Bug #2163


1:1 NAT Reflection helper rules do not cover static route subnets

Added by Jim Pingle about 12 years ago. Updated over 11 years ago.

NAT Reflection


If you enable NAT reflection for 1:1 NAT and also the outbound NAT rules to assist 1:1 NAT, the resulting rules only cover the LAN subnet.

If you try to reach the public IP of a 1:1 NAT entry from a static route subnet, it doesn't work properly.

For example, on a LAN of 192.168.66.x with a static route on LAN to 192.168.77.x, the resulting rule for a 1:1 NAT targeting is:

nat on em1 from to -> em1 port 1024:65535

But it should have one entry per subnet reachable on that interface, such as:

nat on em1 from to -> em1 port 1024:65535
nat on em1 from to -> em1 port 1024:65535
#1

Updated by Erik Fonnesbeck about 12 years ago

It appears that this only happens when the gateway referenced by the static route is directly reachable (on the same subnet) by the NAT target. The target gets an ICMP redirect and caches the return route, bypassing the router on the reply. If the gateway to route to 192.168.77.x is not on 192.168.66.x, it routes fine without the extra NAT, since no route gets pushed for a gateway that is not directly reachable on its subnet.

Based on this, only the subnets for static routes whose gateway lies in the same subnet will need to be added to the nat line.

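The rule selection described in comment #1, written out as an added example (this is illustrative code, not pfSense's own rule generator): starting from the interface subnet, it adds one nat line for each static-route subnet whose gateway lies inside that interface subnet, and skips routes whose gateway is elsewhere. The topology is constructed to match the report (LAN 192.168.66.0/24, static route to 192.168.77.0/24) plus one extra route whose gateway is off-LAN; the destination address the report's nat line matched was lost in extraction, so a hypothetical 1:1 NAT target of 192.168.66.10 stands in for it.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed topology, modelled on the bug report. Only the first static
# route's gateway (192.168.66.2) sits inside the LAN subnet; per comment #1
# that is the case where the client receives an ICMP redirect and the extra
# nat line is needed. The 192.168.88.0/24 route is reached via a gateway
# that is not on LAN, so it needs no helper rule.
LAN_IF = "em1"
LAN_SUBNET = "192.168.66.0/24"
STATIC_ROUTES = [
    ("192.168.77.0/24", "192.168.66.2"),  # gateway on LAN: needs helper rule
    ("192.168.88.0/24", "10.0.0.2"),      # gateway not on LAN: skipped
]
# Hypothetical address matched by the nat line's "to" clause; the report's
# own value was stripped from the page, so this is a placeholder.
NAT_TARGET = "192.168.66.10"


def subnets_needing_reflection(iface_subnet: str,
                               static_routes: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the interface subnet followed by every static-route subnet whose
    gateway is directly reachable on that interface subnet (comment #1 rule)."""
    iface_net = ipaddress.ip_network(iface_subnet, strict=False)
    result = [str(iface_net)]
    for dest, gw in static_routes:
        dest_net = ipaddress.ip_network(dest, strict=False)
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr.version != iface_net.version:
            continue  # mixed IPv4/IPv6 entries can never match
        if gw_addr in iface_net and str(dest_net) not in result:
            result.append(str(dest_net))
    return result


def reflection_nat_rules(iface: str, iface_subnet: str,
                         static_routes: Iterable[Tuple[str, str]],
                         target: str) -> List[str]:
    """Render one pf nat line per selected subnet, in the shape the report shows."""
    tgt = ipaddress.ip_address(target)  # validates the placeholder address
    return [f"nat on {iface} from {src} to {tgt} -> {iface} port 1024:65535"
            for src in subnets_needing_reflection(iface_subnet, static_routes)]


if __name__ == "__main__":
    for line in reflection_nat_rules(LAN_IF, LAN_SUBNET, STATIC_ROUTES, NAT_TARGET):
        print(line)
```

Run stand-alone it prints two nat lines, one for 192.168.66.0/24 and one for 192.168.77.0/24, and nothing for 192.168.88.0/24; the gateway-in-subnet test is the only thing that distinguishes the two routes.
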
#2

Updated by Erik Fonnesbeck about 12 years ago

  • Status changed from New to Feedback

It should be good now with these two fixes and the one just before them for a separate related issue.

#3

Updated by Jim Pingle over 11 years ago

  • Status changed from Feedback to Resolved
