OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: BeanAnimal on April 15, 2020, 07:31:42 pm

Title: NAT Reflection not working
Post by: BeanAnimal on April 15, 2020, 07:31:42 pm
I have seen this same issue (never resolved) come up for the better part of 2 years over multiple live versions.

Can somebody in the know, please answer?

Simple setup
All NAT reflection options enabled
Port Forwarding for internal service set.

External --> Internal = working
Tested on several ports and internal hosts

Internal --> Reflection --> Internal = NOT WORKING

Nothing logged (I assume this is expected)
This IS NOT a DNS issue.
DNS resolves properly to external IP

Traffic via FQDN or IP results in "site cannot be reached".
I can ping the external IP from internal though...

This worked with the exact same settings in pfsense.

After reading 20 threads just like this ... something appears to be broken.

Please don't offer split DNS as a resolution. NAT reflection should be working.
Title: Re: NAT Reflection not working
Post by: stefanpf on April 15, 2020, 09:58:41 pm
I just did a quick test:
- portforwarding TCP 80 to internal Webserver
- enable only "Reflection for port forwards"
- create an A-record in Unbound with my external WAN IP
Works as expected.
Title: Re: NAT Reflection not working
Post by: BeanAnimal on April 16, 2020, 12:47:31 am
> I just did a quick test:
> - portforwarding TCP 80 to internal Webserver
> - enable only "Reflection for port forwards"
> - create an A-record in Unbound with my external WAN IP
> Works as expected.

Not sure if you are trying to help, or just be snarky... sure appears to be the latter. Either way responses like that are insanely frustrating.

As I mentioned - this is not working for me and I have found numerous threads with reports of the same issue... none of which appear to have been resolved.

As I mentioned - this EXACT configuration was working in pfsense (days ago). Same config settings, same network, just changed router from pfsense to opnsense.

Not Mentioned - this same network configuration was working with SOPHOS UTM (weeks ago) - with manually defined NAT and DNAT rules (Sophos does not have auto "hairpin" or "reflection").

My setup is rather simple with only a very small number of rules.

3 External IPs
1 LAN
2 VLANs - one of them idle, the other set up as an OpenVPN gateway

Port forwarding for the primary IP works and port forwarding to the (2) virtual IPs works.
Outbound nat for LAN --> WAN
Outbound nat for VLAN -->OpenVPN

No floating rules
Outbound Rules
1 Rule per VLAN (ANY outbound) to allow traffic (1 to WAN, 1 to OpenVLAN)
1 Rule (default) for LAN outbound (ANY)
5 Port forwarding rules: 3 for the primary IP and 1 per secondary IP (all working from external networks).

NAT reflection is NOT working at all.
Title: Re: NAT Reflection not working
Post by: mimugmail on April 16, 2020, 04:05:25 pm
Reflection only works internal to internal if the network is also assigned directly. Can you check the docs? I added a note there.
Title: Re: NAT Reflection not working
Post by: BeanAnimal on April 16, 2020, 04:37:36 pm
Thank you for the response!
Unless I am missing something - I am trying to reflect internal to internal:

Internal Primary Lan
192.168.1.0/24


Wan Interface (Static IP)
1.2.3.4

Internal Host A 192.168.1.100
Internal Host B 192.168.1.200

Port Forward Rule
1.2.3.4:5001 --> 192.168.1.200:5001  (working from public internet)

Internal Traffic
192.168.1.100:5001 --> 192.168.1.200:5001 working on internal network

192.168.1.100:5001 --> 1.2.3.4:5001 is not working

What would be my next steps for troubleshooting?



Title: Re: NAT Reflection not working
Post by: mimugmail on April 16, 2020, 06:24:31 pm
Screenshot of Port Forward please
Title: Re: NAT Reflection not working
Post by: terraping on August 12, 2020, 12:48:16 am
I am having the same issue, NAT reflection not working. I ended up making an override entry in Unbound for my internal webserver, but it only works if the client machine uses my internal DNS server, which is handed out via DHCP. For anyone who sets DNS manually, the website resolves to my external IP and doesn't NAT to the internal IP of the webserver.

Seems to me this should be as simple as enabling "NAT reflection" in the port forward rule. Is this a bug or are we missing something? Using version 20.7.
Title: Re: NAT Reflection not working
Post by: mimugmail on August 12, 2020, 10:05:54 pm
> I am having the same issue, NAT reflection not working. I ended up making an override entry in Unbound for my internal webserver, but it only works if the client machine uses my internal DNS server, which is handed out via DHCP. For anyone who sets DNS manually, the website resolves to my external IP and doesn't NAT to the internal IP of the webserver.
>
> Seems to me this should be as simple as enabling "NAT reflection" in the port forward rule. Is this a bug or are we missing something? Using version 20.7.

Please open a thread with details and screenshots and don't reply to many other threads ;)
Title: Re: NAT Reflection not working
Post by: terraping on August 13, 2020, 05:48:09 pm
Why? This is the same exact issue as @BeanAnimal and others, it's usually good forum etiquette to search for related topics instead of everyone creating a separate thread for the same problem...?

I just resolved it though, I don't know if this is the "proper" way, but go to Firewall -> Settings -> Advanced
and check "Reflection for port forwards", and for good measure "Reflection for 1:1", and "Automatic outbound NAT for Reflection".

Hopefully this helps someone else, and I hope I haven't just created some nasty loops but so far so good.
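As an added illustration (not code from this thread, from OPNsense, or from its documentation), the following script shows what the three advanced settings terraping lists come down to at the packet-filter level for the topology BeanAnimal described (LAN 192.168.1.0/24, WAN 1.2.3.4, server 192.168.1.200, port 5001). The interface name `lan` and the exact rule wording are assumptions; the rules are hand-written pf equivalents of what "Reflection for port forwards" and "Automatic outbound NAT for Reflection" produce, not the firewall's verbatim output. The `live` mode runs `pfctl` on the firewall itself to check whether such rules and states exist, which is the next troubleshooting step the thread asks for.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense.
# Values taken from BeanAnimal's post; LAN_IF is an assumed interface name.
WAN_IP=1.2.3.4
LAN_IF=lan
LAN_NET=192.168.1.0/24
SRV=192.168.1.200
PORT=5001

# Emit the two pf rules a working hairpin needs on the LAN side (hand-written
# equivalents of what OPNsense's reflection options generate, not verbatim):
#  1. rdr: a LAN client connecting to WAN_IP:PORT is redirected to the server.
#  2. nat: the redirected flow is source-translated to the firewall's LAN
#     address, so the server's replies come back through the firewall. Without
#     this the server answers the client directly from 192.168.1.200, the client
#     is waiting for 1.2.3.4, and the connection is reset: "site cannot be reached".
reflection_rules() {
    printf 'rdr on %s inet proto tcp from %s to %s port %s -> %s port %s\n' \
        "$LAN_IF" "$LAN_NET" "$WAN_IP" "$PORT" "$SRV" "$PORT"
    printf 'nat on %s inet proto tcp from %s to %s port %s -> (%s)\n' \
        "$LAN_IF" "$LAN_NET" "$SRV" "$PORT" "$LAN_IF"
}

# Troubleshooting on the firewall (root shell on OPNsense; does nothing useful
# elsewhere). Shows whether NAT rules for the public IP or server were loaded
# at all, and whether a client attempt produced any state on the port.
check_live() {
    echo "== loaded rdr/nat rules mentioning $WAN_IP or $SRV =="
    pfctl -sn | grep -E "$WAN_IP|$SRV" || echo "no matching NAT rules loaded"
    echo "== current states on port $PORT =="
    pfctl -ss | grep ":$PORT" || echo "no states on port $PORT"
}

case "${1:-}" in
    live) check_live ;;
    *) reflection_rules ;;
esac
```

Two caveats worth keeping in mind. The rdr rule is bound to the interface the client network is on, which is what mimugmail's remark about the network having to be "assigned directly" means: clients on a network that is merely routed behind another router on the LAN never hit a reflection rule. And because of the nat rule, the server sees every hairpinned connection as coming from the firewall's LAN address rather than the real client, so server-side access logs and any per-client rate limiting lose the client identity for internal users.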
Title: Re: NAT Reflection not working
Post by: mimugmail on August 13, 2020, 07:51:11 pm
> Why? This is the same exact issue as @BeanAnimal and others, it's usually good forum etiquette to search for related topics instead of everyone creating a separate thread for the same problem...?
>
> I just resolved it though, I don't know if this is the "proper" way, but go to Firewall -> Settings -> Advanced
> and check "Reflection for port forwards", and for good measure "Reflection for 1:1", and "Automatic outbound NAT for Reflection".
>
> Hopefully this helps someone else, and I hope I haven't just created some nasty loops but so far so good.

This is how to do it, yes, isn't it documented this way?
Title: Re: NAT Reflection not working
Post by: terraping on August 24, 2020, 11:50:57 pm
It's just kind of confusing since there's an option for it (NAT Reflection) that doesn't work, when you set up a port forward.
Title: Re: NAT Reflection not working
Post by: dcol on December 18, 2020, 11:36:15 pm
I also have a NAT reflection issue and I do have those Firewall advanced settings. But my issue is very confusing to me and if someone could point me in the right direction I would appreciate it.

I have two web servers using different WAN IPs, both on the same internal subnet. Both servers serve websites fine externally but only one of them allows local access. I have set the Outbound NAT for each since they use different NAT addresses. All the rules are matched for both as far as settings, ports, etc. There are no Outbound DNS overrides. I also tried Unbound DNS overrides with no success. Also tried the local hosts file. It has to be something in the firewall.

I can ping the webserver locally and get the correct results with nslookup. IIS is also setup identically on both servers. I do not have Windows firewalls enabled.

I can get to both servers webpages from each other. I want to get to both from another local subnet. That is where only one works.

What have I missed?