OPNsense Forum » English Forums » General Discussion » Dealing with port forwarding for a laptop which may be WAN or LAN based.
Topic: Dealing with port forwarding for a laptop which may be WAN or LAN based. (Read 842 times)
Koloa (Newbie, Posts: 41, Karma: 4)
Dealing with port forwarding for a laptop which may be WAN or LAN based.
« on: September 17, 2022, 08:36:59 am »
Hi,
I run an IMAP server on my LAN which I've got NAT -> port forwarding set up for on the WAN interface. Works fine, can reach the appropriate internal resource on the correct port as expected (whenever I'm attached to another network).
However, when I use my laptop on the LAN, my OPNsense is rewriting the response packets to the WAN IP to be from the LAN IP of the IMAP server.
This means that the laptop is trying to connect to 1.2.3.4:9003, but, the response packets are coming from 192.168.50.9:993.
This, rightfully, causes the LAN IP'd laptop to reset the connection and try again.
To try to address this, I changed my NAT -> Port Forwarding rule so that it does NOT apply to the LAN Net (source invert).
Again, this continues to work just fine from outside of the network itself. But when I'm attached to the LAN, it means that the packets to the WAN IP for the IMAP server are being completely dropped.
What is the right way to solve this? I want my IMAP client to always be configured for the hostname of the WAN IP address, and the port I use (9003 in this example).
I'm just not sure what forwarding/rules I need such that the OPNsense device will receive the traffic on its LAN IP, with a destination of the WAN IP, and perform the port forwarding to the internal IP address and port, but NOT re-write the IP address of the IMAP server to be the LAN IP that it has.
I've tried just about everything I can think of for forwarding or rules, inbound and outbound, but, can't make this work when the laptop is on the same network as the IMAP server.
Edit: I've tried with NAT reflection both enabled and disabled, doesn't seem to impact the situation I have.
Thanks!
« Last Edit: September 17, 2022, 08:44:43 am by Koloa »
Logged
Koloa (Newbie, Posts: 41, Karma: 4)
Re: Dealing with port forwarding for a laptop which may be WAN or LAN based.
« Reply #1 on: September 18, 2022, 01:09:10 am »
Solved - sort of.
Gave up trying to get this to work as it used to on an ASUS home router; likely part of how FreeBSD does things under the bonnet is more proscriptive, in a good way, and I'm fine with that.
My solution was to resort to a split DNS solution so that local hosts resolve the LAN IP of the IMAP server, but, external will stick to public WAN IP.
Logged
marshalleq (Newbie, Posts: 32, Karma: 1)
Re: Dealing with port forwarding for a laptop which may be WAN or LAN based.
« Reply #2 on: January 05, 2023, 11:37:26 pm »
I feel that with all the issues in here with NAT reflection that either it is broken or needs an overhaul to make it make sense. I too have this issue. I want to use NAT reflection for my mail server because Split DNS is causing issues with my security certificates. Basically the internal different IP keeps questioning me why the certificate has changed and blocks the traffic.
Hopefully someone at OPNsense will make it a priority after so many years of unanswered questions.
Logged
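The symptom from the first post (the laptop dials 1.2.3.4:9003 but sees replies from 192.168.50.9:993) and the NAT reflection discussed in the replies can be traced with a small packet-path model. This is an added example, not part of the thread and not OPNsense code; the /24 prefix, the firewall LAN address, the laptop address and the translated source port 40000 are constructed for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.50.0/24")  # assumed prefix length
FW_LAN = "192.168.50.1"            # assumed firewall LAN address
LAPTOP = ("192.168.50.20", 51000)  # constructed client address and port
PUBLIC = ("1.2.3.4", 9003)         # WAN address:port from the first post
SERVER = ("192.168.50.9", 993)     # internal IMAP server from the first post


def hairpin(source_nat):
    """Trace one request/reply pair; return (reply source seen by laptop, accepted)."""
    # Laptop sends to the public address; its default gateway (the firewall) gets it.
    src, dst = LAPTOP, PUBLIC
    # Port forward: destination is rewritten to the internal server.
    new_dst = SERVER if dst == PUBLIC else dst
    # Reflection with source NAT also rewrites the source to the firewall itself.
    new_src = (FW_LAN, 40000) if source_nat else src
    # State entry: how to undo the translation for the reply.
    state = {(new_dst, new_src): (dst, src)}

    # Server answers the source address it saw.
    reply_src, reply_dst = new_dst, new_src
    via_firewall = reply_dst[0] == FW_LAN
    if via_firewall:
        # Reply reaches the firewall, which reverses both rewrites.
        reply_src, reply_dst = state[(reply_src, reply_dst)]
    else:
        # Destination is on-link: the server sends straight to the laptop,
        # so the firewall never gets to rewrite the reply.
        assert ipaddress.ip_address(reply_dst[0]) in LAN

    # The laptop's socket only accepts a reply from the peer it dialled.
    accepted = reply_dst == LAPTOP and reply_src == PUBLIC
    return reply_src, accepted


if __name__ == "__main__":
    for mode in (False, True):
        print("source NAT on reflection:", mode, "->", hairpin(mode))
```

With source NAT on the reflected flow, the IMAP server sees every LAN client as the firewall's address, so per-client logging and rate limiting on the server lose the real source.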