Netgate Discussion Forum

[SOLVED] NAT Reflection Troubles

14 Posts 5 Posters 25.3k Views

    NOYB, Aug 29, 2015, 8:57 PM (last edited Sep 2, 2015, 4:29 AM)

    Local (LAN) Client
    http://web_server_local_ip_address/ works fine
    http://wan_ip_address/ works fine

    http://web_server_domain_name/ redirects to port 443 (pfSense WebGUI Configurator)
    (works from external (WAN) client)

    local http to pfSense does not redirect to https - as expected

    What am I missing?

    pfSense Settings:

    Port 80 NAT and Firewall Rule that redirects to the web server.

    System - Admin Access:
    HTTPS selected
    TCP Port 443
    Disable webConfigurator redirect rule checked
    Disable DNS Rebinding Checks checked

    System - Firewall / NAT:
    Enable (Pure NAT) NAT Reflection Mode
    Enable 1:1 NAT Reflection
    Enable Auto OutBound NAT Reflection

      doktornotor (Banned), Aug 29, 2015, 9:10 PM

      https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
      https://forum.pfsense.org/index.php?action=search

      Not even funny any more. Get proper DNS records and stop using this nonsense.

        NOYB, Aug 29, 2015, 9:26 PM

        Already read that, and not interested in doing split DNS right now.

        Shouldn't NAT reflection be functional for this use case?

          doktornotor (Banned), Aug 29, 2015, 10:46 PM

          No.

          https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

            johnpoz (LAYER 8 Global Moderator), Aug 30, 2015, 12:24 AM

            Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

            Just what I love for performance is to hairpin all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              NOYB, Aug 30, 2015, 12:27 AM (last edited Aug 30, 2015, 12:33 AM)

              That doc indicates it should work.
              @article:

              To fix this, edit the NAT Port Forward for the offending port, and change External Address to Interface Address instead of any.

              NAT Port Forward is already configured to use the Interface Address instead of any.

              The symptom outlined there is not what I'm experiencing.  I can browse to external web sites just fine.
              @article:

              When NAT Reflection is enabled, any connection made to an external web site comes up as the internal web site instead.

              The symptom I'm experiencing is that when browsing to the internally hosted http (port 80) web site via its FQDN, it is redirected to https (port 443), so it hits the pfSense WebGUI configurator instead of being redirected to the internal LAN-hosted web site.  Works fine though if the FQDN's IP address (WAN interface IP address) is used instead of the name.

                NOYB, Aug 30, 2015, 12:30 AM

                @johnpoz:

                Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?

                Just what I love for performance is to hairpin all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..

                Don't recall anyone saying that it's not.  But that is not the objective.  NAT Redirection for local hosted web server is the objective.

                  johnpoz (LAYER 8 Global Moderator), Aug 30, 2015, 1:19 AM

                  And the objective is a pointless utter waste of time with one click override and you're done.. And to be honest shouldn't even be a possible thing to do.. NAT reflection is a HACK..


                    KOM, Aug 30, 2015, 2:22 AM

                    If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

                      NOYB, Aug 30, 2015, 2:58 AM (last edited Sep 2, 2015, 4:29 AM)

                      @KOM:

                      If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address.  Do they resolve to the same address?  Have to check the obvious stuff first.  You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.

                      Yes I agree that it should work with the FQDN too.  But for some reason it wasn't getting reflected and instead getting redirected to port 443.

                      Had changed the WebGUI port, but didn't seem to help.

                      Don't know what changed since, but now it is working.
                      Can access the local hosted web site via:

                      http(s)://FQDN
                      http(s)://WAN IP address

                      http(s)://Local Host Name
                      http(s)://LAN IP address

                      And browsing external internet works fine too.

                        NOYB, Aug 30, 2015, 11:34 PM (last edited Sep 2, 2015, 4:28 AM)

                        For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                        Firewall:
                        NAT rule that forwards ports 80 and 443 to the local hosted web server.
                        If: WAN, Proto, TCP, Src. addr: *, Src. ports: *, Dest. addr: WAN address, Dest. ports: Web Ports, NAT IP: Web Server, NAT Ports: Web Ports

                        Firewall rule that passes ports 80 and 443 to the local hosted web server.
                        Proto, IPv4 TCP, Source: *, Port: *, Destination: Web Server, Port: Web Ports, Gateway: *, Queue: none

                        System - Admin Access:
                        Protocol: HTTPS
                        TCP Port: 443
                        WebGUI redirect: Disabled (box checked)
                        DNS Rebind Check: Enabled (box NOT checked)

                        System - Firewall / NAT:
                        Network Address Translation
                        NAT Reflection mode for port forwards: Enable (Pure NAT)
                        Reflection Timeout: (not specified)
                        Enable NAT Reflection for 1:1 NAT: Disabled (box NOT checked)
                        Enable automatic outbound NAT for Reflection: Enabled (box checked)
                        TFTP Proxy: (not specified)

                        With this configuration the locally hosted web server can be accessed by its FQDN, WAN IP address, Local Host Name, and LAN IP address.

                        Note: NAT Dest. addr set as "any" "*" will prevent internet browsing.

                          NOYB, Aug 31, 2015, 1:44 AM (last edited Sep 2, 2015, 4:31 AM)

                          Think I figured out what was causing the troubles.  Browser internal redirection of http to https.

                          Initially only port 80 was in the NAT rule.  So when the browser was internally redirecting to https there would not be any NAT reflection and the request would be serviced by the WebGUI on port 443.

                            captdragon, Apr 18, 2016, 12:22 AM
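The two posts above (the working port-forward configuration, with its note that a destination of "any" breaks internet browsing, and the explanation that a port-80-only forward lets an https upgrade land on the WebGUI) describe three outcomes of one mechanism. The following is an added example, not code from the thread or from pfSense: it models the pf-style rdr/nat rules that "Pure NAT" reflection adds on the LAN side and then resolves where a LAN client's connection actually ends up. All addresses, the interface name and the rule syntax are assumptions chosen for illustration; pfSense's real generated ruleset differs in detail.

```python
"""Model of pfSense-style 'Pure NAT' reflection for a WAN port forward.

Added example, not code from the thread or from pfSense.  Renders the kind
of pf rdr/nat rules reflection adds on an internal interface and resolves
where a LAN client's TCP connection lands, to show: a forward whose
destination is 'any' hijacks ordinary web surfing; a forward for port 80
alone leaves https://WAN_IP on the webConfigurator; forwarding 80 and 443
together reaches the web server.  All values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample topology (assumptions, not taken from the thread).
WAN_IP = "203.0.113.10"          # pfSense WAN address
LAN_IF = "lan"
LAN_NET = "192.168.1.0/24"
LAN_IP = "192.168.1.1"           # pfSense LAN address
WEB_SERVER = "192.168.1.20"      # locally hosted web server
WEBGUI_PORT = 443                # System > Admin Access TCP port


@dataclass(frozen=True)
class PortForward:
    """One Firewall > NAT > Port Forward entry (simplified)."""
    proto: str                                   # "tcp"
    dest: str                                    # "wan_address" or "any"
    ports: Tuple[int, ...]                       # destination ports, e.g. (80, 443)
    target: str                                  # NAT IP (internal host)
    target_ports: Optional[Tuple[int, ...]] = None  # NAT ports; None = same as ports


def reflection_rules(fwd: PortForward, lan_ifs=(LAN_IF,)) -> List[str]:
    """Illustrative pf-style rules pure-NAT reflection adds per internal
    interface: an rdr so LAN clients aimed at the forwarded address are
    redirected, and (with 'automatic outbound NAT for Reflection') a nat so
    the server's replies return via the firewall instead of going straight
    back to a client that never connected to the server's address.
    Approximate syntax, not pfSense's generated ruleset."""
    dst = WAN_IP if fwd.dest == "wan_address" else "any"
    tports = fwd.target_ports or fwd.ports
    rules = []
    for ifn in lan_ifs:
        for p, tp in zip(fwd.ports, tports):
            rules.append(f"rdr on {ifn} proto {fwd.proto} from any to {dst} port {p} -> {fwd.target} port {tp}")
            rules.append(f"nat on {ifn} proto {fwd.proto} from {LAN_NET} to {fwd.target} port {tp} -> {LAN_IP}")
    return rules


def resolve(forwards: List[PortForward], dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Where does a LAN client's TCP connection to dst_ip:dst_port end up?
    rdr is evaluated before local delivery, so a matching reflection rule
    wins over the firewall's own listeners (the WebGUI included)."""
    for fwd in forwards:
        tports = fwd.target_ports or fwd.ports
        for p, tp in zip(fwd.ports, tports):
            if dst_port == p and (fwd.dest == "any" or dst_ip == WAN_IP):
                return ("web_server", f"{fwd.target}:{tp}")
    if dst_ip == WAN_IP and dst_port == WEBGUI_PORT:
        return ("webgui", f"{WAN_IP}:{WEBGUI_PORT}")
    return ("internet", f"{dst_ip}:{dst_port}")


if __name__ == "__main__":
    only80 = PortForward("tcp", "wan_address", (80,), WEB_SERVER)
    both = PortForward("tcp", "wan_address", (80, 443), WEB_SERVER)
    dest_any = PortForward("tcp", "any", (80,), WEB_SERVER)
    for rule in reflection_rules(both):
        print(rule)
    print(resolve([only80], WAN_IP, 443))           # browser upgraded to https -> webgui
    print(resolve([both], WAN_IP, 443))             # -> web_server
    print(resolve([dest_any], "198.51.100.7", 80))  # external site hijacked
```

The `dest_any` case is the one the "Why does enabling NAT Reflection break web surfing" article warns about: with "any" as the destination the rdr matches every outbound port-80 connection from the LAN, so external sites come up as the internal server. The `only80` case is the thread's original symptom once the browser upgrades the request to https.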

                            @NOYB:

                            For others having troubles getting NAT Reflection working as expected, here is my current working configuration.

                            Glad you were able to get it working.

                            I have all my settings exactly like yours and I can't get it to work. Not sure what I'm missing and it's driving me crazy. It's definitely not the browser.

                              NOYB, Apr 18, 2016, 1:35 AM

                              pfSense WebGUI issues a one year Strict-Transport-Security header.  So if being directed to https://my_domain.com/ when trying to use http://my_domain.com/ that is a possible cause.

                              Strict Transport Security (HSTS)
                              https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
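The post above points at a browser-side cause (a one-year Strict-Transport-Security header from the WebGUI) for what looks like a NAT failure. A way to tell the two apart is to make one request without following redirects and look at exactly what the answering server sent. The following is an added example, not code from the thread or from pfSense: a small probe plus a constructed stub server standing in for a webConfigurator that redirects to https and sends HSTS. Browsers only honour HSTS received over HTTPS; the stub sends it over plain HTTP only so the example runs offline.

```python
"""Probe an http:// URL without following redirects and report what the
answering server sent, to separate a NAT-reflection problem from a browser
side HSTS upgrade.  Added example, not code from the thread or from pfSense;
the stub server is a constructed stand-in for a WebGUI answering with a
redirect and a one-year Strict-Transport-Security header."""
import http.client
import http.server
import re
import threading
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the max-age the thread attributes to the pfSense WebGUI


def probe(host: str, port: int, path: str = "/", tls: bool = False, timeout: float = 5.0) -> dict:
    """One GET with redirects NOT followed (http.client never follows them),
    returning just the fields that matter for this diagnosis."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return {
            "status": resp.status,
            "location": resp.getheader("Location"),
            "hsts": resp.getheader("Strict-Transport-Security"),
            "server": resp.getheader("Server"),
        }
    finally:
        conn.close()


def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """Parse max-age out of an HSTS header value; None if absent or malformed."""
    if not value:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def diagnose(result: dict) -> List[str]:
    """Turn a probe result into findings a practitioner can act on."""
    findings = []
    loc = str(result.get("location") or "")
    if result["status"] in (301, 302, 303, 307, 308) and loc.lower().startswith("https://"):
        findings.append("server-side redirect to https")
    age = hsts_max_age(result.get("hsts"))
    if age:
        findings.append(f"hsts max-age={age}: browser will rewrite http:// to https:// for this host until it expires")
    if not findings:
        findings.append("no redirect and no hsts in this response")
    return findings


class _StubWebGui(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: redirect to https and advertise one-year HSTS."""
    def do_GET(self):
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Strict-Transport-Security", f"max-age={ONE_YEAR}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_server() -> http.server.HTTPServer:
    """Start the stub on an ephemeral loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubWebGui)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_stub_server()
    try:
        r = probe("127.0.0.1", srv.server_address[1])
        print(r)
        for f in diagnose(r):
            print("-", f)
    finally:
        srv.shutdown()
```

Against a real setup, probe the FQDN on port 80 and, with `tls=True`, on port 443: a 30x with an https Location, or a `Server` header naming the firewall rather than the web server, means the request reached the WebGUI, which points at the port forward (443 missing, or destination not the WAN address) rather than at the browser. If the 443 response carries HSTS, every later http:// request from that browser will be upgraded before it leaves the machine, which is why clearing the site's HSTS entry (or forwarding 443 as well) is part of the fix.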