[SOLVED] NAT Reflection Troubles



  • Local (LAN) Client
    http://web_server_local_ip_address/ works fine
    http://wan_ip_address/ works fine

    http://web_server_domain_name/ redirects to port 443 (pfSense WebGUI Configurator)
    (works from external (WAN) client)

    local http to pfSense does not redirect to https - as expected

    What am I missing?

    pfSense Settings:

    Port 80 NAT and Firewall Rule that redirects to the web server.

    System - Admin Access:
    HTTPS selected
    TCP Port 443
    Disable webConfigurator redirect rule checked
    Disable DNS Rebinding Checks checked

    System - Firewall / NAT:
    Enable (Pure NAT) NAT Reflection Mode
    Enable 1:1 NAT Reflection
    Enable Auto OutBound NAT Reflection



  • Already read that, and not interested in doing split DNS right now.

    Shouldn't NAT reflection be functional for this use case?



  • LAYER 8 Global Moderator

    Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

    Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..



  • That doc indicates it should work.
    @article:

    To fix this, edit the NAT Port Forward for the offending port, and change External Address to Interface Address instead of any.

    NAT Port Forward is already configured to use the Interface Address instead of any.

    The symptom outlined there is not what I'm experiencing.  I can browse to external web sites just fine.
    @article:

    When NAT Reflection is enabled, any connection made to an external web site comes up as the internal web site instead.

    The symptom I'm experiencing is that when browsing to the internal hosted http (port 80) web site via its FQDN it is redirected to https (port 443), so it hits the pfSense WebGUI configurator instead of being redirected to the internal LAN hosted web site.  Works fine though if the FQDN's IP address (WAN interface IP address) is used instead of the name.



  • @johnpoz:

    Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

    Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..

    Don't recall anyone saying that it's not.  But that is not the objective.  NAT Redirection for local hosted web server is the objective.


  • LAYER 8 Global Moderator

    And the objective is a pointless utter waste of time with a one-click override and you're done.. And to be honest shouldn't even be a possible thing to do.. NAT reflection is a HACK..



  • If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.



  • @KOM:

    If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

    Yes I agree that it should work with the FQDN too.  But for some reason it wasn't getting reflected and instead getting redirected to port 443.

    Had changed the WebGUI port, but didn't seem to help.

    Don't know what changed since, but now it is working.
    Can access the local hosted web site via:

    http(s)://FQDN
    http(s)://WAN IP address

    http(s)://Local Host Name
    http(s)://LAN IP address

    And browsing external internet works fine too.



  • For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

    Firewall:
    NAT rule that forwards ports 80 and 443 to the local hosted web server.
    If: WAN, Proto: TCP, Src. addr: *, Src. ports: *, Dest. addr: WAN address, Dest. ports: Web Ports, NAT IP: Web Server, NAT Ports: Web Ports

    Firewall rule that passes ports 80 and 443 to the local hosted web server.
    Proto: IPv4 TCP, Source: *, Port: *, Destination: Web Server, Port: Web Ports, Gateway: *, Queue: none

    System - Admin Access:
    Protocol: HTTPS
    TCP Port: 443
    WebGUI redirect: Disabled (box checked)
    DNS Rebind Check: Enabled (box NOT checked)

    System - Firewall / NAT:
    Network Address Translation
    NAT Reflection mode for port forwards: Enable (Pure NAT)
    Reflection Timeout: (not specified)
    Enable NAT Reflection for 1:1 NAT: Disabled (box NOT checked)
    Enable automatic outbound NAT for Reflection: Enabled (box checked)
    TFTP Proxy: (not specified)

    With this configuration the local hosted web server can be accessed by its FQDN, WAN IP address, Local Host Name, and LAN IP address.

    Note: NAT Dest. addr set to "any" ("*") will prevent internet browsing.



  • Think I figured out what was causing the troubles.  Browser internal redirection of http to https.

    Initially only port 80 was in the NAT rule.  So when the browser was internally redirecting to https there would not be any NAT reflection and the request would be serviced by the WebGUI on port 443.



  • @NOYB:

    For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

    Glad you were able to get it working.

    I have all my settings exactly like yours and I can't get it to work. Not sure what I'm missing and it's driving me crazy. It's definitely not the browser.



    pfSense WebGUI issues a one-year Strict-Transport-Security header.  So if you are being directed to https://my_domain.com/ when trying to use http://my_domain.com/, that is a possible cause.

    Strict Transport Security (HSTS)
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

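The two posts above (the port-80-only NAT rule, and the WebGUI's one-year HSTS header) describe one mechanism: once a browser has cached an HSTS policy for the FQDN, it silently rewrites http://FQDN/ to https://FQDN/, so a port forward that only covers 80 is never consulted and the request lands on the webConfigurator on 443. The model below replays that, with the original rule (80 only) beside the posted working rule (80 and 443). It is an added example, not code from this thread or from pfSense; the hostname, the WAN address 203.0.113.10 and the response headers are constructed, and the header values are illustrative rather than captured from a real pfSense.

```python
"""Model of the NAT reflection vs. HSTS failure mode from the thread.
Added example (not from the thread or pfSense); hosts, IPs and headers are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of what an https response from the pfSense webConfigurator
# might carry. The thread says the WebGUI sends a one-year HSTS header; the
# exact value here (31536000 s) is illustrative.
WEBGUI_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

_HSTS_RE = re.compile(r"^strict-transport-security:\s*(.*?)\s*$", re.I | re.M)
_MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.I)


def hsts_max_age(raw_headers):
    """Return the max-age (seconds) of a Strict-Transport-Security header, or None."""
    m = _HSTS_RE.search(raw_headers)
    if not m:
        return None
    ma = _MAX_AGE_RE.search(m.group(1))
    return int(ma.group(1)) if ma else None


def is_ip_literal(host):
    """RFC 6797 applies HSTS to domain names only, never to IP literals.
    This is why http://WAN_IP/ keeps working while http://FQDN/ gets upgraded."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class Browser:
    """Minimal HSTS cache: host -> remaining max-age in seconds."""

    def __init__(self):
        self.hsts = {}

    def learn(self, host, raw_headers):
        """Record the policy from an https response received from `host`."""
        age = hsts_max_age(raw_headers)
        if age and not is_ip_literal(host):
            self.hsts[host] = age

    def effective_port(self, url):
        """Port the browser will actually connect to for `url` after any HSTS upgrade."""
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if u.scheme == "http" and u.hostname in self.hsts:
            # Upgrade to https; only the default port 80 becomes 443 (RFC 6797 8.3).
            return 443 if u.port is None else port
        return port


def who_answers(port, forwarded_ports, webgui_port=443):
    """Which service handles a LAN request reflected to the WAN address on `port`.
    A matching port forward (rdr) is applied before the firewall's own listener."""
    if port in forwarded_ports:
        return "web server (NAT reflection)"
    if port == webgui_port:
        return "pfSense webConfigurator"
    return "dropped (no rule)"


def diagnose(forwarded_ports, fqdn="my_domain.com", wan_ip="203.0.113.10"):
    """Replay the thread: the browser has previously seen the WebGUI over https
    at the FQDN (and at the WAN IP), then the user browses the three URLs.
    Returns {url: responder}."""
    b = Browser()
    b.learn(fqdn, WEBGUI_RESPONSE_HEADERS)
    b.learn(wan_ip, WEBGUI_RESPONSE_HEADERS)  # ignored: IP literal
    urls = ("http://%s/" % fqdn, "http://%s/" % wan_ip, "https://%s/" % fqdn)
    return {u: who_answers(b.effective_port(u), forwarded_ports) for u in urls}


if __name__ == "__main__":
    for label, ports in (("original rule: 80 only", {80}),
                         ("working rule: 80 and 443", {80, 443})):
        print(label)
        for url, responder in diagnose(ports).items():
            print("  %-28s -> %s" % (url, responder))
```

Run it and the first block shows http://my_domain.com/ and https://my_domain.com/ both answered by the webConfigurator while http://203.0.113.10/ still reaches the web server, exactly the symptom in the opening post; the second block, with 443 in the forward, sends all three to the web server even though the HSTS policy is still cached. Clearing the browser's HSTS entry for the FQDN is the other way out, but the cached policy is harmless once both ports are forwarded.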
