OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: sirio81 on May 05, 2018, 03:05:32 pm

Title: Problem with nat 1:1 reflection
Post by: sirio81 on May 05, 2018, 03:05:32 pm
Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

(https://imgur.com/DZ28oZE)

I set nat reflection advanced options

(https://imgur.com/a4LSoz7)

I set a firewall rule on wan interface

(https://imgur.com/NsqSaIF)

The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing a firewall rule.

Any suggestion?
Title: Re: Problem with nat 1:1 reflection
Post by: Animosity022 on May 05, 2018, 03:09:25 pm
I just set an override in Unbound DNS to the internal IP and don't worry about going out and back in.
Title: Re: Problem with nat 1:1 reflection
Post by: sirio81 on May 05, 2018, 07:16:40 pm
Unfortunately this is an option I can't take.
Title: Re: Problem with nat 1:1 reflection
Post by: Animosity022 on May 05, 2018, 10:02:48 pm
What do your rules look like? If you can share the

You can always configure Unbound to forward to a different DNS server if that's easier rather than having it resolve as well.
Title: Re: Problem with nat 1:1 reflection
Post by: sirio81 on May 07, 2018, 10:00:53 am
I forgot to mention I'm using multi WAN, if that matters.
By the way, I'm not looking for a workaround but for the way to make NAT reflection work.
Title: Re: Problem with nat 1:1 reflection
Post by: Animosity022 on May 07, 2018, 12:45:43 pm
Can you share the firewall rules and the logs when you are trying to ping or connect to it?

I wasn't offering it as a work around but a simpler setup. I don't reflect because it's added complexity as to why would I want to direct to my firewall and back to an internal host. In my use case, I could reflect, but it's unneeded complexity so I just DNS override to the internal IP for that. For me, it's easier and less complex.
Title: Re: Problem with nat 1:1 reflection
Post by: sirio81 on May 08, 2018, 12:46:26 pm
Hi Animosity022, I do agree that DNS override is a better solution, but consider two more webservers, hosting 100 domains.
All these domains and all their records would have to be overridden to be able to reach them from the internal network.
That's why I'm opting for NAT reflection.
If it were a matter of a few DNS records, I wouldn't use NAT reflection.
I'm aware that this way the traffic goes through the firewall, but there won't be many requests in my case.

Anyway, I made it work!
I have two LAN networks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has IP 192.168.2.254 and the virtual IP 192.168.3.250.
They are the gateways for the respective networks.
I added two rules on LAN interface:

from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass

(https://imgur.com/mKxxzYa)

traceroute www.domain.com
traceroute to www.domain.com (1.2.3.4), 30 hops max, 60 byte packets
 1  webserver-jessie.domain.com (1.2.3.4)  0.425 ms  0.457 ms  0.479 ms
 2  webserver-jessie.domain.com (1.2.3.4)  1.689 ms  1.682 ms  1.697 ms

Note: I was in doubt if it was necessary to disable the option "Block private networks" on the WAN interface but it isn't.
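An added illustration of why the two extra LAN rules were what made reflection work (this is a simplified model written for this page, not OPNsense or pf code, and not part of any post above): on a pf-based firewall the reflection rdr/binat translation is applied to a packet arriving on the LAN interface before that interface's filter rules are evaluated, so the pass rule has to match the internal (post-translation) destination, 192.168.6.0/24, rather than the public 1:1 address. The addresses and rules are the ones from the thread; the rule model (first match wins, default deny) and the packet fields are assumptions of the example.

```python
"""Model of NAT-reflection ordering on a pf-based firewall such as OPNsense.

Assumed simplification: translation (rdr/binat) runs first, then the
interface's filter rules see the translated packet.  Addresses and the
1:1 mappings are taken from the thread; everything else is constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# 1:1 mappings from the thread (public address -> internal host)
BINAT = {
    "1.2.3.4": "192.168.6.38",
    "1.2.3.5": "192.168.6.37",
}


@dataclass(frozen=True)
class Packet:
    src: str  # source address
    dst: str  # destination address as seen at the current stage


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # source network in CIDR notation
    dst: str     # destination network in CIDR notation


def reflect(pkt: Packet) -> Packet:
    """NAT reflection on the LAN interface: a LAN client sending to a
    public 1:1 address gets its destination rewritten to the internal
    host before any filter rule is consulted."""
    if pkt.dst in BINAT:
        return replace(pkt, dst=BINAT[pkt.dst])
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both addresses fall inside its networks."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def filter_first_match(rules, pkt: Packet) -> str:
    """OPNsense GUI rules are evaluated first-match ("quick") with an
    implicit default deny at the end of the list."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def evaluate_lan_inbound(rules, pkt: Packet):
    """Full path for a packet entering on LAN: translate, then filter.
    Returns (verdict, packet as the filter saw it)."""
    translated = reflect(pkt)
    return filter_first_match(rules, translated), translated


# The two rules the poster added on the LAN interface.
LAN_RULES = [
    Rule("pass", "192.168.2.0/24", "192.168.6.0/24"),
    Rule("pass", "192.168.3.0/24", "192.168.6.0/24"),
]

# A tempting but wrong rule: it names the public address, which the
# filter never sees for reflected traffic because rdr already rewrote it.
PUBLIC_ADDRESS_RULE = [Rule("pass", "192.168.2.0/24", "1.2.3.4/32")]


if __name__ == "__main__":
    client = Packet("192.168.2.10", "1.2.3.4")  # constructed LAN client
    print(evaluate_lan_inbound(LAN_RULES, client))
    print(evaluate_lan_inbound(PUBLIC_ADDRESS_RULE, client))
    print(evaluate_lan_inbound([], client))
```

The same ordering is why a reflected connection shows the internal host as the first hop in the poster's traceroute: by the time routing and filtering happen, the packet is already addressed to 192.168.6.38, and the LAN rule must therefore permit that destination.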