OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: pyrodex on December 15, 2019, 02:12:21 am

Title: 19.7.7 - NAT Reflection??
Post by: pyrodex on December 15, 2019, 02:12:21 am
So I have multiple subnets (e.g. LAN, IoT, DMZ, and GUEST) with a few jump/remote hosts in the DMZ. I have a port forwarding NAT rule in place with the following settings:

SRC *
SRC PORT *
DEST WAN ADDRESS
DEST PORT 1000
NAT IP <FW LAN IP>
NAT PORT HTTPS

My firewall settings for NAT are as follows:

Reflection for port forwards - ON
Reflection for 1:1 - ON
Automatic outbound NAT for Reflection - ON

With these current settings the LAN can access the NAT fine using the WAN IP and the port specified, but the DMZ cannot: it gets denied, and the logs show the DMZ host attempting to go to the NAT IP/NAT port.

In the past when I had pfSense this type of setup worked so I can't explain why this isn't working.

No matter what settings I make for NAT reflection it never works from the DMZ segment but it can break the LAN side.

Thoughts?

The goal would be the DMZ can access services on the WAN address like any external client but basically hairpin back into the firewall.
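As an added illustration (not from the thread and not OPNsense's generated ruleset), this is what the port forward plus DMZ-side reflection looks like in the pf syntax OPNsense runs on; interface names and addresses are constructed. The thing to check is that pf filters after translation, so the pass rule on the DMZ interface has to allow the translated destination (the firewall LAN IP on 443), not the original WAN IP on 1000.

```pf
# Constructed names and addresses (assumptions, not values from the thread); adjust to your own.
ext_if  = "vtnet0"        # WAN interface
dmz_if  = "vtnet2"        # DMZ interface
wan_ip  = "203.0.113.10"  # public address the port forward listens on
fw_lan  = "192.168.1.1"   # the firewall's own LAN address (the "NAT IP" in the rule)
dmz_net = "10.0.2.0/24"   # DMZ segment

# The port forward as seen from the Internet: WAN_IP:1000 is rewritten to fw_lan:443.
rdr on $ext_if proto tcp from any to $wan_ip port 1000 -> $fw_lan port 443

# Reflection for the DMZ: the same redirect attached to the DMZ interface, so a DMZ host
# connecting to WAN_IP:1000 is rewritten before the packet is routed.
rdr on $dmz_if proto tcp from $dmz_net to $wan_ip port 1000 -> $fw_lan port 443

# Filtering happens after translation. The DMZ pass rule must therefore match the
# translated destination (fw_lan:443). A DMZ policy that only opens wan_ip:1000, or that
# blocks DMZ -> firewall LAN address, produces exactly the "denied to NAT IP / NAT port"
# log entry, while the LAN keeps working because LAN -> fw_lan is already allowed there.
pass in quick on $ext_if proto tcp from any     to $fw_lan port 443 flags S/SA keep state
pass in quick on $dmz_if proto tcp from $dmz_net to $fw_lan port 443 flags S/SA keep state

# "Automatic outbound NAT for reflection" is not required here: the redirect target is the
# firewall itself, so replies naturally return through the same state. Outbound NAT on the
# internal interface is only needed when the target is another host on that same segment
# (true hairpin), so the server's reply goes back through the firewall instead of directly
# to the client. Constructed example for that case:
# nat on $dmz_if proto tcp from $dmz_net to 10.0.2.50 port 443 -> ($dmz_if)
```

If the reflection rdr is present but the DMZ rule set still shows a block with the translated destination, the pass rule is the missing piece rather than the NAT configuration.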
Title: Re: 19.7.7 - NAT Reflection??
Post by: pyrodex on December 18, 2019, 02:25:36 pm
Bump, any help?


Sent from my iPhone using Tapatalk
Title: Re: 19.7.7 - NAT Reflection??
Post by: muchacha_grande on December 18, 2019, 07:03:38 pm
Does it work accessing it from the LAN side using the WAN IP ?
Title: Re: 19.7.7 - NAT Reflection??
Post by: pyrodex on December 18, 2019, 07:08:06 pm
Does it work accessing it from the LAN side using the WAN IP ?

Yes!

But when a LAN client hits the WAN port forward, it maps it to the internal IP of the LAN client, and the WAN port forward forwards to a LAN-based IP.

LAN Client - Same /24, .220 IP
WAN Port Forward forward IP - Same /24, .1 IP