1:1 NAT Reflection doesn't work

Started by tomstephens89, January 20, 2020, 10:58:32 AM

Hi all,

Have recently migrated one of our sites to OPNSense 19.7 from pfSense which I used for the past 5 years.

I have a web server on site hosting a demo with 1:1 NAT configured using one of the IPs in our public subnet.

I have all the NAT reflection boxes ticked however I cannot access the server via its public address from inside the network... The 1:1 NAT and firewall rule on the WAN work as expected, the server is accessible from the outside. However NAT reflection is not working.

This is an L3 switched environment with several VLANs routed on the switch core. There is an uplink to OPNSense which then goes off to WAN. Static routes are all in place and everything works as expected, except NAT reflection.

Most client PCs are in 172.16.1.0/24 as is the server (172.16.1.183).

I did some googling and found others that have reported NAT reflection not functioning.

I know reflection isn't a great idea, and internal clients should access internal resources via their internal addresses (so I could do a host override on local DNS forwarder) but NAT reflection is a feature on offer and should therefore work.

Any suggestions?

And 3 days with no reply indicates the lack of user base there is here.

Not too happy to say I'll be moving back to pfSense. But it was good to me for 6 years and probably shouldn't have fallen for the OPNSense charm anyway. At least basic things work as expected and you get responses on their forum within 3 days.

Maybe the amount of details in your original question wasn't sufficient for others to point you in the right direction (details often help), you never know.

Just ask yourself, how many people have you helped in the past 6 months that you were around on our forum? Community thrives by people willing to step up, help others by replying to forum posts (as many people do around here), write code, submit documentation, etc, etc.

Feel free to come back any time you like,

Best regards,

Ad

Quote from: AdSchellevis on January 23, 2020, 08:47:24 AM
Maybe the amount of details in your original question wasn't sufficient for others to point you in the right direction (details often help), you never know.

Just ask yourself, how many people have you helped in the past 6 months that you were around on our forum? Community thrives by people willing to step up, help others by replying to forum posts (as many people do around here), write code, submit documentation, etc, etc.

Feel free to come back any time you like,

Best regards,

Ad

I think the details in my original post were perfectly sufficient that anyone with input or rather, others with similar installs that might try to replicate the behaviour could do so.

I'll help anyone wherever I can, however until now my experience with OpnSense has only been in test phase. Now I am using it in anger and have found what seems to be a genuine problem, first point of call was google, followed by the question on here.

It's just disappointing that 7 days later, with a potential issue as sizeable as this, combined with the other reports of it that google threw up, that there hasn't been one genuine on topic response at all. I am rather disheartened by the amount of confidence in this project I have lost due to this issue, another one (IPSEC related) that I haven't mentioned, and also the lack of response.

Hi there,

> I think the details in my original post were perfectly sufficient that anyone with input or rather, others with similar installs that might try to replicate the behaviour could do so.

The problem I see is that you assume this to be true leaving out the lack of responses as an indication of this not being entirely true and then going on to say you solve it by reverting to a different software indicating to others that you are not interested in getting to the bottom of it.

Not everyone can or always will be helped in this community for any number of complex reasons even when you are dealing with avid community volunteers of free software. Life gets in the way for all of us sometimes and there are no obligations to do so.

That being said, the words "does not work" in any message or issue report may be off-putting to start with.


Cheers,
Franco

Quote from: franco on January 27, 2020, 02:53:45 PM
Hi there,

> I think the details in my original post were perfectly sufficient that anyone with input or rather, others with similar installs that might try to replicate the behaviour could do so.

The problem I see is that you assume this to be true leaving out the lack of responses as an indication of this not being entirely true and then going on to say you solve it by reverting to a different software indicating to others that you are not interested in getting to the bottom of it.

Not everyone can or always will be helped in this community for any number of complex reasons even when you are dealing with avid community volunteers of free software. Life gets in the way for all of us sometimes and there are no obligations to do so.

That being said, the words "does not work" in any message or issue report may be off-putting to start with.


Cheers,
Franco

Still.... here we are days and days later with not even a single bit of input or more questions. Or acknowledgement that there may be an issue, despite being reported by various people when I googled.

Fully aware it's a community driven project.

Evidently not as active / not as big an install base as I thought.

You're still assuming the worst driving a narrative that doesn't help you. Maybe the community learned to deal with this by mere lack of response.


Cheers,
Franco

I agree with Ad and Franco - a post like "Is anybody using 1:1 NAT with reflection successfully?" may have had more responses.

The answer to that question is that NAT reflection works fine on all my 1:1 NAT rules:

Interface: WAN
Type: BINAT
External network: <public IP>
Source: Single host or Network, <internal IP>/32
NAT reflection: Enable

All else unticked

Bart...

Quote from: tomstephens89 on January 20, 2020, 10:58:32 AM
Hi all,

Have recently migrated one of our sites to OPNSense 19.7 from pfSense which I used for the past 5 years.

I have a web server on site hosting a demo with 1:1 NAT configured using one of the IPs in our public subnet.

I have all the NAT reflection boxes ticked however I cannot access the server via its public address from inside the network... The 1:1 NAT and firewall rule on the WAN work as expected, the server is accessible from the outside. However NAT reflection is not working.

This is an L3 switched environment with several VLANs routed on the switch core. There is an uplink to OPNSense which then goes off to WAN. Static routes are all in place and everything works as expected, except NAT reflection.

Most client PCs are in 172.16.1.0/24 as is the server (172.16.1.183).

I did some googling and found others that have reported NAT reflection not functioning.

I know reflection isn't a great idea, and internal clients should access internal resources via their internal addresses (so I could do a host override on local DNS forwarder) but NAT reflection is a feature on offer and should therefore work.

Any suggestions?

Auto-reflection for outbound rules is only for the same network the internal server sits in, so when you have a different network behind an L3 switch you have to create a manual outbound NAT rule:

Iface: LAN interface of internal server
Source: Your real client net
Destination: Your internal server
Translated interface: interface address (default)

This will do it ..
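The reason the manual outbound NAT rule is needed is the return path: when the client sits in a VLAN routed on the L3 core, the server's reply goes straight back through the switch and never crosses the firewall, so the client receives a packet from the server's internal address rather than the public one and its TCP stack discards it. The following model, added here as an illustration and not code from the thread or from OPNsense, walks one HTTP request through both configurations. Only the server address 172.16.1.183 comes from the thread; the public IP, the firewall LAN address, the client VLAN and the port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for this walk-through. Only the server address comes from the
# thread; the public IP, firewall LAN address and client VLAN are hypothetical.
PUBLIC_IP = "203.0.113.10"   # external address of the 1:1 NAT (documentation range)
SERVER_IP = "172.16.1.183"   # internal web server (from the thread)
FW_LAN_IP = "172.16.1.1"     # hypothetical OPNsense LAN interface address
CLIENT_IP = "172.16.2.50"    # hypothetical client PC in a VLAN routed on the L3 core
CORE_VLANS = ["172.16.1.0/24", "172.16.2.0/24"]  # routed by the switch, not the firewall
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Minimal model of 1:1 NAT with reflection plus the optional manual outbound NAT
    rule (source = client net, destination = server, translation = interface address)."""

    def __init__(self, hairpin_outbound_nat: bool):
        self.hairpin = hairpin_outbound_nat
        self.states = {}  # server-side 4-tuple -> packet as the client originally sent it

    def client_to_server(self, pkt: Packet) -> Packet:
        # 1:1 NAT reflection: rewrite the public destination to the internal server.
        out = replace(pkt, dst=SERVER_IP)
        # Outbound NAT on the server's LAN: rewrite the source to the firewall's LAN
        # address so the server's reply is forced back through the firewall.
        if self.hairpin:
            out = replace(out, src=FW_LAN_IP)
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def server_to_client(self, reply: Packet):
        # Reverse both translations using the state created on the way in.
        orig = self.states.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def deliver_from_server(reply: Packet, fw: Firewall):
    """Route the server's reply. Destinations inside the core VLANs are delivered by the
    L3 switch without touching the firewall, unless the destination is the firewall."""
    if reply.dst == FW_LAN_IP:
        return fw.server_to_client(reply)
    for net in CORE_VLANS:
        if ipaddress.ip_address(reply.dst) in ipaddress.ip_network(net):
            return reply  # switch delivers it directly, still carrying the server's real address
    return None  # would leave via the firewall's default route; not relevant here


def simulate(hairpin_outbound_nat: bool) -> dict:
    fw = Firewall(hairpin_outbound_nat)
    request = Packet(src=CLIENT_IP, sport=40000, dst=PUBLIC_IP, dport=HTTP)
    to_server = fw.client_to_server(request)
    # The server answers whatever source address the translated packet carried.
    reply = Packet(src=SERVER_IP, sport=HTTP, dst=to_server.src, dport=to_server.sport)
    seen_by_client = deliver_from_server(reply, fw)
    # The client's TCP stack only matches a reply from the address and port it connected to.
    accepted = (seen_by_client is not None
                and seen_by_client.src == PUBLIC_IP
                and seen_by_client.sport == HTTP
                and seen_by_client.dport == request.sport)
    return {"reply_seen_by_client": seen_by_client, "client_accepts": accepted}


if __name__ == "__main__":
    for hairpin in (False, True):
        result = simulate(hairpin)
        print(f"manual outbound NAT rule {'present' if hairpin else 'absent'}: "
              f"client sees {result['reply_seen_by_client']}, "
              f"accepts={result['client_accepts']}")
```

Running it shows the asymmetric path without the rule (the client sees a reply from 172.16.1.183 and drops it) and the symmetric path with it (both translations are reversed and the reply arrives from the public address). The cost of the rule is that the server's logs will show every reflected connection as coming from the firewall's LAN address, which is one reason the DNS host override mentioned earlier in the thread is usually the cleaner choice.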

Quote from: mimugmail on January 28, 2020, 04:45:43 PM
Quote from: tomstephens89 on January 20, 2020, 10:58:32 AM
Hi all,

Have recently migrated one of our sites to OPNSense 19.7 from pfSense which I used for the past 5 years.

I have a web server on site hosting a demo with 1:1 NAT configured using one of the IPs in our public subnet.

I have all the NAT reflection boxes ticked however I cannot access the server via its public address from inside the network... The 1:1 NAT and firewall rule on the WAN work as expected, the server is accessible from the outside. However NAT reflection is not working.

This is an L3 switched environment with several VLANs routed on the switch core. There is an uplink to OPNSense which then goes off to WAN. Static routes are all in place and everything works as expected, except NAT reflection.

Most client PCs are in 172.16.1.0/24 as is the server (172.16.1.183).

I did some googling and found others that have reported NAT reflection not functioning.

I know reflection isn't a great idea, and internal clients should access internal resources via their internal addresses (so I could do a host override on local DNS forwarder) but NAT reflection is a feature on offer and should therefore work.

Any suggestions?

Auto-reflection for outbound rules is only for the same network the internal server sits in, so when you have a different network behind an L3 switch you have to create a manual outbound NAT rule:

Iface: LAN interface of internal server
Source: Your real client net
Destination: Your internal server
Translated interface: interface address (default)

This will do it ..

Perfect thanks!