1:1 NAT Reflection helper rules do not cover static route subnets
If you enable NAT reflection for 1:1 NAT and also the outbound NAT rules to assist 1:1 NAT, the resulting rules only cover the LAN subnet.
If you try to reach the public IP of a 1:1 NAT entry from a static route subnet, it doesn't work properly.
For example, on a LAN of 192.168.66.x with a static route on LAN to 192.168.77.x, the resulting rule for a 1:1 NAT targeting 192.168.66.5 is:
nat on em1 from 192.168.66.0/24 to 192.168.66.5 -> em1 port 1024:65535
But it should have one entry per subnet reachable on that interface, such as:
nat on em1 from 192.168.66.0/24 to 192.168.66.5 -> em1 port 1024:65535
nat on em1 from 192.168.77.0/24 to 192.168.66.5 -> em1 port 1024:65535
Updated by Erik Fonnesbeck over 9 years ago
It appears that this only happens when the gateway referenced by the static route is directly reachable (on the same subnet) by the NAT target. The target gets an ICMP redirect and caches the return route, bypassing the router on the reply. If the gateway to route to 192.168.77.x is not on 192.168.66.x, it routes fine without the extra NAT, since no route gets pushed for a gateway that is not directly reachable on its subnet.
Based on this, only the subnets for static routes whose gateway lies in the same subnet will need to be added to the nat line.
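As an added illustration (not pfSense's own rule generator), the following Python sketch builds the reflection-assist NAT lines the way the comment above describes: the interface subnet is always covered, and a static route subnet is added only when its gateway lies inside the interface subnet. The interface name, subnets and gateway addresses are constructed sample values taken from or modelled on this report.

```python
import ipaddress


def reflection_nat_rules(iface, iface_subnet, targets, static_routes,
                         port_range="1024:65535"):
    """Return pf 'nat on' lines assisting 1:1 NAT reflection on one interface.

    iface         -- pf interface name, e.g. "em1" (assumed)
    iface_subnet  -- the interface's own subnet, e.g. "192.168.66.0/24"
    targets       -- internal 1:1 NAT target addresses
    static_routes -- list of (destination_subnet, gateway) tuples

    A static route subnet is included only if its gateway is directly
    reachable on iface_subnet: hosts there receive an ICMP redirect and
    reply directly, so traffic from that subnet must also be NATed.
    Routes via a gateway outside iface_subnet work without the extra rule.
    """
    net = ipaddress.ip_network(iface_subnet, strict=False)
    sources = [net]
    for dest, gw in static_routes:
        if ipaddress.ip_address(gw) in net:
            sources.append(ipaddress.ip_network(dest, strict=False))
    rules = []
    for target in targets:
        for src in sources:
            rules.append(
                f"nat on {iface} from {src} to {target} -> {iface} port {port_range}"
            )
    return rules


if __name__ == "__main__":
    # Constructed example: the report's LAN plus two static routes, one with
    # a gateway on the LAN (needs a rule) and one with a remote gateway (does not).
    for line in reflection_nat_rules(
        "em1", "192.168.66.0/24", ["192.168.66.5"],
        [("192.168.77.0/24", "192.168.66.254"),   # gateway on LAN -> included
         ("192.168.88.0/24", "10.0.0.1")],        # gateway elsewhere -> skipped
    ):
        print(line)
```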