Bug #11481

NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat"

Added by aniel arias almost 4 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee: Viktor Gurov
Category: NAT Reflection
Target version: -
Start date: 02/20/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5-p1
Affected Architecture: All

Description

I notice that when using NAT + Proxy, NAT reflection works, but when using Pure NAT it does not. Is this working as designed, or is something else in place here? I tried finding an already open ticket but I couldn't.

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Rejected

There isn't nearly enough information here and this site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.

Actions #2

Updated by Marcos M about 3 years ago

  • Status changed from Rejected to Confirmed

I ran into this issue and was able to get more details. I tested this on both 2.4.5p1 and 21.05 with the following set:
  1. NAT Reflection mode for port forwards
  2. Enable NAT Reflection for 1:1 NAT
  3. Enable automatic outbound NAT for Reflection
  4. Port forward rule on WAN
  5. 1:1 rule on WAN

This results in the following rules:
igb0 = WAN; igb1 = LAN1; igb2 = LAN2

binat on igb0 from 10.1.1.4 to any -> 192.0.2.2
[...]
# NAT Inbound Redirects
rdr on igb0 inet proto { tcp udp } from any to 177.231.47.7 port 8080 -> 10.1.1.3
# Reflection redirect
rdr on { igb1 igb2 } inet proto { tcp udp } from any to 192.0.2.3 port 80 -> 10.1.1.3
# Reflection redirects and NAT for 1:1 mappings
rdr on { igb1 igb2 } from any to 192.0.2.2 -> 10.1.1.4 bitmask
no nat on igb1 from (igb1) to 10.1.1.4
nat on igb1 from 10.1.1.0/24 to 10.1.1.4 -> 10.1.1.1 port 1024:65535

Here, the nat rule should instead be the following to address traffic from other subnets:

nat on igb1 from { 10.1.1.0/24 10.2.2.0/24 } to 10.1.1.4 -> 10.1.1.1 port 1024:65535

And an additional nat rule should be added for the port forward:

nat on igb1 from { 10.1.1.0/24 10.2.2.0/24 } to 10.1.1.3 -> 10.1.1.1 port 1024:65535

Without these additional rules, accessing the public IP results in asymmetric routing.
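A check for the gap the comment above describes, written as an added example (not pfSense's own filter code): it parses a reflection ruleset, works out which internal subnets each reflected target still lacks an outbound nat rule for, and prints the nat lines that would close the gaps in the form given above. The topology (igb1 = 10.1.1.0/24, igb2 = 10.2.2.0/24, igb1 address 10.1.1.1) is taken from the posted rules; the igb2 address is an assumption.

```python
import re
import ipaddress

# Constructed topology from the report (igb1 = LAN1, igb2 = LAN2): the igb2 subnet is
# taken from the expected rule, 10.1.1.1 from the posted nat rule; igb2's address is assumed.
INTERNAL = {"igb1": ("10.1.1.1", "10.1.1.0/24"), "igb2": ("10.2.2.1", "10.2.2.0/24")}

POSTED_RULES = """\
rdr on igb0 inet proto { tcp udp } from any to 177.231.47.7 port 8080 -> 10.1.1.3
rdr on { igb1 igb2 } inet proto { tcp udp } from any to 192.0.2.3 port 80 -> 10.1.1.3
rdr on { igb1 igb2 } from any to 192.0.2.2 -> 10.1.1.4 bitmask
no nat on igb1 from (igb1) to 10.1.1.4
nat on igb1 from 10.1.1.0/24 to 10.1.1.4 -> 10.1.1.1 port 1024:65535
"""  # constructed copy of the ruleset posted in the report

RDR_RE = re.compile(r"^rdr on (\{[^}]*\}|\S+) .*-> (\d+(?:\.\d+){3})")
NAT_RE = re.compile(r"^nat on (\S+) .*from (\{[^}]*\}|\S+) to (\d+(?:\.\d+){3}) ->")

def _names(token):
    return token.strip("{}").split()  # "{ a b }" -> ["a", "b"], "a" -> ["a"]

def reflection_gaps(rules):
    """(iface, target, subnet) triples whose reflected traffic gets no outbound NAT."""
    covered = {}  # (iface, target) -> source networks an existing nat rule translates
    for line in rules.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            covered.setdefault((m.group(1), m.group(3)), set()).update(_names(m.group(2)))
    gaps = []
    for line in rules.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or not any(i in INTERNAL for i in _names(m.group(1))):
            continue  # not a reflection rdr on an internal interface
        target = ipaddress.ip_address(m.group(2))
        for iface, (_, net) in INTERNAL.items():
            if target not in ipaddress.ip_network(net):
                continue  # the nat rule belongs on the interface the target sits behind
            for src in (n for _, n in INTERNAL.values()):
                gap = (iface, str(target), src)
                if src not in covered.get(gap[:2], set()) and gap not in gaps:
                    gaps.append(gap)
    return gaps

def rules_to_add(rules):
    """One nat line per uncovered target, in the form the comment above gives."""
    subnets = " ".join(n for _, n in INTERNAL.values())
    return list(dict.fromkeys(  # dedupe while keeping rdr order
        f"nat on {i} from {{ {subnets} }} to {t} -> {INTERNAL[i][0]} port 1024:65535"
        for i, t, _ in reflection_gaps(rules)))

if __name__ == "__main__":
    print("\n".join(rules_to_add(POSTED_RULES)))
```

Appending the printed lines to the ruleset and running the check again reports no remaining gaps.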

Actions #4

Updated by Jim Pingle about 3 years ago

  • Status changed from Confirmed to Pull Request Review
  • Assignee set to Viktor Gurov

Actions #5

Updated by Steve Wheeler about 3 years ago

This looks to be fixed in 2.6/22.01 without this PR.
Outbound NAT rules are added as expected when NAT reflection is in PureNAT mode and 'Enable automatic outbound NAT for Reflection' is set:

# NAT Inbound Redirects
rdr on vtnet0 inet proto tcp from any to 172.21.16.22 port 222 -> 192.168.191.10 port 22
# Reflection redirect
rdr on { vtnet1 openvpn WireGuard } inet proto tcp from any to 172.21.16.22 port 222 -> 192.168.191.10 port 22
no nat on vtnet1 proto tcp from (vtnet1) to 192.168.191.10 port 22
nat on vtnet1 proto tcp from 192.168.191.0/24 to 192.168.191.10 port 22 -> 192.168.191.1 port 1024:65535

Tested:

2.6.0-DEVELOPMENT (amd64)
built on Tue Oct 12 05:18:10 UTC 2021
FreeBSD 12.2-STABLE

Actions #6

Updated by Marcos M about 3 years ago

  • Status changed from Pull Request Review to Closed
  • Affected Version changed from 2.5.0 to 2.4.5-p1

Closing as it's not an issue on 22.01.
