NAT Reflection / Hairpinning broken for WiFi clients after 26.1 upgrade

Started by PilaScat, February 12, 2026, 01:51:34 PM

Hi everyone,

I've recently updated my OPNsense box to version 26.1 and performed the firewall migration. Since the update, I'm experiencing a strange issue with NAT Hairpinning (NAT Reflection).

The Issue: I can no longer access my locally hosted services from within my internal network using their public FQDN/WAN IP. However, there are some specific behaviors:

  • Tunnels work: Services routed through Cloudflare Tunnels or Pangolin are reachable without issues.
  • Ethernet works: My desktop PC, connected via Ethernet, can still reach local services via the WAN IP (Hairpinning seems to work here).
  • WiFi is broken: Devices connected via my UniFi APs cannot reach local services. They can only access them when switching to mobile data (LTE/5G).

Current Configuration: Before the update, everything was working perfectly. My current NAT settings are:

  • Reflection for port forwards: Disabled
  • Reflection for 1:1: Disabled
  • Automatic outbound NAT for Reflection: Disabled

It seems like the NAT Reflection is not being applied correctly to the WiFi interface/VLAN after the migration, or there's a routing/DNS conflict introduced by the new version.

I am attaching screenshots of my Firewall settings.

Has anyone else experienced issues with NAT Reflection being restricted to specific interfaces after the 26.1 migration? Any advice on where to look would be greatly appreciated.

Thanks in advance!

Wifi was broken in general for the 26.1 release. I'm surprised it was working for you. Try the latest update. You may need to delete and reinstall the wifi.

Quote from: TheSHAD0W on February 13, 2026, 01:29:12 AM
Wifi was broken in general for the 26.1 release. I'm surprised it was working for you. Try the latest update. You may need to delete and reinstall the wifi.

I'm not using the integrated wireless

Quote from: PilaScat on February 12, 2026, 01:51:34 PM
  • Ethernet works: My desktop PC, connected via Ethernet, can still reach local services via the WAN IP (Hairpinning seems to work here).
  • WiFi is broken: Devices connected via my UniFi APs cannot reach local services.
NOFI, but there is something seriously wrong with your network setup if there is a difference between these two !!

"The connectivity experience" for those two should always be 100% identical unless you have got something configured differently for one of those two on purpose !!

Also consider not using any kind of NAT Loopback or Reverse NAT for this kind of setup.
Setting up domains correctly in combination with any Reverse Proxy software is IMHO the better solution.

/EDIT :
Quote from: Monviech (Cedrik) on February 13, 2026, 05:10:22 PM
Or using IPv6 in general, ahh so nice no nat trickeries anymore. :)
+1 :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Or using IPv6 in general, ahh so nice no nat trickeries anymore. :)
Hardware:
DEC740

Tricksy NATsesss ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have a similar issue - to clarify my setup:

I have a local domain which is the same as my external domain. I run AGH and forward to DNSMasq. I have a custom conf file in /usr/local/etc/dnsmasq.conf.d/custom-domain.conf with the contents

# Only answer for known hosts, forward unknown queries upstream
server=/mydomain.com/1.1.1.1
domain=mydomain.com

This used to work on the 25.7 series - but once I updated to 26.1 I cannot access any of the self-hosted sites from my LAN, such as sub-domain.mydomain.com. I determined it was DNS by just running an nslookup on the URLs and getting no answer back.

Does your DNS resolve? Just reverted to 25.7 and all is well again (took a config backup - so was easy with the opnsense installer!)

I think the problem is the local domain flag works in the dnsmasq setting - I couldn't see that change in the generated dnsmasq.conf (what I think the setting is in the config file).
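The two posts above point at the same remedy: instead of relying on NAT reflection, let LAN clients resolve the published hostnames directly to the reverse proxy's LAN address (split-horizon DNS), while everything else under the domain still goes upstream. The script below is an added example, not configuration from the thread or from the OPNsense project; it generates such a dnsmasq fragment for the conf.d path mentioned in the thread. The domain, the proxy address, and the host list are constructed placeholders, and the upstream resolver is the one from the posted config.

```sh
#!/bin/sh
# Added example: build a split-horizon dnsmasq fragment so LAN clients get the
# LAN address of the reverse proxy for published hostnames and never need
# NAT reflection. Names under the domain that are not listed are still
# forwarded upstream, exactly like the server=/ line in the posted config.

DOMAIN="mydomain.com"          # constructed placeholder
PROXY_LAN_IP="192.168.1.10"    # constructed: LAN IP of the reverse proxy
UPSTREAM="1.1.1.1"             # upstream resolver from the posted config
PUBLISHED_HOSTS="cloud media git"   # constructed list of published hostnames

# Emit the fragment on stdout. dnsmasq picks the most specific matching
# suffix, so an address= entry for a subdomain takes precedence over the
# server= entry for the parent domain.
split_horizon_conf() {
  domain=$1; proxy_ip=$2; upstream=$3
  shift 3
  printf '# Unknown names under %s are forwarded upstream\n' "$domain"
  printf 'server=/%s/%s\n' "$domain" "$upstream"
  printf '# Published services resolve to the LAN address of the reverse proxy\n'
  for host in "$@"; do
    printf 'address=/%s.%s/%s\n' "$host" "$domain" "$proxy_ip"
  done
}

# Sanity check before the file is dropped into conf.d: every published host
# must have exactly one address= override and the upstream forward must be
# present. Returns 0 when the fragment is consistent, 1 otherwise.
verify_conf() {
  domain=$1; expected_hosts=$2
  conf=$(cat)
  printf '%s\n' "$conf" | grep -q "^server=/$domain/" || return 1
  for host in $expected_hosts; do
    n=$(printf '%s\n' "$conf" | grep -c "^address=/$host.$domain/")
    [ "$n" -eq 1 ] || return 1
  done
  return 0
}

# Stand-alone run: print the fragment and report whether it verifies.
# Redirect stdout to /usr/local/etc/dnsmasq.conf.d/custom-domain.conf to apply.
if [ "${0##*/}" != "sh" ]; then
  # shellcheck disable=SC2086
  split_horizon_conf "$DOMAIN" "$PROXY_LAN_IP" "$UPSTREAM" $PUBLISHED_HOSTS
  split_horizon_conf "$DOMAIN" "$PROXY_LAN_IP" "$UPSTREAM" $PUBLISHED_HOSTS \
    | verify_conf "$DOMAIN" "$PUBLISHED_HOSTS" \
    && echo "# fragment verified" >&2
fi
```

Once the fragment is in place and the Dnsmasq service has been restarted, an `nslookup cloud.mydomain.com` from a LAN client should return the proxy's LAN address rather than the WAN address (or no answer), which is the quickest way to tell a DNS problem apart from a NAT reflection problem on a given client or VLAN.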