1:1 NAT and NAT Reflection Advice

  • Hello

    I'm looking for a little advice on NAT Reflection with a 1:1 NAT.  I've looked through the forums and tried a bunch of things, but nothing seems to really work as I expect it to.  I'm reaching out as a last effort before I have to implement split horizon DNS (which I realize is likely the better solution . . .)

    On a pfSense 2.1.4-RELEASE installation I have one 1:1 NAT assigned to my on-premise email server.  It works.  I have manual outbound NAT set up for all outbound traffic, which I had to do to accommodate a VoIP server behind the firewall.  It works as well.  I'm not able to reach my email server's external address (used by Android phones ActiveSync service) from the LAN, due to NAT reflection I'm assuming.

    I've tried enabling the NAT reflection options for 1:1 and for automatic outbound NAT in the System>Advanced>NAT to no avail.  I've also tried writing a manual outbound rule, but that doesn't work either.  I believe I may be doing something wrong when setting up the outbound rule as it seems to break the overall email service.

    Anyone have any ideas on what I'm missing?  Or do I need to bite the bullet and set up split horizon DNS.


  • I went with split DNS.  External DNS servers (Linux/BIND) point to public address for our servers, while our internal Windows domain DNS handles the same domain and points to the LAN addresses.  They're servers and their IP addresses are static so you don't need to futz with them once you have them created.  NAT redirection was always a PITA.  Split DNS solves everything nicely.

  • Yes, I agree, and that's probably the way I'll have to go as well.  I only have 1 external server that is used, so I was hoping to avoid split DNS for just 1 address, but I should probably just stop whining and do it  :)

  • I went through something very similar recently. It was regular NAT, not 1:1 NAT, but the same principle.

    My internal users couldn't access our email server or web server using the public server names.  I too ended up using Split DNS just as KOM describes it.

    While I would like to know why NAT Reflection didn't work for me, I am very happy I went with the Split DNS setup. In fact, it took less time to convert to Split DNS using BIND than I spent on messing around with NAT Reflection.

Log in to reply