OPNsense Forum » Archive » 18.1 Legacy Series
Author Topic: Problem with nat 1:1 reflection  (Read 3803 times)

sirio81 (Newbie, Posts: 44, Karma: 5)
Problem with nat 1:1 reflection
« on: May 05, 2018, 03:05:32 pm »
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

I set the NAT reflection advanced options.

I set a firewall rule on the WAN interface.

The servers are reachable from the internet but not from my internal LAN networks.
NAT reflection is working with other forwarded ports.
I'm probably missing a firewall rule.

Any suggestion?

guest15389 (Guest)
Re: Problem with nat 1:1 reflection
« Reply #1 on: May 05, 2018, 03:09:25 pm »
I just set an override in Unbound DNS to the internal IP and don't worry about going out and back in.

sirio81
Re: Problem with nat 1:1 reflection
« Reply #2 on: May 05, 2018, 07:16:40 pm »
Unfortunately this is an option I can't take.

guest15389
Re: Problem with nat 1:1 reflection
« Reply #3 on: May 05, 2018, 10:02:48 pm »
What do your rules look like? If you can share the

You can always configure Unbound to forward to a different DNS server if that's easier, rather than having it resolve as well.

sirio81
Re: Problem with nat 1:1 reflection
« Reply #4 on: May 07, 2018, 10:00:53 am »
I forgot to mention I'm using multi-WAN, if that matters.
By the way, I'm not looking for a workaround but for the way to make NAT reflection work.

guest15389
Re: Problem with nat 1:1 reflection
« Reply #5 on: May 07, 2018, 12:45:43 pm »
Can you share the firewall rules and the logs when you are trying to ping or connect to it?

I wasn't offering it as a workaround but as a simpler setup. I don't reflect because it's added complexity: why would I want to direct traffic to my firewall and back to an internal host? In my use case I could reflect, but it's unneeded complexity, so I just DNS-override to the internal IP for that. For me, it's easier and less complex.

sirio81
Re: Problem with nat 1:1 reflection
« Reply #6 on: May 08, 2018, 12:46:26 pm »
Hi Animosity022, I do agree that a DNS override is a better solution, but consider two more webservers, hosting 100 domains.
All these domains and all their records would have to be overridden to be able to reach them from the internal network.
That's why I'm opting for NAT reflection.
If it were a matter of a few DNS records, I wouldn't use NAT reflection.
I'm aware that this way the traffic goes through the firewall, but there won't be many requests in my case.

Anyway, I made it work!
I have two LAN networks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has IP 192.168.2.254 and the virtual IP 192.168.3.250.
They are the gateways for the respective networks.
I added two rules on the LAN interface:

from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass

traceroute www.domain.com
traceroute to www.domain.com (1.2.3.4), 30 hops max, 60 byte packets
 1  webserver-jessie.domain.com (1.2.3.4)  0.425 ms  0.457 ms  0.479 ms
 2  webserver-jessie.domain.com (1.2.3.4)  1.689 ms  1.682 ms  1.697 ms

Note: I was in doubt whether it was necessary to disable the option "Block private networks" on the WAN interface, but it isn't.