I lack knowledge about NAT reflection in pfSense

Hello guys,
I’ve heard about NAT reflection and this seems to be a nice feature to implement in my network.

I’m using the other approach - split DNS, which is working fine for me, and I also know that, regarding best practices, this should be done in this way.

But why would I need NAT reflection then?

Back in the day I was constantly thinking about how to restrict access to all “business critical infrastructure”. I put this in quotes because I’m doing all of these tests at home, but I want to learn, and some day do it in a real business environment.

So, there are many ways to achieve such goal, for example:

  1. Use a special VLAN and IP addresses which are allowed to access these devices
  2. Assign a special VLAN based on 802.1X
  3. Use a PPPoE server to get some kind of virtual IP address
  4. Use the same VPN which I use when connecting from outside.

You may notice that some of these approaches have limitations/administration overhead.
For example, now I’m using the first approach, but I don’t like it, because I assigned this VLAN and IP to my desktop PC, but I’m using it for daily work, to browse the Internet and so on, and yeah, this is not good from a security perspective. As far as I know the box I’m using for administration should have limited access to the Internet; most of the time this box is referred to as a jump host.

The second approach is good, but I would have to take care of the re-configuration of my network card, and every time I need access to the infrastructure I would need to perform this re-configuration.

PPPoE is good, but it is not so secure, and I’m not sure how well it is supported on systems other than Windows.

And the last one, which I want to implement because I need to be able to access the home network from outside, and I also know that it supports modern security features like the combination of user/password + certificates and 2FA, which is much better.

Here comes the question. I’ve tried to find some tutorial on the Internet but without success. I only need to set up an OpenVPN server with user/pass authentication, SSL certificates and NAT reflection. When this is done, the easiest part is to allow only this VPN network on all infrastructure devices.

So, can you point me in the right direction?

If you are using the same system that you use for business also for mgmt why does it matter that you are on a VPN internally?

NAT reflection or “hairpinning” solves the issue of accessing hosted services on a network behind the firewall via a system also behind the firewall via the public IP.

I’m not sure what you think the connection between NAT reflection and network security is. NAT reflection exists because NAT exists, which in turn exists because of the IPv4 address space shortage. In a perfect world (i.e. a world where everyone uses IPv6) we wouldn’t need NAT because every IP address is routable on the internet. Network security is an entirely separate issue.

Say you have a set of local networks with internet-routable addresses (as with IPv6 for example) connected to your router (which also has firewall functionality), one is an intranet and one is a DMZ. Inside the DMZ, you have a bunch of servers. Additionally, the router is connected to the internet:

When a node “A” on the internet wants to access a node “B” inside the DMZ, it can do so simply by using B’s IP address. What is more likely though, is that it will perform a DNS lookup for B’s domain name first in order to get B’s IP address. The router will eventually receive the packet because all hops in between know that B’s IP address is behind your router. The router will then route the packet into the DMZ.

When a client “C” from the intranet wants to access B, it can do the same thing as A did. This time, the router will receive the packet on its intranet interface, but will still know to route it into the DMZ.

Firewall rules (“security”) can and should be used at this stage to decide whether the router will indeed route the packets into the destination network (“pass”) or not (“drop” / “reject”).

Now say there is only one internet-routable IP address that is routed to your router (as opposed to one for each node in your local networks). Nodes in your local networks will have to be assigned private addresses. When B and C want to communicate with each other using their respective private IP addresses, the router can simply route the packets between the two networks. When they want to connect to the internet, the router could simply route the packets into the internet, however the receiver wouldn’t be able to send a reply because the source address of the packet (which the reply would be sent to) is not routable on the internet.

Therefore, the router has to perform NAT. Simplified, that means it will change the packet’s source address to its own, internet-routable address before sending it out its internet network interface. It will also change the source port number and log all that information in a state table, so when a reply comes back, the router knows which internal network to route it to. This type of NAT is called “source NAT”.

In the opposite case, when A wants to connect to B, it has to address the router instead. There is no way for A to know B’s IP address (since it is private) and even if it did, intermediate hops on the route would not know where to find it. So again, the router has to perform NAT. But while the source NAT is usually done automatically (so that local nodes can always connect to the internet), in this case the router will only perform NAT when the incoming packets match a (user-)defined rule. This type of NAT is called “destination NAT”.

In pfSense at least, these rules will always be bound to a specific interface, in this example the internet network interface (otherwise called “WAN interface”).

Now, I stated above that when B and C want to communicate, they can do so using their private IP addresses and that statement still holds. But when domain names are used instead, C’s domain name must resolve differently based on where the lookup is made from. When looked up from the intranet or the DMZ, it must resolve to C’s private IP address. When looked up from the internet, it must resolve to the router’s public IP address. This is called “split-horizon DNS” or just “split DNS”.

But what happens when B does not resolve C’s domain name to its private address, but to the router’s public address instead, same as a node on the internet would? In this case, the router would receive the packet and wouldn’t know what to do with it because the NAT rule is bound to the WAN interface. However, the packet will be coming in from the intranet network interface, so the rule won’t match. This is (finally :sweat_smile:) where NAT reflection comes in. When NAT reflection is enabled and the router receives a packet on the DMZ or the intranet interface which has the router’s public IP address set as the destination, the packet will be treated as if it were coming in from the WAN interface. Therefore, the NAT rule will now match the packet and NAT will be performed.


To answer the question “why would you need NAT reflection” - in most cases you don’t - if you have split DNS set up. Split horizon is to be preferred over NAT reflection because when a packet originates in the DMZ and is destined for another node in the DMZ, it doesn’t have to leave the DMZ at all.

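A small executable model of the decisions paolo’s post walks through (source NAT with a state table, a destination NAT rule bound to WAN, split DNS, and NAT reflection). This is an added example, not code from the thread or from pfSense; the addresses, the host names A/B/C, the `b.example.com` zone and the single port-forward rule are all constructed.

```python
"""Toy model of the router behaviour described in the post above: source NAT
with a state table, a destination NAT rule bound to the WAN interface, split
DNS, and NAT reflection. Constructed addresses only; not pfSense or pf code."""
from dataclasses import dataclass, field
import ipaddress

# Constructed topology (RFC 5737 / RFC 1918 addresses).
PUBLIC_IP = "203.0.113.5"                      # the router's only public address
INTRANET = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("10.0.2.0/24")
SERVER_B = "10.0.2.10"                          # server "B" in the DMZ
CLIENT_C = "192.168.1.20"                       # client "C" in the intranet
NODE_A = "198.51.100.7"                         # node "A" on the internet


def iface_for(addr):
    """Router interface an address lives behind."""
    ip = ipaddress.ip_address(addr)
    if ip in INTRANET:
        return "intranet"
    if ip in DMZ:
        return "dmz"
    return "wan"


def split_dns(name, asked_from):
    """Split-horizon DNS: the answer depends on which interface the query came in on."""
    zone = {"b.example.com": {"internal": SERVER_B, "external": PUBLIC_IP}}
    view = "internal" if asked_from in ("intranet", "dmz") else "external"
    return zone[name][view]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Port forward bound to one interface, as pfSense NAT rules are."""
    iface: str
    dst: str
    dport: int
    target: str
    tport: int


@dataclass
class Router:
    public_ip: str
    rules: tuple
    nat_reflection: bool = False
    states: dict = field(default_factory=dict)  # translated port -> (orig src, orig sport)
    next_port: int = 40000

    def handle(self, pkt):
        """Forward-path decision: returns (action, packet as sent on, egress interface)."""
        iface = iface_for(pkt.src)
        # NAT reflection: an internal packet addressed to the public IP is
        # matched against the rules as if it had arrived on WAN.
        match_iface = iface
        if self.nat_reflection and iface != "wan" and pkt.dst == self.public_ip:
            match_iface = "wan"
        for r in self.rules:
            if (r.iface, r.dst, r.dport) == (match_iface, pkt.dst, pkt.dport):
                out = Packet(pkt.src, r.target, pkt.sport, r.tport)
                return ("dnat", out, iface_for(r.target))
        if iface_for(pkt.dst) != "wan":
            return ("route", pkt, iface_for(pkt.dst))  # private to private: plain routing
        if pkt.dst == self.public_ip or iface == "wan":
            return ("drop", pkt, None)                 # no rule matched / unsolicited
        # Internal host going out to the internet: source NAT plus a state entry.
        port = self.next_port
        self.next_port += 1
        self.states[port] = (pkt.src, pkt.sport)
        return ("snat", Packet(self.public_ip, pkt.dst, port, pkt.dport), "wan")

    def handle_reply(self, pkt):
        """Reply arriving on WAN: undo source NAT from the state table."""
        orig = self.states.get(pkt.dport)
        if pkt.dst != self.public_ip or orig is None:
            return ("drop", pkt, None)
        src, sport = orig
        return ("unsnat", Packet(pkt.src, src, pkt.sport, sport), iface_for(src))


def c_to_b_by_public_name(nat_reflection):
    """C resolves B's name the way an internet host would (public IP) and connects."""
    router = Router(PUBLIC_IP, (DnatRule("wan", PUBLIC_IP, 443, SERVER_B, 443),),
                    nat_reflection=nat_reflection)
    pkt = Packet(CLIENT_C, split_dns("b.example.com", "wan"), 51000, 443)
    return router.handle(pkt)


if __name__ == "__main__":
    print("without reflection:", c_to_b_by_public_name(False)[0])
    print("with reflection:   ", c_to_b_by_public_name(True))
```

The model only covers the forward path of the reflected connection. On a real firewall the reply from B must come back through the router so the state entry can undo the translation; when B and the client share a subnet that is not guaranteed, which is why pfSense pairs reflection with an automatic outbound NAT option for that case. With split DNS, as the post says, the client resolves B’s private address and the packet is just routed, so none of this machinery is involved.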

From a learning point of view there are loads of things you can do with pfSense, including all the points you are after.

Mr Lawrence has videos on setting up OpenVPN, but you’ll need to also set up your certificates and security. In my case I include SSL/TLS + User Auth, I kinda hacked my way over 3 months to get my network to some kinda baseline.

I’d suggest looking at guides from VPN providers for hints.

Within pfSense there is a wizard to set up OpenVPN, have you tried that? Coupled with that, VLANs are handy; usually just follow the steps for your switch. Again, Mr Lawrence has a few videos on that topic too.

Your question while short is really broad to answer, and as usual there are always further tweaks required depending on the scenario.

Many thanks for your reply @paolo, actually you didn’t need to be so detailed, but I really appreciate it.

The main reason I want to implement NAT reflection is that I want to use the same OpenVPN IP address network whether I’m on the Internet or sitting on the LAN side. Why do I need this? Because I don’t want to deal with VLANs, 802.1X and so on.

So let’s rephrase it, when I’m on the LAN side, the VPN will be used only to grant me access to the infrastructure. That’s all ;>

Sure, you can set up OpenVPN to access your network on both the LAN and WAN with the same client connection. Though I’ve lost track of what your actual objective is, there might be another way of achieving it.