Hello,
We have a port forward rule that allows connections into a web and mail server. It works perfectly from outside.
We turned on reflection for this rule so that anyone inside the LAN going to the web server or mail server on this host would be able to use the FQDN to reach it as if they were outside.
However, this does not work, and trying to connect to the web or mail server from inside just times out with a "site can't be reached" message.
The rules look fine, and it does work from outside, but there is no internal reflection.
Any help appreciated, as this is the first use case we have tried and we have many more to configure, so we really need to get this to work.
Cheers
Spart
If you are using Unbound, then use the Unbound DNS: Overrides. Some users appear to have issues with NAT reflection, some don't. I don't use it because I use the overrides and always have done.
Remember to flush the DNS cache on your test PC after setting the override!
Another advantage of IPv6: the address is the same whether inside or outside the LAN!
So basically it doesn't work! I am using dnsmasq.
Do I have to put internal host entries into the DNS server to point at my internal servers using FQDNs?
Cheers
Spart
It does work, but some users have issues. As I don't use it, I cannot advise. However, I do know that host override does work.
Host is the name, i.e. www; domain is obvious, i.e. google.co.uk; address, whatever, i.e. 192.168.33.23; description, Web Server. Save and apply.
Yes, we are very familiar with using hardcoded names in the hosts file. Not having to do that manually for all port forwards would have been a significant time- and complexity-saving feature.
It also seems we now have to flush the caches of any user machine that has recently tried to connect to the URL of that server, as they will have gotten the public IP of the service and not the internal IP from the hardcoded host overrides.
So the aim of the alias goes out of the window, as we now have to hard-code the servers anyway! I did a scan, and the forums on here are full of people who cannot get it to work, with no solutions or root cause identified.
Thank you anyway; this is what we were trying to avoid!
Cheers
Spart
I am using NAT reflection and it is working fine.
Could it be that you haven't added the rules to ALLOW the packet flow that the NAT reflection is creating? If I remember correctly, NAT reflection only sets up the reflection part, but does not open the ports for you in the firewall.
@KoS
Thanks for the reply.
A bit confused though, as the ports are defined for the port forwards and FW rule. Example:
Forward PUBLIC IP ports 465, 587, 993 to INTERNAL IP on ports 465, 587, 993. This works perfectly for out-to-in comms. When reflection is set, this creates a rule in the FW to allow traffic to the internal server.
FW Rule
IPv4 TCP * * zimbra zimbra_ports * * Allow connections to zimbra server
PF Rule that created the above is:
WAN TCP * * PUBLICIP zimbra_ports zimbra zimbra_ports Allow connections to zimbra server
What are we missing? Is there an example you can show? This would avoid having to manually hard-code all mappings in the dnsmasq overrides.
Cheers
Spart
NAT reflection only creates the reflection rules, but does not open the ports from your internal interface(s) to the selected target.
You will need to add the rules on your internal interfaces too, to allow the traffic on ports 465, 587, 993. At least that is how I have it. So on Firewall -> Rules -> your INTERNAL interfaces, add a rule like:
IPv4+6 TCP * * This Firewall 465 * *
greets
KoS
Quote from: KoS on June 14, 2020, 06:44:03 PM
NAT reflection only creates the reflection rules, but does not open the ports from your internal interface(s) to the selected target.
You will need to add the rules on your internal interfaces too, to allow the traffic on ports 465, 587, 993. At least that is how I have it. So on Firewall -> Rules -> your INTERNAL interfaces, add a rule like:
IPv4+6 TCP * * This Firewall 465 * *
greets
KoS
The ports must be open, or there would be no access from outside. Is 'This Firewall' the LAN or WAN address?
The default LAN IN rule lets me get OUT to anywhere from inside.
Are you saying I need a LAN OUT rule pointing at these ports?
I have an error message that keeps repeating and makes no sense to me, but seems somehow related to this issue.
As written, you need to add the rule on your internal interface(s), e.g. LAN, to allow the incoming packets that you currently allow via port forwarding from the outside. At least that is what worked for me.
The error message in your screenshot doesn't tell me anything, sorry :-(
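The thread turns on two different inside-to-inside paths: a LAN client that resolves the FQDN to the public IP depends on NAT reflection plus a rule on the internal interface, while a client that resolves it to the internal IP depends on a DNS host override (and on its own cache being flushed). The script below, run from a LAN client, tells you which path the client is actually on and which forwarded ports time out on it. It is an added example written for this page, not code from the thread or from the firewall product; the name mail.example.com and the address 203.0.113.10 are assumptions, while 192.168.33.23 and ports 465, 587, 993 come from the posts above.

```python
"""Diagnose from a LAN client whether an FQDN is being reached via NAT
reflection (public IP) or a DNS override (internal IP), and which of the
forwarded ports time out on that path. Added example; see lead-in."""
import ipaddress
import json
import socket
from typing import Callable, Dict, List

# Constructed sample values. The FQDN is an assumption; the ports are the
# zimbra_ports alias (465, 587, 993) from the thread.
FQDN = "mail.example.com"
FORWARDED_PORTS = [465, 587, 993]

# Addresses that can only be on the LAN side: RFC 1918, IPv4 link-local and
# loopback, IPv6 ULA, link-local and loopback. An explicit list is used
# rather than ipaddress's is_private, which also flags reserved ranges that
# are not LAN addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]


def classify_address(ip: str) -> str:
    """'internal' if the address lives on the LAN side, else 'public'."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 scope id
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "public"


def resolve_all(fqdn: str) -> List[str]:
    """Every A/AAAA address the client's own resolver (and cache) returns."""
    try:
        infos = socket.getaddrinfo(fqdn, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> str:
    """One TCP handshake: 'open', 'timeout' (no reply at all, the symptom
    reported above) or 'refused' (RST: host reachable, nothing listening)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "refused"


def advice(path: str, per_addr: Dict) -> str:
    """Map the observed path and port states to the fix discussed in the thread."""
    states = {s for v in per_addr.values() for s in v["ports"].values()}
    if path == "unresolved":
        return "Name does not resolve on this client; check which resolver it uses."
    if states == {"open"}:
        return f"All forwarded ports reachable via {path}; nothing to fix."
    if path == "nat-reflection" and "timeout" in states:
        return ("Client resolves the public IP, so the connection relies on NAT "
                "reflection and is timing out: check the rules on the internal "
                "interface allow these ports, or add a host override for the "
                "internal address and flush the client's DNS cache.")
    if path == "dns-override" and "timeout" in states:
        return ("Client already resolves the internal IP, so DNS is not the "
                "problem; the timeout is between the LAN and the server itself.")
    if "refused" in states:
        return "Host reachable but nothing listening on some ports; check the service."
    return "Mixed public and internal answers; clients may take either path."


def diagnose(fqdn: str, ports: List[int],
             resolver: Callable[[str], List[str]] = resolve_all,
             connector: Callable[[str, int], str] = tcp_connect) -> Dict:
    """Resolve, classify each answer, probe each port, and summarise."""
    addrs = resolver(fqdn)
    per_addr = {ip: {"kind": classify_address(ip),
                     "ports": {p: connector(ip, p) for p in ports}}
                for ip in addrs}
    kinds = {v["kind"] for v in per_addr.values()}
    if not addrs:
        path = "unresolved"
    elif kinds == {"internal"}:
        path = "dns-override"
    elif kinds == {"public"}:
        path = "nat-reflection"
    else:
        path = "mixed"
    failing = sorted({p for v in per_addr.values()
                      for p, s in v["ports"].items() if s != "open"})
    return {"fqdn": fqdn, "path": path, "addresses": per_addr,
            "failing_ports": failing, "advice": advice(path, per_addr)}


if __name__ == "__main__":
    # Real run from a LAN client: uses the client's resolver and live TCP probes.
    print(json.dumps(diagnose(FQDN, FORWARDED_PORTS), indent=2))
```

Run it once before and once after adding a host override (and flushing the client cache) to see the path change from nat-reflection to dns-override; if the ports still time out on the dns-override path, the problem is not NAT reflection at all but the LAN-to-server rules or the server's own firewall. The resolver and connector are injectable so the decision logic can be exercised offline with constructed answers.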