Netgate Discussion Forum
NAT Reflection (Pure NAT) not working for same subnet (v2.2.2)
    rossc719
    last edited by May 20, 2020, 11:22 PM

    If anyone is interested in debugging this at a later date, please let me know.
    I am very interested in working with anyone who has any constructive ideas for how to move forward.

    For now, the hack I described above, (The manually created outgoing NAT rule) seems to patch over the bug, so I will go ahead and use that.

    Cheers

      johnpoz LAYER 8 Global Moderator
      last edited by May 21, 2020, 12:15 PM

      @rossc719 said in NAT Reflection (Pure NAT) not working for same subnet (v2.2.2):

      seems to patch over the bug

      There is no BUG.. The problem you're seeing is something unique to your setup.. More than happy to help you work through it.. But as I have shown, I cannot reproduce your issue. The problem is something unique to your setup.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        rossc719 @johnpoz
        last edited by May 21, 2020, 8:06 PM

        More than happy to help you work through it..

        Excellent. How would you like to proceed?

          rossc719
          last edited by Jun 11, 2020, 3:51 AM

          FWIW, I'm still interested in trying to work through it with anyone who is up for it.

          I guess I'll stop updating this thread, but if someone is reading this in 2028, and is interested in helping, please assume I am still interested.

            andy_redpoint @rossc719
            last edited by Jul 30, 2021, 4:44 PM

            Old thread, but in context on an edge case bug I think an update is relevant - I have just been having this exact same issue, and @rossc719's input on this thread plus the document he contributed (https://docs.google.com/document/d/1DCtqI2q3RlaK6HkTgp_xFw6poxWg6wiJlzw0V7lDtGU/edit?usp=sharing) was exactly what I needed to fix it.

            I have version 2.4.5-RELEASE-p1, the 'Enable automatic outbound NAT for Reflection' tick box is definitely set and, for whatever reason, does nothing. TCP dump showed all the traffic traversing the NAT correctly, but retaining its original source address. I added in a manual outbound NAT and the problem is fixed straight away.

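The symptom in the post above (redirected traffic keeping its original source address) is easiest to see in pf's own rule language. The following is an added illustration, not configuration from the thread or generated by pfSense; the interface names, addresses and port are assumed:

```pf
# Added example: rdr/nat syntax as used by the pf in pfSense's FreeBSD base.
# All names and addresses below are constructed for illustration.
ext_if  = "em0"               # WAN interface
int_if  = "em1"               # LAN interface
wan_ip  = "203.0.113.10"      # public address the port forward listens on
lan_net = "192.168.1.0/24"    # LAN subnet shared by client and server
lan_ip  = "192.168.1.1"       # firewall's own LAN address
srv     = "192.168.1.50"      # internal web server

# Normal port forward for traffic arriving from the Internet.
rdr on $ext_if inet proto tcp from any to $wan_ip port 443 -> $srv port 443

# NAT reflection (Pure NAT): a LAN client that connects to the public
# address is redirected to the internal server. Only the destination
# is rewritten; the packet still carries the client's LAN source address.
rdr on $int_if inet proto tcp from $lan_net to $wan_ip port 443 -> $srv port 443

# Without the rule below, the server sees a client on its own subnet and
# replies to it directly, never passing back through the firewall. The
# client opened a connection to 203.0.113.10 but receives a SYN/ACK from
# 192.168.1.50, so it discards it and the connection hangs. That is the
# "traffic retaining its original source address" visible in tcpdump.

# Outbound NAT on the LAN interface for the reflected flow (what the
# manual outbound NAT workaround in this thread adds): the source becomes
# the firewall's LAN address, so the server's replies are sent to the
# firewall, which un-NATs both directions from its state table.
nat on $int_if inet proto tcp from $lan_net to $srv port 443 -> $lan_ip
```

To confirm which case you are in, capture on the LAN interface while a same-subnet client connects: with the nat rule working, packets to the server show the firewall's LAN address as source; without it, they show the client's address.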
              DTM_NV @andy_redpoint
              last edited by Oct 1, 2021, 2:29 AM

              @andy_redpoint Exactly my experience. I was testing OPNsense 21 with this configuration and had no issues. Rebuilt with pfSense 2.5.2 last month and spent a good hour or two trying to work out why the same settings weren't working.

              I would add that the other "hacky" thing I'm doing is bridging the interfaces of a dual port NIC and assigning the bridge to the LAN interface. But I have turned off filtering for the bridge members.

              Thanks for all the posts on this thread and the consideration for future Googlers @rossc719 with your outbound NAT solution which has resolved my issue. Reflective NAT isn't ideal, but at least it works until I can do something like build a reverse proxy in front of my web servers.

                rtw915
                last edited by Oct 23, 2023, 9:48 PM

                Hello @rossc719 we have not passed 2028 yet and I ran into the same issue. For me I did not have Enable automatic outbound NAT for Reflection selected, but I did have Pure NAT selected for NAT Reflection mode for port forwards. However, after enabling Enable automatic outbound NAT for Reflection nothing changed, it still was not working. It was not until I forced a filter reload after enabling that option that it started to work.

                  rossc719
                  last edited by Oct 24, 2023, 12:30 AM

                  Good to know.
                  But, at least for me, reloading the filters makes no difference.
                  My situation has not changed since I originally posted it back in 2020. (Needless to say, things have been reloaded, rebooted, and reconfigured many times since then).
                  I am still using the same manually created outgoing NAT rule to patch the "undesirable behavior that is apparently not a bug". :-)

                    Mike_Uk @rossc719
                    last edited by Mike_Uk Nov 6, 2023, 5:06 PM

                    @rossc719

                    I did find another solution to this problem, and it is no more harmful (I believe) than the default operation of a firewall if done carefully. It could possibly be fine-tuned somewhat, by placing this rule at the bottom of a rule list. I'm sure others here will advise. I only needed mine to transfer a few email accounts, to new email server software that had been installed. It needed to be run on the same server, and I had to use the reflection used for incoming external email, to get out of the machine. Once done, I disabled the rules.

                    I created a rule for the VLAN for our mail server to allow All outbound traffic through the firewall to the web, reflection redirects it back again if it's on the same ports as per the inbound NAT rule.

                    Action Pass
                    Interface MAILSERVER
                    Address IPV4
                    Protocol: TCP

                    Source: Single host or alias, Mailserver_ip
                    Destination …
                    Invert match: Checked
                    LAN.net ← Lan for users – this blocks the email server from connecting outbound to the main_lan via reflection
                    (You may need to set a rule for each VLAN if you intend to run it permanently, I had to do another for our phone system)

                    And that's it.

                    I hope it's useful to someone.

                    Mike

                      tknospdr @Mike_Uk
                      last edited by Feb 23, 2025, 5:42 PM

                      I'm now dealing with the same issue. Still not 2028, but only 3 years shy.

                      I posted a new thread about it as it wasn't until late in the posting process that I realized it may have had something to do with NAT reflection specifically.

                      The rub here is that I am running DNS split horizons and still have my issue.

                      Feel free to answer here or comment on my new thread.
                      Thread here

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.