Nat reflection behind another nat not working



  • Hi, I have pfSense 2.2.4 connected in NAT to my ISP router. Let's say the external IP is 9.9.9.9, the pfSense WAN IP is 192.168.1.10 and the LAN is 192.168.0.1. If I connect from a LAN IP to 192.168.1.10 the NAT reflection works, but if I connect to 9.9.9.9 it doesn't.
    The NAT works from outside, and it used to work from the LAN with the previous firewall (Smoothwall) that I used as well.


  • Banned

    Either stop double-NATing, or fix your DNS.


  • Netgate

    Your ISP router will be the one needing to perform NAT reflection in that case.

    Use split DNS instead.

    Or call them.



  • @Derelict:

    Your ISP router will be the one needing to perform NAT reflection in that case.

    Use split DNS instead.

    Or call them.

    I don't use DNS. Also, it was working before with Smoothwall, so I don't think that the ISP router needs anything changed.


  • Banned

    It won't work. You are talking to your router's IP, pfSense will not rewrite any headers there. If you don't use DNS, then simply stop pointing things to places where they do NOT exist, such as your modem's WAN IP. (Regardless of this, there's nothing good about multi-NAT.)



  • @Brandhor:

    Hi, I have pfSense 2.2.4 connected in NAT to my ISP router. Let's say the external IP is 9.9.9.9, the pfSense WAN IP is 192.168.1.10 and the LAN is 192.168.0.1. If I connect from a LAN IP to 192.168.1.10 the NAT reflection works, but if I connect to 9.9.9.9 it doesn't.
    The NAT works from outside, and it used to work from the LAN with the previous firewall (Smoothwall) that I used as well.

    See no technical reason a double NAT with NAT reflection shouldn't work.

    From your problem description it sounds like all but one of the use cases is working.

    LAN client to LAN target - works
    LAN client to pfSense WAN IP NAT Reflected to LAN target - works
    LAN client to ISP Router WAN IP NAT Reflected - does not work
    Internet client to ISP Router WAN IP NAT to pfSense WAN IP NAT to LAN target - works

    Is that correct? If so, verify the request is actually getting to the ISP router and being responded to.

    Maybe if you were to post the NAT and firewall rules of both routers someone may be able to help spot a configuration issue.

    Oh, also forgot to ask. Are you making the request via a hostname, FQDN, or the actual IP address?



  • @NOYB:

    See no technical reason a double NAT with NAT reflection shouldn't work.

    It should, but OP's pointing the finger at the wrong device. The device with the public IP is where the reflection happens, which is the ISP router in this case.

    @Brandhor:

    also it was working before with smoothwall

    Not if it was also behind the NAT and all else is the same. The reflection happens only on the device that has the public IP.

    Regardless, others noting that double NAT is bad and you should do away with it are right.



  • @NOYB:

    Is that correct? If so, verify the request is actually getting to the ISP router and being responded to.

    Maybe if you were to post the NAT and firewall rules of both routers someone may be able to help spot a configuration issue.

    Oh, also forgot to ask. Are you making the request via a hostname, FQDN, or the actual IP address?

    How can I verify that? Also, I don't have access to the ISP router, and I'm using the IP address only. The only thing I know about the ISP router is that all the ports are forwarded to the pfSense IP.

    Not if it was also behind the NAT and all else is the same. The reflection happens only on the device that has the public IP.

    Yeah, it was exactly the same. The old Smoothwall firewall broke down, so I replaced it with pfSense.



  • Without access to the ISP router you're at a big disadvantage for troubleshooting to solve this.

    Maybe start with a pfSense WAN packet capture to see if the request is going out and coming back reflected by the ISP router.
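An added example (not from the thread or from pfSense itself) of reading a WAN packet capture the way the last reply suggests: it parses tcpdump-style lines taken on the pfSense WAN interface and reports whether the SYN toward the ISP router's public IP came back reflected, was answered with a RST by the router itself, or was silently dropped. The sample lines, port 443 and the outcome labels are constructed assumptions; 9.9.9.9 and 192.168.1.10 are the addresses from the thread.

```python
import re

# tcpdump-style lines as seen on the pfSense WAN interface. Constructed sample,
# not a real capture: 9.9.9.9 is the ISP router's public IP and 192.168.1.10
# the pfSense WAN IP from the thread; port 443 is an assumption.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.50123 > 9.9.9.9.443: Flags [S], seq 1, win 65535, length 0
12:00:02.000002 IP 192.168.1.10.50123 > 9.9.9.9.443: Flags [S], seq 1, win 65535, length 0
12:00:04.000003 IP 192.168.1.10.50123 > 9.9.9.9.443: Flags [S], seq 1, win 65535, length 0
"""

# Matches the TCP summary line tcpdump prints with "-n" (numeric addresses).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return one dict per TCP line; non-matching lines (ARP, UDP, ...) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose_reflection(text, wan_ip, public_ip, port):
    """Classify what the WAN saw for traffic aimed at public_ip:port.

    'no-request'  no SYN toward public_ip:port ever left the WAN
    'reflected'   a SYN-ACK came back from public_ip (ISP router reflects)
    'refused'     public_ip answered with RST (router took the SYN itself)
    'dropped'     SYNs went out and nothing came back
    """
    port = str(port)
    sent = synack = rst = 0
    for p in parse_capture(text):
        outbound = p["src"] == wan_ip and p["dst"] == public_ip and p["dport"] == port
        inbound = p["src"] == public_ip and p["sport"] == port and p["dst"] == wan_ip
        if outbound and p["flags"] == "S":
            sent += 1
        elif inbound and "S" in p["flags"] and "." in p["flags"]:
            synack += 1
        elif inbound and "R" in p["flags"]:
            rst += 1
    if sent == 0:
        return "no-request"
    if synack:
        return "reflected"
    if rst:
        return "refused"
    return "dropped"


if __name__ == "__main__":
    print(diagnose_reflection(SAMPLE_CAPTURE, "192.168.1.10", "9.9.9.9", 443))
```

Feed it the text from the pfSense packet capture page (or `tcpdump -ni <wan-if> host 9.9.9.9`) instead of the constructed sample; a "dropped" or "refused" result means the request reached the WAN and it is the ISP router, not pfSense, that is not reflecting it.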