Slow connection while using NAT reflection



  • I have the following scenario:

    • Database in local network

    • Users access the database externally (through a NAT port forward) and locally (using the database server's local IP)

    To facilitate this setting, I enabled NAT reflection so everyone would be able to access the database using only the external IP.  So far so good, since everything works as expected.

    However, I noticed that access to the database from local computers is slow when they use the external IP, but fast when they use the local IP (since it does not even reach pfSense).  I investigated this issue and discovered that the "NAT + Proxy" reflection mode causes a significant delay in the connection, while "Pure NAT" mode does not present the same issue.

    Could someone tell me why this happens?
    Is there some particularity of "NAT + Proxy" mode?

    Someone could tell me to just keep the "Pure NAT" setting and forget it, but I cannot guarantee that the external IP address is defined when the firewall rules are generated.  So I think "Pure NAT" is not the best option for me, although it is currently operational.  I understand that, in an eventual shortage, the rules can be created before the server gets an IP (obtained via PPPoE), and this can cause me problems.



  • NAT Reflection is not the best option usually.  I find it so much easier to run split DNS and have its FQDN resolve to its LAN IP instead of hairpinning in and out of the router.

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing



  • @KOM:

    NAT Reflection is not the best option usually.  I find it so much easier to run split DNS and have its FQDN resolve to its LAN IP instead of hairpinning in and out of the router.

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing

    @KOM. Thanks for your reply.

    I must agree that a split DNS approach is much more suitable and I'll consider it. The problem is that currently I do not have access to this company's external nameserver, but I will take control of it shortly.

    Anyway, is this performance issue in NAT reflection already known? If so, I really think it should be addressed.


  • LAYER 8 Global Moderator

    What does access to the external name server have to do with anything?  That has nothing to do with resolving local stuff to its local IP by using a LOCAL dns..



  • @johnpoz:

    What does access to the external name server have to do with anything?  That has nothing to do with resolving local stuff to its local IP by using a LOCAL dns..

    Sorry if I was not clear. If I inform my employees that they can access the database using xpto.example.com, this should work inside or outside the office. But I cannot set this configuration without access to the example.com nameservers, right? ;)

    Currently the nameservers of this company are maintained by a third-party company that manages the mail service and does not allow me to freely insert records into it (odd, I know). Since using a free DNS service is not a good option for me, I will need to take control of the DNS service first. But I am already addressing this issue.


  • LAYER 8 Global Moderator

    So does xpto.example.com resolve on the public internet to its public IP?  If so, then just create a local override in your pfSense DNS or whatever DNS you use locally so that xpto.example.com resolves to the private IP.  This does not require any access to the public IP.

    I could point www.google.com to a local IP if I wanted to, I sure don't or never will have access to google.com nameservers ;)



  • @johnpoz:

    So does xpto.example.com resolve on the public internet to its public IP?  If so, then just create a local override in your pfSense DNS or whatever DNS you use locally so that xpto.example.com resolves to the private IP.  This does not require any access to the public IP.

    I could point www.google.com to a local IP if I wanted to, I sure don't or never will have access to google.com nameservers ;)

    @johnpoz. I appreciate your concern, but this topic is something I already have a good understanding of, and I must say you are overlooking my explanation. In my example, the example.com nameservers only have MX records (no A or AAAA records at all), so xpto.example.com does not exist in the public DNS records. Although you are able to create xpto.google.com in your local network, you surely can't create xpto.google.com in the public domain without access to the google.com nameservers.

    I hope you understand this time. Anyway, this is really not my concern.
    I am already wondering if the performance issue of "NAT + Proxy" is a known issue.


  • LAYER 8 Global Moderator

    Yes, NAT reflection is a HACK and should be avoided at all costs, to be honest.. Why it's even supported in pfSense is a ? if you ask me.

    Yes, it's going to be slower than just going to the local address.  For one, you're hairpinning and going through the firewall/router when most likely the IP you're actually wanting to get to is on the same segment as you.  And even if it is on another segment, there is no reason to push the traffic through the firewall and NAT, just to get pushed back.

    So you're saying xpto.example is an MX record.. So create an MX record in your local DNS that points to the private IP where this mail server sits.  BTW, normally your MX would point to an A record at some point, even if in a different domain.  You normally don't use an IP for MX records..  But let's say your MX does..

    That is the first example; the 2nd example is pointing to an actual A record in the xpto.example.com domain.  But it could be anything really, and you just resolve that anything to what that anything's local IP is..

    BTW, the query times are high because I am connected to my home network via a VPN that has to bounce off a proxy in hou, just to come back to the Chicago area, etc.  Just in case you notice the 118ms response time ;)


  • @johnpoz:

    Yes, NAT reflection is a HACK and should be avoided at all costs, to be honest.. Why it's even supported in pfSense is a ? if you ask me.

    Yes, it's going to be slower than just going to the local address.  For one, you're hairpinning and going through the firewall/router when most likely the IP you're actually wanting to get to is on the same segment as you.  And even if it is on another segment, there is no reason to push the traffic through the firewall and NAT, just to get pushed back.

    So you're saying xpto.example is an MX record.. So create an MX record in your local DNS that points to the private IP where this mail server sits.  BTW, normally your MX would point to an A record at some point, even if in a different domain.  You normally don't use an IP for MX records..  But let's say your MX does..

    That is the first example; the 2nd example is pointing to an actual A record in the xpto.example.com domain.  But it could be anything really, and you just resolve that anything to what that anything's local IP is..

    BTW, the query times are high because I am connected to my home network via a VPN that has to bounce off a proxy in hou, just to come back to the Chicago area, etc.  Just in case you notice the 118ms response time ;)

    @johnpoz. HEYY!! Are you listening to me? Again, I really appreciate your concern, but don't try to solve a problem I don't have. Please.
    You are trying to guess my configuration and suggesting dumb configuration hacks. C'mon. You really don't need to.

    Returning to the "NAT + Proxy" issue. I understand that there should be a performance issue related to it because the connection is passing through pfSense when it does not really have to. But I cannot understand why it does not affect the "Pure NAT" option.



  • NAT + Proxy uses a helper app, whereas Pure NAT uses rules alone.  Excerpted from the pfSense book available to Gold members:

    Enable (NAT + Proxy) The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. This mode does not work reliably with UDP, only with TCP. Because this is a proxy, the source address of the traffic, as seen by the server, is the firewall's IP address closest to the server.

    Enable (Pure NAT) The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. All protocols available for port forwards are supported. If you choose this option, and your servers are on the same subnet as your clients, you will also need to check Enable automatic outbound NAT for Reflection a few options down the page from here.

    There is also an option for Reflection Timeout that is only used in Enable (NAT + Proxy) mode. This option controls how long the NAT proxy daemon will wait before closing a connection.


  • Banned

    Here's an idea repeated about 378,264 times: stop using the goddamn NAT reflection clusterfuck. No one cares how slow it is. It certainly still is faster than you wasting days and weeks or months with such nonsense instead of setting up things properly. If it's slow for you, then get faster and fix your configuration to point things to where they exist and listen.



  • @doktornotor:

    Here's an idea repeated about 378,264 times: stop using the goddamn NAT reflection clusterfuck. No one cares how slow it is. It certainly still is faster than you wasting days and weeks or months with such nonsense instead of setting up things properly. If it's slow for you, then get faster and fix your configuration to point things to where they exist and listen.

    @doktornotor. I understand your position. But I am also a developer. I am not satisfied with things that "just work" or "just don't work". I am here trying to understand why it is slow and whether people who have used it for a long time or the developers are aware of it. But I still don't have an answer.

    People are trying to solve my problem, or show information that is clearly described in the documentation, telling me how idiotic and stupid I am because I am trying to understand the inner workings of a feature that nobody likes or recommends using. I appreciate all replies, but this is not what I am looking for. IMO, it is up to each sysadmin to decide what is the best configuration for their network. If someone wants to use NAT reflection for whatever reason, I think we should ship a good solution that works the best it can.

    My current experience is showing that the "NAT + Proxy" option is suffering from a very unusual overhead in comparison to the "Pure NAT" option. I understand the differences between these options, and I know that a performance difference should be expected between them since one works in a lower layer than the other. But I still think the overhead I am experiencing is too significant to be caused only by the service characteristics. I was able to reproduce this slowness on an idle server running simple queries against a database. My guess is that there is something wrong with the Proxy service of NAT reflection.

    For example, if you tell me that "the Proxy service of NAT reflection is badly coded, nobody has maintained it for years, and everybody hates both the programmer and the proxy", maybe I try to put my hands on it and code a faster one.

    Or if you tell me "the Proxy service of NAT reflection suffers from a high overhead because it works in a high network/application layer, we already optimized it to the best we were able to, but there is really nothing much to do, there's no free lunch, really", maybe I stay quiet and satisfied with the answer.
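An added, runnable illustration of two things in this thread, not code from pfSense and not the real NAT + Proxy helper: the book excerpt's point that the helper program sits in the data path and that "the source address of the traffic, as seen by the server, is the firewall's IP address", and the reproduction described in the last post (simple queries against an idle server). All names here are constructed for the example: `EchoBackend` stands in for the database server and records the peer address of every connection it accepts, `UserSpaceRelay` is a minimal user-space TCP relay modelling the helper, and `time_query`/`compare_paths` run the same request/response loop once on the direct path and once through the relay. Everything runs on loopback, so the absolute timings say nothing about a real firewall; what the example shows reliably is where the extra work happens and what the server records as the client.

```python
import socket
import statistics
import threading
import time

def _listen():
    """Constructed helper: a loopback listener on an OS-chosen free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(16)
    return s

# EchoBackend plays the database server: it echoes input and records each
# connection's peer address, i.e. "the source address of the traffic, as seen
# by the server" in the book excerpt's words. Constructed lab code, not pfSense.
class EchoBackend:
    def __init__(self):
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        self.seen_peers = []                       # (ip, port) per accepted connection
        threading.Thread(target=self._serve, daemon=True).start()
    def _serve(self):
        while True:
            conn, peer = self.sock.accept()
            self.seen_peers.append(peer)
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()
    @staticmethod
    def _echo(conn):
        with conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data)

# UserSpaceRelay stands in for the NAT + Proxy helper: it accepts the client,
# opens its *own* TCP connection to the backend and copies bytes between the two
# in user space. Hence extra kernel/user crossings on every request, and the
# backend sees the relay's socket as the source, so host-based database access
# rules and connection logs on the server see the firewall, not the workstation.
class UserSpaceRelay:
    def __init__(self, backend_port):
        self.backend_port = backend_port
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        self.upstream_addrs = []                   # relay-side source address per session
        threading.Thread(target=self._serve, daemon=True).start()
    def _serve(self):
        while True:
            client, _ = self.sock.accept()
            upstream = socket.create_connection(("127.0.0.1", self.backend_port))
            self.upstream_addrs.append(upstream.getsockname())
            threading.Thread(target=self._session, args=(client, upstream), daemon=True).start()
    def _session(self, client, upstream):
        t = threading.Thread(target=self._pump, args=(client, upstream), daemon=True)
        t.start()
        self._pump(upstream, client)               # backend -> client in this thread
        t.join()
        client.close()
        upstream.close()
    @staticmethod
    def _pump(src, dst):
        """Copy src -> dst until EOF, then pass the half-close on to dst."""
        try:
            for data in iter(lambda: src.recv(4096), b""):
                dst.sendall(data)
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def time_query(port, rounds=20, payload=b"SELECT 1;\n"):
    """One TCP connection to 127.0.0.1:port, then `rounds` request/response round trips."""
    t0 = time.perf_counter()
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    connect_s = time.perf_counter() - t0
    rtts = []
    with s:
        client_addr = s.getsockname()              # what the server *should* see as the source
        for _ in range(rounds):
            t1 = time.perf_counter()
            s.sendall(payload)
            buf = b""
            while len(buf) < len(payload):
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection mid-query")
                buf += chunk
            rtts.append(time.perf_counter() - t1)
    return {"client_addr": client_addr, "connect_s": connect_s,
            "median_rtt_s": statistics.median(rtts)}

def compare_paths(rounds=20):
    """Same query loop direct and via the relay, plus the sources the backend recorded."""
    backend = EchoBackend()
    relay = UserSpaceRelay(backend.port)
    direct = time_query(backend.port, rounds)
    proxied = time_query(relay.port, rounds)
    return {"direct": direct, "proxied": proxied,
            "backend_saw": list(backend.seen_peers),   # [direct client, relay upstream]
            "relay_upstream": list(relay.upstream_addrs)}

if __name__ == "__main__":
    print(compare_paths())
```

`compare_paths()` returns, besides the connect time and median per-query round trip on each path, what the backend recorded as the peer of each connection: on the direct path it is the client's own socket, through the relay it is the relay's upstream socket. That is the caveat of NAT + Proxy beyond latency: the database's host-based access rules and its connection log attribute every reflected session to the firewall address instead of the real workstation. The split DNS setup suggested earlier in the thread avoids both the extra hop and the lost client identity, because the client connects to the server's private IP directly.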

