Traffic when NAT "Reflection for port forwards" is enabled locks up opnsense

[berrydan]

I have a OPNsense installation running where I have internal traffic going to ports 80/443 of the public IP, which in turn goes to an nginx reverse proxy, then to a Jellyfin ("JF") server.  Yes, I could simply point the JF client to the internal JF server address, but for configuration simplicity's sake, I point the client to the public IP so tablets connect regardless if I'm internal/external to my LAN.

For this purpose, I have "Reflection for port forwards" enabled so internal traffic can hairpin out and in through the public IP.

<int. jf client:443> --> <public IP opnsense> --> <int. nginx revproxy:443> --> <int. jf server:8096>

When running in this configuration, traffic succeeds for as little as several seconds to as much as several minutes before the entire OPNsense firewall blocks/freezes traffic completely for everyone and everything. It's unpredictable how long it will take. Recovering necessitates that I power cycle the OPNsense firewall and reboot.

This was not happening prior to upgrading to 24.7, where I was running 24.1.

Public-facing traffic has no problem transitioning through OPNsense with the NAT configuration as it is. I've been forced to deactivate Reflection out of concerns that any amount of traffic could lock up OPNsense on me.

[jjrushford]

I'm running 24.7 with port forwarding to my internal apache WebDAV server.  My MacOS laptop users use the WebDAV server to mount a NAS share and they need to do that from wherever they are, on the local lan or when they're out and about.  The port forwarding from the public IP works fine and I have the NAT reflection with hairpin NAT working as well, it never causes my OPNsense server to lock up, it works fine.

Now with all that said, I've found that I really don't need the NAT reflection if I use split horizon DNS.  I'm with Cloudflare and I'm using DDNS to register my public IP with the CloudFlare DNS servers using www.mydomain.com.  Internally, I run unbound on my OPNsense box and I register www.mydomain.com there using the Internal private IP.  The OPNsense DHCP server tells everyone on the LAN to use the unbound DNS.  So, when the laptop users are on the LAN, www.mydomain.com points directly to the internal WeBDAV servers IP.  When they are out and about, www.mydomain.com points to the public IP which gets port forwarded to the internal WebDAV server.  This works fine and I really don't need the NAT reflection. 

[berrydan]

While your approach is interesting and I considered having split DNS, I feel that it's more problematic for administrating.

My chief concern is that there may be some form of memory leak going on, or perhaps some table that is filling up with records and then causing opnsense to get into an out-of-memory condition. WebDav doesn't generate as much packet traffic, unlike something like streaming video. Which in itself seems annoying, as the box my opnsense is running on has 16GB of RAM, so it's not exactly short on space.