OPNsense Forum

English Forums => General Discussion => Topic started by: nashmeira on April 02, 2019, 11:31:15 pm

Title: NAT Reflection for Web Servers
Post by: nashmeira on April 02, 2019, 11:31:15 pm
I have a few web servers on a DMZ that I have set up with OPNsense. Everything works fine from outside the LAN-1; however, internally we are not able to access these servers. I am using Port Forwarding, not 1-to-1.

Looking around online it seems a simple enough task to turn on NAT reflection: FIREWALL > SETTINGS > ADVANCED > Network Address Translation enabling the following settings.

ENABLED - Reflection for port forwards
ENABLED - Reflection for 1:1 (Even though I'm not using 1:1)
ENABLED - Automatic outbound NAT for Reflection

Each of the sites has a Static IP with ports 80, 443 forwarded to the internal server's IP on the DMZ-1.

NAT Forward Rules look like this:
^Source
IF: WAN1
PROTO: TCP
ADDRESS: *
PORTS: *

^Destination
ADDRESS: PUBLIC-WAN IP: 99.88.77.66
PORTS: 80,443 (Created as an Alias)

^NAT
IP: INTERNAL SERVER IP: 192.168.10.10 (Created as an Alias)
PORTS: 80,443 (Created as an Alias)

All other settings are default. NAT reflection uses System Default, Filter rule association uses Rule NAT: Site-1 (The info from the rules description).

Even though I have NAT reflection enabled, nothing seems to help if I'm on the internal LAN-1 network. I tried enabling NAT reflection in the individual rule, but still nothing. So, I'm kinda stumped. I can see everything from outside but nothing from inside.

One thing I have had happen is that if I try to go to one of the sites using the URL (from LAN-1), the port 8443 is added to the end, which then loads the logon page for OPNsense. So, I am wondering if there is a firewall rule I need to edit?

My setup also uses two different internet sources. So, there is a multi-gateway setup for failover. But this does not seem to affect the external-to-internal DMZ-1 traffic, nor can I reach the OPNsense interface from outside when testing.

I'm really liking OPNsense and I know it's just lack of knowledge that is the issue. I have tried referencing some pfSense articles, but even still I've had no luck figuring this one out.
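A small diagnostic for the symptom described in this post (added here as an example; it is not the poster's code and not part of OPNsense). Run it from a LAN-1 host: it connects to the public IP on port 80 and reports whether the reply came from the DMZ web server or is a redirect to the firewall's own GUI port, which is what the "8443 gets appended" behaviour looks like on the wire. The public IP and the 8443 GUI port are taken from the post; the sample responses in the tests are constructed.

```python
import socket
from urllib.parse import urlsplit

# Values from the thread (assumed for this example)
PUBLIC_IP = "99.88.77.66"
GUI_PORT = 8443          # port the OPNsense GUI answered on


def classify(raw: bytes) -> str:
    """Classify an HTTP reply read from PUBLIC_IP:80.

    'opnsense-gui' : a redirect whose Location points at the GUI port, i.e.
                     the LAN client reached the firewall itself, not the rdr rule
    'webserver'    : any other HTTP reply, i.e. reflection delivered us to the DMZ host
    'unknown'      : no parsable HTTP status line
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = headers.get("location", "")
    if location and urlsplit(location).port == GUI_PORT:
        return "opnsense-gui"
    if status.startswith("HTTP/"):
        return "webserver"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 3.0):
    """Connect, send a minimal GET, return (reachable, classification_or_error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return False, str(exc)       # e.g. timeout: no rdr rule matched on LAN
    return True, classify(data)


if __name__ == "__main__":
    print(probe(PUBLIC_IP))
```

Run it once from LAN-1 and once from a host outside; if the outside run says "webserver" and the LAN run says "opnsense-gui" or times out, the port-forward is fine and only the reflection rules on the LAN interface are missing.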
Title: Re: NAT Reflection for Web Servers
Post by: sycada on August 08, 2019, 02:09:48 pm
I also encountered this problem. I've turned on ‘Reflection for port forwards’, but I still can't access the mapped address from the internal network.
Title: Re: NAT Reflection for Web Servers
Post by: weswitt on August 11, 2019, 06:18:28 pm
+1 I'm encountering the same problem. I cannot get NAT reflection for HTTP/S working.
Title: Re: NAT Reflection for Web Servers
Post by: jabbas on December 15, 2019, 10:52:52 pm
You have to enable "Automatic outbound NAT for Reflection" to make the NAT Reflection work.
Title: Re: NAT Reflection for Web Servers
Post by: pyrodex on December 16, 2019, 10:53:34 pm
You have to enable "Automatic outbound NAT for Reflection" to make the NAT Reflection work.

This doesn't work...

I have the same problem. Port forward NAT on the WAN IP, and DMZ can't access it even though DMZ has access to the internet/WAN. The connection comes back into the IP on the port forward NAT it redirects to as the DMZ internal host IP.