General Discussion / NAT Reflection - Was working, not sure why it stopped.
« on: August 22, 2022, 06:14:08 pm »
Greetings.
I have an OPNSense Firewall with a single WAN. The LAN port goes to a Layer 3 switch which is doing the routing between the other networks.
To do this I have an extra Gateway defined for the Layer 3 Switch. Also, the Outbound NAT setting is set to Hybrid so I can manually enter rules for the extended networks.
You may ask "Why are you having the L3 Switch do the routing and not pass the VLANS to the OPNSense router?" Because I have a Content Filter sitting between the Switch and the Firewall, and it needs to see all the traffic. (This is for a K12 School network.)
So my network looks something like this:
Internet -> (WAN Port) OPNSense (LAN Port) -> Content Filter -> Layer 3 switch -> Multiple VLANs with different IP Networks
That all works. But I needed to explain all that so I can ask about port forwarding and NAT reflection.
-------
I have some services that are internal servers but are reachable through my OPNSense firewall via port forwarding. This works perfectly outside my networks. It also did work from inside my networks as well via NAT reflection. But somehow, this stopped working.
I've tried many different settings to get this to work:
- Global settings for NAT reflections for port forwards enabled and disabled
- Individual port forward settings for NAT reflection enabled and disabled
- Manually created WAN Firewall rules to allow ports through from any source
- Trying the "Allow Bogons" and/or "Allow Private Networks" Setting from WAN
None of it is allowing internet computers to reach the resources via NAT reflection.
So, I've changed most of the settings back to defaults, as I don't want to be allowing the BOGON or private networks through the WAN if I don't have to.
So, I'm at a loss now of what I can try. I don't see any requests being blocked in the live logs when I attempt to reach those ports, so I don't think it's a firewall issue. Is there a log file somewhere else where I can see if the reflections are working? Or is there something simple I'm missing/forgetting?
Thanks for any support.
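The question above asks where to see whether reflection is actually installed. On a pf-based firewall such as OPNsense, NAT reflection for a port forward is just an extra `rdr` rule on the internal interface(s) next to the one on WAN, and `pfctl -sn` prints the whole NAT rule set. The script below is an added example, not from the post or from the OPNsense project: it parses `pfctl -sn` style output and reports, per port forward, whether an internal-interface `rdr` rule exists. The sample output, interface names (`vtnet0` as WAN, `vtnet1` as LAN), addresses and ports are all constructed for the example.

```python
"""Parse pf NAT rules (as printed by `pfctl -sn`) and report which port
forwards also have a reflection (rdr) rule on a non-WAN interface.

Added example; the sample output below is constructed, not taken from the
original post or from an actual OPNsense box.
"""
import re
import sys
from collections import defaultdict

# Constructed `pfctl -sn` output. vtnet0 plays the WAN, vtnet1 the LAN;
# addresses, ports and interface names are made up for the example.
SAMPLE_PFCTL_SN = """\
nat on vtnet0 inet from 192.168.10.0/24 to any -> 203.0.113.10
nat on vtnet0 inet from 10.20.0.0/16 to any -> 203.0.113.10
rdr on vtnet0 inet proto tcp from any to 203.0.113.10 port = 443 -> 192.168.10.50 port 443
rdr on vtnet1 inet proto tcp from any to 203.0.113.10 port = 443 -> 192.168.10.50 port 443
rdr on vtnet0 inet proto tcp from any to 203.0.113.10 port = 8080 -> 192.168.10.51 port 80
"""

# One pf rdr rule; anything after the target port (tags, pools) is ignored.
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?\s+on\s+(?P<iface>\S+)\s+inet6?\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+(?P<dst>\S+)\s+port\s+=\s+(?P<dport>\d+)"
    r"\s+->\s+(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
)


def parse_rdr_rules(text):
    """Return a list of dicts, one per rdr rule the regex recognises."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["tport"] = int(d["tport"])
            rules.append(d)
    return rules


def reflection_report(rules, wan_iface):
    """Group rdr rules by forward (proto, external port, internal target:port)
    and record on which interfaces each forward is redirected."""
    report = defaultdict(lambda: {"on_wan": False, "internal_ifaces": []})
    for r in rules:
        key = (r["proto"], r["dport"], f"{r['target']}:{r['tport']}")
        if r["iface"] == wan_iface:
            report[key]["on_wan"] = True
        else:
            report[key]["internal_ifaces"].append(r["iface"])
    return dict(report)


def forwards_without_reflection(rules, wan_iface):
    """Forwards that exist on the WAN only: an internal client has no rdr
    rule to match, so hairpin access fails regardless of the filter rules."""
    rep = reflection_report(rules, wan_iface)
    return sorted(k for k, v in rep.items()
                  if v["on_wan"] and not v["internal_ifaces"])


if __name__ == "__main__":
    # Usage on the firewall:  pfctl -sn | python3 this_script.py <wan_iface>
    wan = sys.argv[1] if len(sys.argv) > 1 else "vtnet0"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_SN
    for key, v in reflection_report(parse_rdr_rules(text), wan).items():
        status = ("reflected on " + ",".join(v["internal_ifaces"])
                  if v["internal_ifaces"] else "WAN ONLY")
        print(f"{key[0]}/{key[1]} -> {key[2]}: {status}")
```

With the constructed sample, tcp/443 shows as reflected on `vtnet1` while tcp/8080 is flagged WAN ONLY. A second thing worth reading in the same output is the `nat on <internal interface>` rules: for a reflected connection the server's reply has to come back through the firewall, and when the client sits in a VLAN that the L3 switch routes, the server would otherwise answer the client directly via the switch and the state never completes. That is why reflection on pf-based firewalls is normally paired with an outbound NAT rule on the internal interface for the reflected traffic; if that rule is absent for the routed VLAN networks, the `rdr` rule alone is not enough.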