Hi,
I have a 1:1 NAT setup for a server located on inside network, I also have a somewhat exotic requirement in that this very machine runs several processes that need to connect to it's public IP address. (This is a P2P network node that runs several processes).
I have enabled NAT reflection and it seems to make entries in pfctl -sn table:
rdr on cxl1_vlan80 inet from any to $PUB_IP -> $LOCAL_IP bitmask
Still, I am not able to open a simple SSH connection to my own public IP.
What could be wrong?
Thanks
			
			
			
				If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.
I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.
			
			
			
				Quote from: sesquipedality on June 30, 2020, 10:08:17 AM
If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.
Unfortunately I cannot rely on DNS, the connection is done via IP bypassing normal DNS resolution.
Quote from: sesquipedality on June 30, 2020, 10:08:17 AM
I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.
That is what I am afraid of..  This is very essential for me.
			
 
			
			
				Just as an info for anyone who might run into similar issue:
It is technically impossible to reflect / redirect to a host on same interface that host is connected to, see man pf.conf:
QuoteRedirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.
Too bad. In my specific case I have no other option but to connect my host directly to internet, bypassing the firewalls.
			
				Hi, 
did you try these options?