Hairpin NAT not seeming to work (accessing external IP from inside network)

[thefunkygibbon]

Hi, new to opnsense, but not new to firewalls in general.

My situation is that I have a bunch of things I need to access using the external addresses.  This was working fine with my previous mesh system with basic port forwarding.

example

I have a single IP address which the modem gives to the WAN interface of my firewall ([home.domain.com](https://home.domain.com) in this example).

I have some nat/access rules to allow the traffic as per:

server is on [home.domain.com:1234](https://home.domain.com:1234)

nats to [192.168.0.1:80](https://192.168.0.1:80)

server is on [home.domain.com:2345](https://home.domain.com:2345)

firewall nats to [192.168.0.2:443](https://192.168.0.2:443)

and so on.

​

The NAT rules I've created work fine externally, I've put the interfaces to be both LAN and WAN and the auto created rule has created a 'floating' rule that seems correct.

I've enabled nat reflection too.  no dice.

​

I know I can create local DNS to get around it , but it only would work for the single IP address.

​

Any pointers?  I'm sure that Opnsense should be able to do this... but i am positive i must be doing something dumb.

​

Thanks in advance.

​

edit:

also if it is relevant i see this in the state tables

 all tcp  192.168.0.23:53368 86.11.11.1:10443 192.168.0.2:8123 CLOSED:SYN\_SENT 
 (192.168.0.23 is my device i'm testing from and the 86 IP is my obfuscated external IP and 192.168.0.2 is my server

[thefunkygibbon]

also, I've tested going down the dns route with internal dns resolving my url to be the internal address. but i still have issues with it getting a bit confused between being on the network and not. (ie when i fired up Home assistant, it said it couldn't connect (so clearly wasn't working properly despite being on the LAN for the last 12 hours) until i refreshed it and it was ok again. )

[slackadelic]

Did you look under Firewall -> Settings -> Advanced

Make sure that:

Reflection for port forwards   
Reflection for 1:1   
Automatic outbound NAT for Reflection

are all checked, see if that helps (NOTE: You may have to reboot the firewall for these to take affect)

[thefunkygibbon]

Thanks.
Yes Reflection is enabled for the port forward rule i created.
Not for 1:1 nat as i'm using portforwarding (only have 1 public IP) so nothing is in that tab at all.
Not sure where you mean with the automatic outbound nat for reflection.  I'm set to automatic outbound but there are no options for reflection there afaics

regards

[slackadelic]

Does this help?

https://prnt.sc/26wais9

[thefunkygibbon]

thanks. can you point me in the direction of where those tick boxes are in the ui?  thanks
:edit: found them, enabled them.  will test again.

[thefunkygibbon]

wow ok cool thank you. that looks like it has made it work.  not sure which though as i created refection enabled rule to start with. these settings just turn it on by default doesnt it?

[slackadelic]

If you read the descriptions of each of those options within the UI, it explains it much better than I. 

[HolgerKuehn]

What settings did this screenshot refer to?
I have the exact same issue, but the solution is unavailable due to deleted screenshot.

[mimugmail]

Nat reflection only works for networks directly attached to opnsense. Networks behind other systems needs manual nat