Bug #2042

open

NAT reflection doesn't apply to self-initiated traffic

Added by Anonymous about 13 years ago. Updated almost 4 years ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: NAT Reflection
Target version: -
Start date: 12/09/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Squid can't access hosts inside a DMZ with DMZ hosts accessible only via 1:1 NAT.

My config:
- 4 interfaces: WAN (bge1), LAN (bge0), DMZ (em0), GUEST (em1)
- DMZ subnet is private IPs, using 1:1 NAT and IP Alias with reflection redirects to map incoming traffic from the other interfaces and from the internet onto my public webservers

Rules from the rules.debug:
    # Reflection redirects and NAT for 1:1 mappings
    rdr on { bge0 em0 em1 } from any to aaa.bbb.ccc.ddd -> 192.168.ccc.ddd bitmask
    no nat on em0 from em0 to 192.168.ccc.ddd
    nat on em0 from 192.168.ccc.ddd/27 to 192.168.ccc.ddd -> em0 port 1024:65535

I suppose adding the loopback interface (lo0?) to the "rdr on" rule would fix this issue.

A slightly longer version of this text can be found on the forum here: http://forum.pfsense.org/index.php/topic,43613.0.html

Best regards,
-Jan
