Author Topic: Problem with nat 1:1 reflection (Read 5773 times)

sirio81 · « **on:** May 05, 2018, 03:05:32 pm »

Hi all, I have 2 webservers behind OPNsense 18.1.6-amd64:

(binat)
1.2.3.4 -> 192.168.6.38 (nat 1:1)
1.2.3.5 -> 192.168.6.37 (nat 1:1)

I set nat reflection advanced options

I set a firewall rule on wan interface

The servers are reachable from the internet but not from my internal LAN networks.
Nat reflection is working with other forwarded ports.
I'm probably missing firewall rule,

Any suggestion?

guest15389 · « **Reply #1 on:** May 05, 2018, 03:09:25 pm »

I just set an override in Unbound DNS to the internal IP and don't worry about going out and back in.

sirio81 · « **Reply #2 on:** May 05, 2018, 07:16:40 pm »

Unfortunately this is an option I can't take.

guest15389 · « **Reply #3 on:** May 05, 2018, 10:02:48 pm »

What's your rules look like? If you can share the

You can always configure Unbound to forward to a different DNS server if that's easier rather than having it resolve as well.

sirio81 · « **Reply #4 on:** May 07, 2018, 10:00:53 am »

I forgot to mention I'm using multi wan it that matters.
By the way, I'm not looking for work around but to find the way to make nat reflection works.

guest15389 · « **Reply #5 on:** May 07, 2018, 12:45:43 pm »

Can you share the firewall rules and the logs when you are trying to ping or connect to it?

I wasn't offering it as a work around but a simpler setup. I don't reflect because it's added complexity as to why would I want to direct to my firewall and back to an internal host. In my use case, I could reflect, but it's unneeded complexity so I just DNS override to the internal IP for that. For me, it's easier and less complex.

sirio81 · « **Reply #6 on:** May 08, 2018, 12:46:26 pm »

Hi Animosity022, I do agree that dns override is a better solution but consider to more webserver, hosthing 100 domains.
All these domains and all their record shall be overridden to be able to reach them from the internal netwrok.
That's why I'm opting for nat reflection.
If it was matter of few dns records, I wasn't going to use nat reflection.
I'm aware that this way the traffic goes through the firewall but there will be not many requests in my case.

Anyway, I made it work!
I have to lan netwroks: 192.168.2.0/24 and 192.168.3.0/24.
My LAN interface has ip 192.168.2.254 and the virtual ip 192.168.3.250.
They are the gw for the relative netwroks.
I added two rules on LAN interface:

from 192.168.2.0/24 to 192.168.6.0/24 pass
from 192.168.3.0/24 to 192.168.6.0/24 pass

traceroute www.domain.com
traceroute to www.domain.com (1.2.3.4), 30 hops max, 60 byte packets
1 webserver-jessie.domain.com (1.2.3.4) 0.425 ms 0.457 ms 0.479 ms
2 webserver-jessie.domain.com (1.2.3.4) 1.689 ms 1.682 ms 1.697 ms

Note: I was in doubt if it was necessary to disable the option "Block private networks" on the WAN interface but it isn't.

Author Topic: Problem with nat 1:1 reflection (Read 5773 times)

sirio81

Problem with nat 1:1 reflection

guest15389

Re: Problem with nat 1:1 reflection

sirio81

Re: Problem with nat 1:1 reflection

guest15389

Re: Problem with nat 1:1 reflection

sirio81

Re: Problem with nat 1:1 reflection

guest15389

Re: Problem with nat 1:1 reflection

sirio81

Re: Problem with nat 1:1 reflection