Feature #13335: Allow NAT reflection to be limited to specific interfaces
Status: open (0% done)
Description
I have a setup at home with a VLAN for guests, which doesn't have access to any internal resources. Because of this, I give DHCP clients on this VLAN my upstream DNS servers to use rather than my internal one.
However, this also means that my internal DNS entries for services which I also make available externally aren't available. I wouldn't really want them to be in any case, but clients receive the IP addresses that these FQDNs resolve to in the public DNS hosting I have. As such, they connect to my firewall for those entries, which, since they include port 443, means I need to use NAT reflection in order to allow them to access things I make publicly available.
I'd rather not have NAT reflection enabled everywhere and instead confine it only to the VLAN interface I created, but there doesn't seem to be a way to do that, currently.
Could this please be added as an option in a future release?
Updated by Marcos M over 2 years ago
The NAT reflection mode default can be kept as disabled, while enabling it per NAT rule. I suppose having the feature may be slightly beneficial in some edge cases, but I don't think it's worth implementing given the level of control that's already available.
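For readers who want to see what "reflection only on the guest VLAN" looks like at the packet-filter level, here is an added illustration in plain FreeBSD pf syntax. It is not pfSense-generated configuration and not part of the ticket; interface names, addresses and the service address are constructed placeholders. The idea is that the public port forward exists only on the WAN interface, and a second, narrowly scoped rdr rule on the guest VLAN interface redirects only guest clients that hit the firewall's public address on port 443, so no other internal segment gets reflection at all.

```pf
# Constructed example: scoped NAT reflection for a guest VLAN.
# All names and addresses below are placeholders, not values from the ticket.
ext_if    = "em0"             # WAN interface (assumed)
guest_if  = "em1.20"          # guest VLAN interface (assumed)
guest_net = "192.168.20.0/24" # guest VLAN subnet (constructed)
wan_ip    = "203.0.113.10"    # public address the FQDNs resolve to (constructed)
web_srv   = "192.168.10.5"    # internal host serving the public service (constructed)

# 1. Ordinary inbound port forward from the Internet on WAN only.
rdr pass on $ext_if proto tcp from any to $wan_ip port 443 -> $web_srv port 443

# 2. Reflection limited to the guest VLAN: only guest clients that connect to
#    the public address are redirected to the internal server. No rdr rule is
#    placed on any other internal interface, so reflection is confined here.
rdr pass on $guest_if proto tcp from $guest_net to $wan_ip port 443 -> $web_srv port 443

# 3. Guest clients are still denied direct access to the internal segment;
#    the rdr above is the only path to $web_srv, and only on port 443.
block in quick on $guest_if from $guest_net to 192.168.10.0/24
```

Because the guest subnet and the server live on different segments, the firewall is already in the return path, so no additional source NAT is needed for the reflected flow; if the client and server were on the same segment, a matching `nat on` rule would be required to avoid asymmetric replies.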