OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 20.1 Legacy Series »
  • Nat reflection does not seem to work
« previous next »
  • Print
Pages: [1]

Author Topic: Nat reflection does not seem to work  (Read 2129 times)

Don.key

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Nat reflection does not seem to work
« on: June 30, 2020, 02:06:23 am »
Hi,

I have a 1:1 NAT setup for a server located on inside network, I also have a somewhat exotic requirement in that this very machine runs several processes that need to connect to it's public IP address. (This is a P2P network node that runs several processes).

I have enabled NAT reflection and it seems to make entries in pfctl -sn table:

Code: [Select]
rdr on cxl1_vlan80 inet from any to $PUB_IP -> $LOCAL_IP bitmask
Still, I am not able to open a simple SSH connection to my own public IP.

What could be wrong?

Thanks
« Last Edit: June 30, 2020, 09:44:26 am by Don.key »
Logged

sesquipedality

  • Newbie
  • *
  • Posts: 44
  • Karma: 4
    • View Profile
Re: Nat reflection does not seem to work
« Reply #1 on: June 30, 2020, 10:08:17 am »
If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.

I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.
Logged

Don.key

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Nat reflection does not seem to work
« Reply #2 on: June 30, 2020, 11:03:28 am »
Quote from: sesquipedality on June 30, 2020, 10:08:17 am
If you are using unbound on the opnsense router to serve DNS on your network, you can possibly avoid the need for NAT reflection by using a DNS alias instead.  Set it so that your public hostname resolves to your internal IP, and all should be well.

Unfortunately I cannot rely on DNS, the connection is done via IP bypassing normal DNS resolution.

Quote from: sesquipedality on June 30, 2020, 10:08:17 am
I tried and gave up with NAT reflection because I found it had too many odd side effects for my liking.  If the above solution doesn't work for you, then hopefully someone else will be able to assist.

That is what I am afraid of..  This is very essential for me.
Logged

Don.key

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Nat reflection does not seem to work
« Reply #3 on: June 30, 2020, 09:44:34 pm »
Just as an info for anyone who might run into similar issue:

It is technically impossible to reflect / redirect to a host on same interface that host is connected to, see man pf.conf:

Quote
Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.

Too bad. In my specific case I have no other option but to connect my host directly to internet, bypassing the firewalls.
« Last Edit: June 30, 2020, 10:21:09 pm by Don.key »
Logged

GaardenZwerch

  • Full Member
  • ***
  • Posts: 104
  • Karma: 2
    • View Profile
Re: Nat reflection does not seem to work
« Reply #4 on: July 02, 2020, 07:49:48 am »
Hi,
did you try these options?

Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 20.1 Legacy Series »
  • Nat reflection does not seem to work
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2