core: NAT reflection doesn't appear to be working
Not sure if this is a bug or not. I’m running 19.7.5_5. So I have my XMPP server on an inside subnet, and I’ve got the port forward working…at least from the outside.
So outside my LAN, people can reach my chat server and authenticate using the DDNS I have setup. No issue there. However, from inside the LAN I can’t use the DDNS address. I have to specify the internal IP of the server to use the chat when I’m at home. I can only assume this has something to do with the port forwarding, but I’m not sure what it would be.
I don’t see anything in the live logs in terms of traffic being blocked or anything when I try to connect using the DDNS address. I can see the traffic being allowed, or at least it seems to be.
Inside Oct 16 18:07:36 192.168.50.71:62192 10.5.7.18:5222 tcp let out anything from firewall host itself
Inside Oct 16 18:07:36 192.168.50.71:62192 10.5.7.18:5222 tcp
Not sure I know how to read the state table but I do see this
192.168.50.27:49436 -> 10.5.7.18:5222 SYN_SENT:CLOSED
I already have “Reflection for port forwards” and “Automatic outbound NAT for reflection” enabled. I also reset the state tables but no change.
Any help is appreciated. Thank you!
About this issue
- State: closed
- Created 5 years ago
- Reactions: 1
- Comments: 20 (7 by maintainers)
I have been testing NAT reflection on my env like this. I guess this is called double NAT, which causes the issue.
WAN <> iptables <> opnsense <> LAN
Detailed working setting:
Go to Firewall / Settings / Advanced and check these boxes (optional).
Go to Firewall / Aliases and add a new record.
Go to Firewall / NAT / Port Forward and add a new record.
Hope this helps.
Firewall: Settings: Advanced
Reflection for port forwards: Y
Automatic outbound NAT for Reflection: Y
This setup works fine.
@VooPoc What you posted will not work. It should be:
Interface: LAN
Source: LAN net
Destination Address: WAN net
Destination Port: Your server port
Translation/target: Internal Server Address and Port
The rule says: "If traffic from inside bound for the public IP/port is found, redirect that traffic to the internal host and port."
And yes, "NAT Reflection" on OPNsense is a dumpster fire. Better off just building manual rules.
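For reference, here is what the manual rule set described in the reply above looks like at the pf level (OPNsense generates pf rules from the GUI). This is an added example, not a rule set from the thread or from OPNsense itself. It uses the addresses from the original post (clients on 192.168.50.0/24, the XMPP server at 10.5.7.18:5222); the interface name igb1 and the public address 203.0.113.10 (what the DDNS name would resolve to) are placeholders.

```pf
# Added example: manual NAT reflection for an internal XMPP server.
# Assumed values (not from the thread): igb1 = inside interface,
# 203.0.113.10 = public address the DDNS name resolves to.
inside_if  = "igb1"
inside_net = "192.168.50.0/24"
wan_addr   = "203.0.113.10"
xmpp_srv   = "10.5.7.18"
xmpp_port  = "5222"

# 1. Reflection: a LAN client connecting to the public address on the
#    XMPP port is redirected to the internal server. This is what the GUI
#    option "Reflection for port forwards" generates.
rdr on $inside_if inet proto tcp from $inside_net to $wan_addr port $xmpp_port \
    -> $xmpp_srv port $xmpp_port

# 2. Hairpin NAT: rewrite the source to the firewall's own inside address so
#    the server's SYN-ACK returns through the firewall, which holds the state,
#    rather than going straight to the client (which would discard a reply
#    from 10.5.7.18 when it is waiting on 203.0.113.10). This is what
#    "Automatic outbound NAT for Reflection" generates.
nat on $inside_if inet proto tcp from $inside_net to $xmpp_srv port $xmpp_port \
    -> ($inside_if)

# 3. Filter rules are evaluated after translation, so the pass rule must
#    name the translated destination, not the public address.
pass in quick on $inside_if inet proto tcp from $inside_net to $xmpp_srv port $xmpp_port \
    flags S/SA keep state
```

Two practical checks: `pfctl -sn` lists the rdr/nat rules actually loaded, so you can confirm the GUI produced the ones you expect, and `pfctl -ss` shows the states. A state stuck in SYN_SENT:CLOSED, as in the original post, means pf forwarded the client's SYN but never saw the server's reply. Rule 2 only matches when client and server sit behind the same interface (it is the hairpin case); when they are on different subnets, as 192.168.50.x and 10.5.7.x are here, the reply already has to route back through the firewall, and a missing SYN-ACK points at the return path (the server's gateway, or another NAT hop) rather than at the reflection rule.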
Any update on this?