core: NAT reflection doesn't appear to be working

Not sure if this is a bug or not. I’m running 19.7.5_5. So I have my XMPP server on an inside subnet, and I’ve got the port forward working…at least from the outside.

So outside my LAN, people can reach my chat server and authenticate using the DDNS I have setup. No issue there. However, from inside the LAN I can’t use the DDNS address. I have to specify the internal IP of the server to use the chat when I’m at home. I can only assume this has something to do with the port forwarding, but I’m not sure what it would be.

I don’t see anything in the live logs in terms of traffic being blocked or anything when I try to connect using the DDNS address. I can see the traffic being allowed, or at least it seems to be.
Inside  Oct 16 18:07:36  192.168.50.71:62192  10.5.7.18:5222  tcp  let out anything from firewall host itself
Inside  Oct 16 18:07:36  192.168.50.71:62192  10.5.7.18:5222  tcp

Not sure I know how to read the state table but I do see this

192.168.50.27:49436 -> 10.5.7.18:5222 SYN_SENT:CLOSED

[Screenshots attached: Port Forward / NAT / Firewall and INET / Rules / Firewall pages on Asgard-Wall localdomain]

I already have “Reflection for port forwards” and “Automatic outbound NAT for reflection” enabled. I also reset the state tables but no change.

Any help is appreciated. Thank you!

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 20 (7 by maintainers)

Most upvoted comments

I have been testing NAT reflection in my environment like this. I guess this is called double NAT, which causes the issue: WAN <> iptables <> opnsense <> LAN

Detailed working setting: go to Firewall / Settings / Advanced and check these boxes:

  • Reflection for port forwards
  • Automatic outbound NAT for Reflection

(optional) go to Firewall / Aliases and add a new record:

  • Name: WAN_IP
  • Type: Host(s)
  • Content: YOUR PUBLIC WAN IP

go to Firewall / NAT / Port Forward and add a new record:

  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: TCP
  • Destination: use the above alias WAN_IP or type YOUR PUBLIC WAN IP
  • Destination port range: depends on your setup
  • Redirect target IP: internal LAN IP
  • Redirect target port: depends on your setup
  • NAT reflection: Enable

Hope this helps

Firewall: Settings: Advanced
  • Reflection for port forwards: Y
  • Automatic outbound NAT for Reflection: Y

This setup works fine.

@VooPoc What you posted will not work. It should be:

  • Interface: LAN
  • Source: LAN net
  • Destination Address: WAN net
  • Destination Port: Your server port
  • Translation/target: Internal Server Address and Port

The rule says “If traffic from inside bound for the public ip/port is found, redirect that traffic to the internal host and port”

And yes - “NAT Reflection” on OPNsense is a dumpster fire. Better off just building manual rules.
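The two recipes above (the GUI checkboxes and the manual LAN-interface rule) both come down to the same pf mechanics: a redirect rule has to match on the interface the client's packet actually arrives on, and the answer from the server has to travel back through the firewall so the translation can be undone. The following model is an added example, not code from the thread or from OPNsense; the addresses, interface names (wan, lan, inside) and the 5222 port forward are constructed to resemble the poster's setup, and the pf.conf lines in the docstrings are the approximate rdr/nat form of each rule. It walks one SYN through redirect, routing and outbound NAT and reports why a WAN-only forward is invisible from inside, why a client on a different subnet than the server works with the reflection redirect alone, and why a client on the server's own subnet also needs the outbound NAT rule (otherwise the server replies directly from its internal IP and the client resets a SYN/ACK it never expected).

```python
"""Model of pf-style rdr/nat handling for hairpin (NAT reflection) traffic.
Constructed example: topology and rules are assumptions, not the thread's config."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed topology: interface -> (firewall's own address, attached subnet)
WAN_IP = ip_address("203.0.113.10")            # what the DDNS name resolves to
IFACES = {
    "wan":    (WAN_IP,                        ip_network("203.0.113.0/24")),
    "lan":    (ip_address("192.168.50.1"),    ip_network("192.168.50.0/24")),
    "inside": (ip_address("10.5.7.1"),        ip_network("10.5.7.0/24")),
}
XMPP_SRV = ip_address("10.5.7.18")             # assumed internal chat server
XMPP_PORT = 5222


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the SYN arrives on
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rdr:
    """rdr on <iface> proto tcp from <src or any> to <dst> port <port> -> <target>"""
    iface: str
    src: Optional[IPv4Network]   # None means 'any'
    dst: IPv4Address
    port: int
    target: IPv4Address


@dataclass(frozen=True)
class Nat:
    """nat on <iface> proto tcp from <src> to <dst> port <port> -> (<iface>)"""
    iface: str
    src: IPv4Network
    dst: IPv4Address
    port: int


def egress_iface(dst: IPv4Address) -> str:
    """Connected-route lookup; anything else leaves via the default route (wan)."""
    for name, (_, net) in IFACES.items():
        if dst in net:
            return name
    return "wan"


def is_firewall_addr(addr: IPv4Address) -> bool:
    return any(addr == own for own, _ in IFACES.values())


def hairpin(pkt: Packet, rdrs: list, nats: list) -> str:
    """Follow one SYN from an internal client to WAN_IP:port and give a verdict."""
    # 1. rdr is evaluated on the interface the packet arrives on, first match wins
    fwd = pkt
    for r in rdrs:
        if (r.iface == pkt.iface and r.dst == pkt.dst and r.port == pkt.dport
                and (r.src is None or pkt.src in r.src)):
            fwd = replace(pkt, dst=r.target)
            break
    if is_firewall_addr(fwd.dst):
        return f"delivered to the firewall itself: no redirect matched on {pkt.iface}"
    # 2. routing picks the egress interface; outbound nat is evaluated there
    out = egress_iface(fwd.dst)
    for n in nats:
        if n.iface == out and fwd.src in n.src and fwd.dst == n.dst and n.port == fwd.dport:
            fwd = replace(fwd, src=IFACES[out][0])
            break
    # 3. the server answers whatever source it saw. If that source is on the server's
    #    own subnet the reply goes straight to the client, never crossing the firewall,
    #    so the client sees a SYN/ACK from the internal IP instead of WAN_IP and resets.
    fw_addr, server_net = IFACES[out]
    if fwd.src in server_net and fwd.src != fw_addr:
        return f"asymmetric: reply from {fwd.dst} goes direct to {fwd.src}, bypassing the firewall"
    return f"works: {pkt.src} -> {pkt.dst}:{pkt.dport} became {fwd.src} -> {fwd.dst}:{fwd.dport}"


# The ordinary WAN port forward (Interface: WAN, Destination: WAN address)
WAN_FWD = Rdr("wan", None, WAN_IP, XMPP_PORT, XMPP_SRV)
# The same forward on each internal interface: what "Reflection for port forwards"
# generates, or the manual rule with Interface: LAN, Source: LAN net, Destination: WAN address
REFLECT = [Rdr(i, IFACES[i][1], WAN_IP, XMPP_PORT, XMPP_SRV) for i in ("lan", "inside")]
# What "Automatic outbound NAT for Reflection" generates: source-NAT hairpinned
# connections to the firewall's own address on the server's interface
REFLECT_NAT = [Nat(i, IFACES[i][1], XMPP_SRV, XMPP_PORT) for i in ("lan", "inside")]


def scenarios() -> dict:
    lan_client = Packet("lan", ip_address("192.168.50.71"), WAN_IP, XMPP_PORT)
    same_subnet_client = Packet("inside", ip_address("10.5.7.20"), WAN_IP, XMPP_PORT)
    return {
        "lan client, WAN forward only": hairpin(lan_client, [WAN_FWD], []),
        "lan client, reflection rdr": hairpin(lan_client, [WAN_FWD, *REFLECT], []),
        "same-subnet client, reflection rdr only": hairpin(same_subnet_client, [WAN_FWD, *REFLECT], []),
        "same-subnet client, reflection rdr + nat": hairpin(same_subnet_client, [WAN_FWD, *REFLECT], REFLECT_NAT),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:42} {verdict}")
```

When checking a real box, the equivalent observation is the state table: a hairpinned connection that only has a forward state with no matching reverse translation (a lone SYN_SENT entry toward the internal server) points at the reply never coming back through pf, which is the asymmetric case above.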

Any update on this?