Bug #11481
NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat"
Status: Closed
Description
I notice that when using NAT + proxy, NAT reflection works, but when using pure NAT it does not. Is this working as designed, or is something else in place here? I tried finding an already open ticket but couldn't.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Rejected
There isn't nearly enough information here and this site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.
Updated by Marcos M about 3 years ago
- Status changed from Rejected to Confirmed
- NAT Reflection mode for port forwards
- Enable NAT Reflection for 1:1 NAT
- Enable automatic outbound NAT for Reflection
- Port forward rule on WAN
- 1:1 rule on WAN
This results in the following rules:
igb0 = WAN; igb1 = LAN1; igb2 = LAN2
binat on igb0 from 10.1.1.4 to any -> 192.0.2.2
[...]
# NAT Inbound Redirects
rdr on igb0 inet proto { tcp udp } from any to 177.231.47.7 port 8080 -> 10.1.1.3
# Reflection redirect
rdr on { igb1 igb2 } inet proto { tcp udp } from any to 192.0.2.3 port 80 -> 10.1.1.3
# Reflection redirects and NAT for 1:1 mappings
rdr on { igb1 igb2 } from any to 192.0.2.2 -> 10.1.1.4 bitmask
no nat on igb1 from (igb1) to 10.1.1.4
nat on igb1 from 10.1.1.0/24 to 10.1.1.4 -> 10.1.1.1 port 1024:65535
Here, the nat rule should instead be the following to address traffic from other subnets:
nat on igb1 from { 10.1.1.0/24 10.2.2.0/24 } to 10.1.1.4 -> 10.1.1.1 port 1024:65535
And an additional nat rule should be added for the port forward:
nat on igb1 from { 10.1.1.0/24 10.2.2.0/24 } to 10.1.1.3 -> 10.1.1.1 port 1024:65535
Without these additional rules, accessing the public IP results in asymmetric routing.
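Added here as an illustration (not pfSense's own code): a small generator for the reflection rules discussed in the comment above, with a switch that reproduces the single-subnet nat rule the comment reports and the multi-subnet version it proposes. The interface names and subnets are constructed to match the example, and the firewall's address on each LAN is assumed to be the first host of the subnet.

```python
from ipaddress import ip_address, ip_network

# Constructed topology matching the ticket: igb1 and igb2 are the internal
# interfaces; the firewall's address on each is assumed to be the first host.
LAN_IFACES = {"igb1": "10.1.1.0/24", "igb2": "10.2.2.0/24"}


def target_iface(target_ip):
    """Interface whose subnet contains the forwarded-to host."""
    t = ip_address(target_ip)
    return next(i for i, n in LAN_IFACES.items() if t in ip_network(n))


def reflection_rules(public_ip, public_port, target_ip, target_port=None,
                     proto="{ tcp udp }", all_subnets=True):
    """pf rdr / no nat / nat lines for reflecting public_ip:public_port.

    all_subnets=False reproduces what the ticket reports (only the target's
    own subnet is source-NATed); True adds every internal subnet, which is
    the rule shape the comment above proposes.
    """
    tif = target_iface(target_ip)
    gw = ip_network(LAN_IFACES[tif])[1]          # assumed firewall LAN address
    ifaces = " ".join(sorted(LAN_IFACES))
    nat_src = (sorted(LAN_IFACES.values()) if all_subnets
               else [LAN_IFACES[tif]])
    src = nat_src[0] if len(nat_src) == 1 else "{ " + " ".join(nat_src) + " }"
    tport = f" port {target_port}" if target_port else ""
    return [
        f"rdr on {{ {ifaces} }} inet proto {proto} from any to {public_ip} "
        f"port {public_port} -> {target_ip}{tport}",
        # Do not translate the firewall's own traffic towards the target.
        f"no nat on {tif} from ({tif}) to {target_ip}",
        # Source-NAT reflected traffic so the target answers via the firewall.
        f"nat on {tif} from {src} to {target_ip} -> {gw} port 1024:65535",
    ]


def source_nat_applies(client_ip, target_ip, all_subnets=True):
    """Does the generated nat rule cover a client at client_ip?"""
    c = ip_address(client_ip)
    nets = (list(LAN_IFACES.values()) if all_subnets
            else [LAN_IFACES[target_iface(target_ip)]])
    return any(c in ip_network(n) for n in nets)


if __name__ == "__main__":
    for line in reflection_rules("192.0.2.3", 80, "10.1.1.3"):
        print(line)
```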
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from Confirmed to Pull Request Review
- Assignee set to Viktor Gurov
Updated by Steve Wheeler about 3 years ago
This looks to be fixed in 2.6/22.01 without this PR.
Outbound NAT rules are added as expected when NAT reflection is in PureNAT mode and 'Enable automatic outbound NAT for Reflection' is set:
# NAT Inbound Redirects
rdr on vtnet0 inet proto tcp from any to 172.21.16.22 port 222 -> 192.168.191.10 port 22
# Reflection redirect
rdr on { vtnet1 openvpn WireGuard } inet proto tcp from any to 172.21.16.22 port 222 -> 192.168.191.10 port 22
no nat on vtnet1 proto tcp from (vtnet1) to 192.168.191.10 port 22
nat on vtnet1 proto tcp from 192.168.191.0/24 to 192.168.191.10 port 22 -> 192.168.191.1 port 1024:65535
Tested:
2.6.0-DEVELOPMENT (amd64) built on Tue Oct 12 05:18:10 UTC 2021 FreeBSD 12.2-STABLE
Updated by Marcos M about 3 years ago
- Status changed from Pull Request Review to Closed
- Affected Version changed from 2.5.0 to 2.4.5-p1
Closing as it's not an issue on 22.01.