Feature #13335

open

Allow NAT reflection to be limited to specific interfaces

Added by Chris Gelatt about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
NAT Reflection
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

I have a setup at home with a VLAN for guests, which doesn't have access to any internal resources. Because of this, I give DHCP clients on this VLAN my upstream DNS servers to use rather than my internal one.

However, this also means that my internal DNS entries for services which I also make available externally aren't available. I wouldn't really want them to be in any case, but clients receive the IP addresses that these FQDNs resolve to in the public DNS hosting I have. As such, they connect to my firewall for those entries, which, since they include port 443, means I need to use NAT reflection in order to allow them to access things I make publicly available.

I'd rather not have NAT reflection enabled everywhere and instead confine it only to the VLAN interface I created, but there doesn't seem to be a way to do that, currently.

Could this please be added as an option in a future release?

Actions #1

Updated by Marcos M about 1 month ago

The NAT reflection mode default can be kept as disabled, while enabling it per NAT rule. I suppose having the feature may be slightly beneficial in some edge cases, but I don't think it's worth implementing given the level of control that's already available.
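For readers who want to see what the request in the description and the per-rule alternative in the comment above look like in practice, here is an added illustration in raw pf ruleset syntax; it is not code from the issue, from pfSense's generated rules, or from either participant. Interface names, addresses and the service host are constructed placeholders. The point is that a pf `rdr` rule is scoped to an interface by its `on` clause, so reflection for one public service can be confined to the guest VLAN alone rather than every internal interface.

```pf
# Constructed example: reflect one public HTTPS service only on the guest VLAN.
# All names and addresses below are placeholders, not values from the issue.
ext_ip   = "203.0.113.10"      # public address the FQDN resolves to
web_srv  = "192.168.20.5"      # internal host actually serving the site
guest_if = "vlan30"            # guest VLAN interface (the only one that gets reflection)

# Reflection itself: guest clients that connect to the public IP on 443 are
# redirected to the internal server. Because the rule is bound to $guest_if,
# no other internal interface performs this redirection.
rdr on $guest_if inet proto tcp from $guest_if:network to $ext_ip port 443 \
    -> $web_srv port 443

# Allow only the reflected traffic through; the guest VLAN still has no other
# path to internal resources.
pass in quick on $guest_if inet proto tcp from $guest_if:network to $web_srv port 443
block in quick on $guest_if inet from $guest_if:network to 192.168.0.0/16
```

Ordering matters: pf evaluates the `rdr` translation before filtering, so the `pass` rule must match the post-translation destination (`$web_srv`), and the broad `block` for the rest of the private range must come after it or carry the narrower rule first with `quick`. Restricting the `rdr` to one interface is what keeps the reflection from silently applying to every other VLAN.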
