Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
Problem with nat 1:1 reflection
« previous
next »
Print
Pages: [
1
]
Author
Topic: Problem with nat 1:1 reflection (Read 1630 times)
sirio81
Newbie
Posts: 44
Karma: 5
Problem with nat 1:1 reflection
«
on:
May 05, 2018, 03:05:32 pm »
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:
(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)
I set nat reflection advanced options
I set a firewall rule on wan interface
The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing firewall rule,
Any suggestion?
Logged
Animosity022
Full Member
Posts: 245
Karma: 17
Re: Problem with nat 1:1 reflection
«
Reply #1 on:
May 05, 2018, 03:09:25 pm »
I just set an override in Unbound DNS to the internal IP and don't worry about going out and back in.
Logged
sirio81
Newbie
Posts: 44
Karma: 5
Re: Problem with nat 1:1 reflection
«
Reply #2 on:
May 05, 2018, 07:16:40 pm »
Unfortunately this is an option I can't take.
Logged
Animosity022
Full Member
Posts: 245
Karma: 17
Re: Problem with nat 1:1 reflection
«
Reply #3 on:
May 05, 2018, 10:02:48 pm »
What's your rules look like? If you can share the
You can always configure Unbound to forward to a different DNS server if that's easier rather than having it resolve as well.
Logged
sirio81
Newbie
Posts: 44
Karma: 5
Re: Problem with nat 1:1 reflection
«
Reply #4 on:
May 07, 2018, 10:00:53 am »
I forgot to mention I'm using multi wan it that matters.
By the way, I'm not looking for work around but to find the way to make nat reflection works.
Logged
Animosity022
Full Member
Posts: 245
Karma: 17
Re: Problem with nat 1:1 reflection
«
Reply #5 on:
May 07, 2018, 12:45:43 pm »
Can you share the firewall rules and the logs when you are trying to ping or connect to it?
I wasn't offering it as a work around but a simpler setup. I don't reflect because it's added complexity as to why would I want to direct to my firewall and back to an internal host. In my use case, I could reflect, but it's unneeded complexity so I just DNS override to the internal IP for that. For me, it's easier and less complex.
«
Last Edit: May 07, 2018, 12:48:21 pm by Animosity022
»
Logged
sirio81
Newbie
Posts: 44
Karma: 5
Re: Problem with nat 1:1 reflection
«
Reply #6 on:
May 08, 2018, 12:46:26 pm »
Hi Animosity022, I do agree that dns override is a better solution but consider to more webserver, hosthing 100 domains.
All these domains and all their record shall be overridden to be able to reach them from the internal netwrok.
That's why I'm opting for nat reflection.
If it was matter of few dns records, I wasn't going to use nat reflection.
I'm aware that this way the traffic goes through the firewall but there will be not many requests in my case.
Anyway, I made it work!
I have to lan netwroks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has ip 192.168.2.254 and the virtual ip 192.168.3.250.
They are the gw for the relative netwroks.
I added two rules on LAN interface:
from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass
traceroute
www.domain.com
traceroute to
www.domain.com
(1.2.3.4), 30 hops max, 60 byte packets
1 webserver-jessie.domain.com (1.2.3.4) 0.425 ms 0.457 ms 0.479 ms
2 webserver-jessie.domain.com (1.2.3.4) 1.689 ms 1.682 ms 1.697 ms
Note: I was in doubt if it was necessary to disable the option "Block private networks" on the WAN interface but it isn't.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
Problem with nat 1:1 reflection
