[SOLVED] NAT Reflection Troubles
-
Local (LAN) Client
http://web_server_local_ip_address/ works fine
http://wan_ip_address/ works fine
http://web_server_domain_name/ redirects to port 443 (pfSense WebGUI Configurator)
(works from external (WAN) client)
local http to pfSense does not redirect to https - as expected
What am I missing?
pfSense Settings:
Port 80 NAT and Firewall Rule that redirects to the web server.
System - Admin Access:
HTTPS selected
TCP Port 443
Disable webConfigurator redirect rule checked
Disable DNS Rebinding Checks checked
System - Firewall / NAT:
Enable (Pure NAT) NAT Reflection Mode
Enable 1:1 NAT Reflection
Enable Auto OutBound NAT Reflection
-
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
https://forum.pfsense.org/index.php?action=search
Not even funny any more. Get proper DNS records and stop using this nonsense.
-
Already read that, and not interested in doing split DNS right now.
Shouldn't NAT reflection be functional for this use case?
-
No.
https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F
-
Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?
Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..
-
That doc indicates it should work.
@article:To fix this, edit the NAT Port Forward for the offending port, and change External Address to Interface Address instead of any.
NAT Port Forward is already configured to use the Interface Address instead of any.
The symptom outlined there is not what I'm experiencing. I can browse to external web sites just fine.
@article:When NAT Reflection is enabled, any connection made to an external web site comes up as the internal web site instead.
The symptom I'm experiencing is that when browsing to the internal hosted http (port 80) web site via its FQDN it is redirected to https (port 443), so it hits the pfSense WebGUI configurator instead of being redirected to the internal LAN hosted web site. Works fine though if the FQDN's IP address (WAN interface IP address) is used instead of the name.
-
Why is local name resolution not an easier and more elegant solution than sending packets through your firewall twice?
Just what I love for performance is hairpinning all my connections through the interface and firewall rules.. Makes for super speedy great use of all resources involved..
Don't recall anyone saying that it's not. But that is not the objective. NAT Redirection for local hosted web server is the objective.
-
And the objective is a pointless utter waste of time with a one-click override and you're done.. And to be honest shouldn't even be a possible thing to do.. NAT reflection is a HACK..
-
If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address. Do they resolve to the same address? Have to check the obvious stuff first. You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.
-
@KOM:
If access via WAN IP address works, then via FQDN should also work assuming they resolve to the same IP address. Do they resolve to the same address? Have to check the obvious stuff first. You could try moving WebGUI to a different port just to see if the behaviour changes with subsequent tests.
Yes, I agree that it should work with the FQDN too. But for some reason it wasn't getting reflected and instead getting redirected to port 443.
Had changed the WebGUI port, but didn't seem to help.
Don't know what changed since, but now it is working.
Can access the local hosted web site via:
http(s)://FQDN
http(s)://WAN IP address
http(s)://Local Host Name
http(s)://LAN IP address
And browsing external internet works fine too.
-
For others having troubles getting NAT Reflection working as expected, here is my current working configuration.
Firewall:
NAT rule that forwards ports 80 and 443 to the local hosted web server.
If: WAN, Proto: TCP, Src. addr: *, Src. ports: *, Dest. addr: WAN address, Dest. ports: Web Ports, NAT IP: Web Server, NAT Ports: Web Ports
Firewall rule that passes ports 80 and 443 to the local hosted web server.
Proto: IPv4 TCP, Source: *, Port: *, Destination: Web Server, Port: Web Ports, Gateway: *, Queue: none
System - Admin Access:
Protocol: HTTPS
TCP Port: 443
WebGUI redirect: Disabled (box checked)
DNS Rebind Check: Enabled (box NOT checked)
System - Firewall / NAT:
Network Address Translation
NAT Reflection mode for port forwards: Enable (Pure NAT)
Reflection Timeout: (not specified)
Enable NAT Reflection for 1:1 NAT: Disabled (box NOT checked)
Enable automatic outbound NAT for Reflection: Enabled (box checked)
TFTP Proxy: (not specified)
With this configuration the local hosted web server can be accessed by its FQDN, WAN IP address, Local Host Name, and LAN IP address.
Note: NAT Dest. addr set as "any" "*" will prevent internet browsing.
-
Think I figured out what was causing the troubles. Browser internal redirection of http to https.
Initially only port 80 was in the NAT rule. So when the browser was internally redirecting to https there would not be any NAT reflection and the request would be serviced by the WebGUI on port 443.
-
For others having troubles getting NAT Reflection working as expected, here is my current working configuration.
Glad you were able to get it working.
I have all my settings exactly like yours and I can't get it to work. Not sure what I'm missing and it's driving me crazy. It's definitely not the browser.
-
pfSense WebGUI issues a one-year Strict-Transport-Security header. So if you are being directed to https://my_domain.com/ when trying to use http://my_domain.com/, that is a possible cause.
Strict Transport Security (HSTS)
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
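As an added illustration of the HSTS mechanism this last reply points to (and of the earlier observation that the redirect happened for the FQDN but not for the WAN IP), here is a small Python model of a browser's HSTS cache, written for this page and not taken from the thread or from pfSense. It parses a `Strict-Transport-Security` header per RFC 6797, remembers the policy per host, and decides whether a later `http://` request would be upgraded before it ever leaves the machine. The header value and host names are constructed placeholders; a one-year `max-age` is used because that is what the post describes.

```python
"""Model of how a browser's HSTS cache turns http:// into https:// locally.

Constructed example: the header value, host names and times below are made up
to mirror the symptom in the thread (FQDN redirected, WAN IP not).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample header: a one-year policy without includeSubDomains,
# the shape the post above attributes to the pfSense webConfigurator.
SAMPLE_HSTS_HEADER = "max-age=31536000"


@dataclass
class HstsEntry:
    expires_at: float        # absolute time (seconds) at which the policy lapses
    include_subdomains: bool  # whether the policy also covers sub-hosts


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains), or None if the header is
    invalid per RFC 6797 6.1: max-age missing/non-numeric or a directive repeated.
    Unknown directives are ignored; directive names are case-insensitive and
    values may be quoted."""
    seen = set()
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:          # duplicate directive => whole header ignored
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:           # max-age is mandatory
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS state, as a browser keeps it after a successful TLS response."""

    def __init__(self) -> None:
        self._known: Dict[str, HstsEntry] = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Apply a header received over HTTPS from `host`; max-age=0 forgets it."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._known.pop(host, None)
        else:
            self._known[host] = HstsEntry(now + max_age, include_sub)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if an http:// request to `host` would be rewritten to https://.
        IP literals are never HSTS hosts (RFC 6797 8.1), which is why the WAN
        address kept working in the thread while the FQDN was redirected."""
        host = host.lower()
        try:
            ipaddress.ip_address(host)
            return False
        except ValueError:
            pass
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # host itself, then each superdomain
            entry = self._known.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:        # expired policy is dropped
                del self._known[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def simulate_thread_symptom() -> Dict[str, bool]:
    """One visit to https://FQDN (the webGUI) caches the policy; afterwards the
    browser upgrades http://FQDN itself but leaves http://<WAN IP> alone."""
    store = HstsStore()
    store.record("web.example.test", SAMPLE_HSTS_HEADER, now=1_000.0)
    return {
        "http://web.example.test": store.should_upgrade("web.example.test", now=1_500.0),
        "http://203.0.113.10": store.should_upgrade("203.0.113.10", now=1_500.0),
    }


if __name__ == "__main__":
    for url, upgraded in simulate_thread_symptom().items():
        print(f"{url}: {'upgraded to https by the browser' if upgraded else 'sent as http'}")
```

The point for troubleshooting is that once the policy is cached, no amount of NAT or firewall change will make `http://FQDN/` reach port 80: the browser never sends the plain request. Clearing the site's HSTS state in the browser, or testing with a client that has no HSTS cache (a fresh profile, or `curl`, which keeps none), separates this cause from a genuine NAT reflection problem.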