    So, now I can use the same names when I'm local, using the DNS forwarding and local NAT forwards, as I do when I'm outside.

    Problem (apparently, for me anyway) solved!

Log in to reply