Netgate Discussion Forum
    Reflection just won't work.

Category: NAT
18 Posts, 3 Posters, 5.6k Views
BVZVC

Hello,

I have 5 interfaces on my pfSense firewall.

WAN - T1 with one Virtual IP using CARP (hosts all of my servers in the DMZ)
WAN2 - Cable Modem (used as an internet connection for the LAN and INTERNET_ONLY)
LAN
DMZ
INTERNET_ONLY

From the LAN and DMZ, reflection is not working properly, but on the INTERNET_ONLY interface it works perfectly fine.

I have a virtual IP set up on the WAN interface. So the interface IP address is 111.111.111.90 and the VIP is 111.111.111.92.

If I attempt to connect to port 80 on 111.111.111.90 from the LAN, it works.
If I attempt to connect to port 80 on 111.111.111.92 from the LAN, it fails.

DNS is working perfectly; it resolves the right IP.
Everything works perfectly from outside of the network.

Any ideas as to why reflection is not working on the LAN and DMZ?

I do have reflection enabled, btw.
cmb

What kind of NAT configuration are you using?

Also please don't post the same thing multiple times. I removed the duplicate post.
BVZVC

Is there any more information I should provide? I'm really at a loss here.
hoba

What's that DMZ>LAN outbound NAT rule for???
BVZVC

That's so that from the LAN I can access the DMZ.
hoba

You don't need to NAT from LAN to DMZ. Remove it.
BVZVC

Done, but that didn't fix the problem. Is there any more info you need?
hoba

The more I look at your outbound NAT config the more I am puzzled. I think you don't need it at all. Try disabling AON again and retest. There is nothing in there that is not handled by the default NATting that is present when AON is disabled. Well, there are even some things missing in your manual outbound NAT configuration, I think.
BVZVC

I need the outbound NAT because I want the LAN to only go out on WAN_CABLE.
hoba

No, wrong. Only firewall rules determine what goes out which WAN. Outbound NAT only specifies whether the traffic is NATted or not.
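To make hoba's point concrete, here is an added illustration in pf rule syntax; it is not a rule set generated by pfSense and not from anyone in this thread. Interface names (em0..em3), the RFC 5737 addresses standing in for the T1 block and the cable gateway, the internal subnets and the web server address are all assumed for the example.

```pf
# Assumed layout: em0=WAN (T1, carries the CARP VIP), em1=WAN2 (cable),
# em2=LAN, em3=DMZ. 192.0.2.92 stands in for the public VIP.
ext_if   = "em0"
cable_if = "em1"
lan_if   = "em2"
dmz_if   = "em3"
lan_net  = "10.0.1.0/24"
dmz_net  = "10.0.2.0/24"
web_srv  = "10.0.2.10"
vip      = "192.0.2.92"
cable_gw = "203.0.113.1"

# Outbound NAT only rewrites the source address on the interface the packet
# is already leaving through; it never decides which WAN that is.
nat on $cable_if from $lan_net to any -> ($cable_if)
nat on $ext_if   from $dmz_net to any -> ($ext_if)
# No nat rule between LAN and DMZ: routed traffic between internal nets needs none.

# Port forward for the VIP, also applied on the internal interfaces so that
# LAN and DMZ clients connecting to the public address are redirected (reflection).
rdr on { $ext_if $lan_if $dmz_if } proto tcp from any to $vip port 80 -> $web_srv port 80

# Hairpin for DMZ clients: the server's reply would otherwise go straight to the
# client on the same subnet and never pass the firewall that holds the state.
nat on $dmz_if proto tcp from $dmz_net to $web_srv port 80 -> ($dmz_if)

# Which WAN the LAN uses is decided here, by route-to in the firewall rule.
# rdr has already rewritten the destination to $web_srv when filtering runs, so
# traffic to internal networks must be matched first, or route-to would force
# the reflected connection out the cable WAN instead of into the DMZ.
pass in quick on $lan_if inet from $lan_net to { $dmz_net $lan_net } keep state
pass in quick on $lan_if route-to ($cable_if $cable_gw) inet from $lan_net to any keep state
pass in quick on $dmz_if inet from $dmz_net to any keep state
```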
BVZVC

Switched to Automatic outbound NAT.

Exact same scenario.
hoba

Try Diagnostics > States, Reset States. Then retest NAT reflection.
BVZVC

Still a no go. Does this have to do with the MultiWAN?
hoba

I have 3 WANs and 6 internal subnets at the office with a CARP setup and even VLANned. Reflection is working just fine. Don't know why it's not working for you. I'm out of ideas ???
BVZVC

I've even re-installed pfSense.
cmb

If you're using 1:1 NAT, reflection won't work, but that doesn't appear to be the case. It also doesn't work for ranges of more than 500 ports, but you don't have that either. Do you see anything relevant in the system log?
BVZVC

Nothing gets blocked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.