Netgate Discussion Forum
    NAT Reflection (Pure NAT) not working for same subnet (v2.2.2)
    rossc719:

      Good to know.
      But, at least for me, reloading the filters makes no difference.
      My situation has not changed since I originally posted it back in 2020. (Needless to say, things have been reloaded, rebooted, and reconfigured many times since then).
      I am still using the same manually created outgoing NAT rule to patch the "undesirable behavior that is apparently not a bug". :-)

    Mike_Uk (replying to rossc719):


        @rossc719

        I did find another solution to this problem, and it is no more harmful (I believe) than the default operation of a firewall if done carefully. It could possibly be fine-tuned somewhat by placing this rule at the bottom of a rule list; I'm sure others here will advise. I only needed mine to transfer a few email accounts to new email server software that had been installed. It needed to be run on the same server, and I had to use the reflection used for incoming external email to get out of the machine. Once done, I disabled the rules.

        I created a rule for the VLAN for our mail server to allow all outbound traffic through the firewall to the web; reflection redirects it back again if it's on the same ports as per the inbound NAT rule.

        Action: Pass
        Interface: MAILSERVER
        Address Family: IPv4
        Protocol: TCP
        Source: Single host or alias, Mailserver_ip
        Destination: LAN net (the LAN for users), with Invert match checked – this blocks the email server from connecting outbound to the main LAN via reflection
        (You may need to set a rule for each VLAN if you intend to run it permanently; I had to do another for our phone system.)

        And that's it.

        I hope it's useful to someone.

        Mike

        tknospdr (replying to Mike_Uk):


          I'm now dealing with the same issue. Still not 2028, but only 3 years shy.

          I posted a new thread about it as it wasn't until late in the posting process that I realized it may have had something to do with NAT reflection specifically.

          The rub here is that I am running split-horizon DNS and still have my issue.

          Feel free to answer here or comment on my new thread.
          Thread here

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.