Netgate Discussion Forum

    Nat reflection behind another nat not working

      Brandhor

      Hi, I have pfSense 2.2.4 connected in NAT to my ISP router. Let's say the external IP is 9.9.9.9, the pfSense WAN IP is 192.168.1.10 and the LAN is 192.168.0.1. If I connect from a LAN IP to 192.168.1.10 the NAT reflection works, but if I connect to 9.9.9.9 it doesn't.
      The NAT works from outside, and it used to work from the LAN with the previous firewall (Smoothwall) that I used as well.

        doktornotor Banned

        Either stop double-NATing, or fix your DNS.

          Derelict LAYER 8 Netgate

          Your ISP router will be the one needing to perform NAT reflection in that case.

          Use split DNS instead.

          Or call them.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Brandhor

            @Derelict:

            Your ISP router will be the one needing to perform NAT reflection in that case.

            Use split DNS instead.

            Or call them.

            I don't use DNS. Also, it was working before with Smoothwall, so I don't think that the ISP router needs anything changed.

              doktornotor Banned

              It won't work. You are talking to your router's IP, pfSense will not rewrite any headers there. If you don't use DNS, then simply stop pointing things to places where they do NOT exist, such as your modem's WAN IP. (Regardless of this, there's nothing good about multi-NAT.)

                NOYB

                @Brandhor:

                Hi, I have pfSense 2.2.4 connected in NAT to my ISP router. Let's say the external IP is 9.9.9.9, the pfSense WAN IP is 192.168.1.10 and the LAN is 192.168.0.1. If I connect from a LAN IP to 192.168.1.10 the NAT reflection works, but if I connect to 9.9.9.9 it doesn't.
                The NAT works from outside, and it used to work from the LAN with the previous firewall (Smoothwall) that I used as well.

                See no technical reason a double NAT with NAT reflection shouldn't work.

                From your problem description it sounds like all but one of the use cases is working.

                LAN client to LAN target - works
                LAN client to pfSense WAN IP NAT Reflected to LAN target - works
                LAN client to ISP Router WAN IP NAT Reflected - does not work
                Internet client to ISP Router WAN IP NAT to pfSense WAN IP NAT to LAN target - works

                Is that correct?  If so, verify the request is actually getting to the ISP router and being responded to.

                Maybe if you were to post the NAT and firewall rules of both routers someone may be able to help spot a configuration issue.

                Oh, also forgot to ask.  Are you making the request via a hostname, FQDN, or the actual IP address?

                  cmb

                  @NOYB:

                  See no technical reason a double NAT with NAT reflection shouldn't work.

                  It should, but OP's pointing the finger at the wrong device. The device with the public IP is where the reflection happens, which is the ISP router in this case.

                  @Brandhor:

                  also it was working before with smoothwall

                  Not if it was also behind the NAT and all else is the same. The reflection happens only on the device that has the public IP.

                  Regardless, others noting that double NAT is bad and you should do away with it are right.

                    Brandhor

                    @NOYB:

                    Is that correct?  If so, verify the request is actually getting to the ISP router and being responded to.

                    Maybe if you were to post the NAT and firewall rules of both routers someone may be able to help spot a configuration issue.

                    Oh, also forgot to ask.  Are you making the request via a hostname, FQDN, or the actual IP address?

                    How can I verify that? Also, I don't have access to the ISP router and I'm using the IP address only. The only thing I know about the ISP router is that all the ports are forwarded to the pfSense IP.

                    Not if it was also behind the NAT and all else is the same. The reflection happens only on the device that has the public IP.

                    Yeah, it was exactly the same. The old Smoothwall firewall broke down, so I replaced it with pfSense.

                      NOYB

                      Without access to the ISP router you're at a big disadvantage for troubleshooting to solve this.

                      Maybe start with a pfSense WAN packet capture to see if the request is going out and coming back reflected by the ISP router.

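
Added example, not part of any post in this thread: one way to read the pfSense WAN packet capture suggested in the last reply, classifying `tcpdump -n` style text lines to tell whether the ISP router reflected the request. The forwarded port 443, the router LAN address 192.168.1.1 and all sample lines are constructed assumptions; the other addresses are the ones given in the thread.

```python
import re

# Addresses from the thread; the forwarded port is an assumption for this sketch.
PUBLIC_IP = "9.9.9.9"
PFSENSE_WAN = "192.168.1.10"
PORT = 443

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse(lines):
    """Yield (src, sport, dst, dport, flags) for each TCP line of tcpdump text."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def classify(lines):
    """Say what a capture taken on the pfSense WAN shows about upstream hairpinning."""
    sent = reflected = answered = False
    for src, sport, dst, dport, flags in parse(lines):
        syn_only = flags == "S"
        if syn_only and src == PFSENSE_WAN and dst == PUBLIC_IP and dport == PORT:
            sent = True        # request left pfSense toward the ISP router
        elif syn_only and dst == PFSENSE_WAN and dport == PORT:
            reflected = True   # it came back in through the router's port forward
        elif src == PUBLIC_IP and sport == PORT and dst == PFSENSE_WAN:
            answered = True    # router replied itself (SYN-ACK or RST)
    if not sent:
        return "request never left the pfSense WAN"
    if reflected:
        return "ISP router reflected the request"
    if answered:
        return "ISP router answered itself, no reflection"
    return "no reply: ISP router did not reflect"

# Constructed sample captures (not taken from the thread).
OUT = "IP 192.168.1.10.51514 > 9.9.9.9.443: Flags [S], seq 100, win 65535, length 0"
DROPPED = ["10:00:00.000001 " + OUT, "10:00:01.000001 " + OUT]
REFUSED = ["10:00:00.000001 " + OUT,
           "10:00:00.000700 IP 9.9.9.9.443 > 192.168.1.10.51514: Flags [R.], seq 0, ack 101, win 0, length 0"]
REFLECTED = ["10:00:00.000001 " + OUT,
             "10:00:00.000900 IP 192.168.1.1.40000 > 192.168.1.10.443: Flags [S], seq 100, win 65535, length 0"]

if __name__ == "__main__":
    for name, cap in (("dropped", DROPPED), ("refused", REFUSED), ("reflected", REFLECTED)):
        print(name, "->", classify(cap))
```

A "reflected" result means the ISP router did its part and the remaining problem is on the pfSense side; the other results point upstream, which matches the advice in the thread.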