Multiple VLANs, Port Forwarding, NAT Reflection

Does anyone have any advice for firewall rule configuration when port forwarding with multiple VLANs? I’ve enabled NAT reflection but I still can’t access the port when connected to the home network. There’s no double NAT situation. I followed the YouTube video showing how to configure the port forward settings. Seems like it’s probably a VLAN issue. This is for a camera system, so I’m open to suggestions of a different network configuration for the camera system that might avoid VLAN issues altogether.

I’ll probably end up using a VPN for camera access, but I want to understand why this isn’t working.

Any help is appreciated, thank you.

Not entirely sure what you’re trying to achieve. Are you referring to accessing the web UI of your NVR?

I normally try to avoid NAT reflection as it means traffic will go through the router even if the destination is in the same network. This can lead to bottlenecks. Split-horizon DNS prevents this issue.

Port forwarding is probably the most common method used to view camera systems when a client is outside of their network. That has been achieved. The issue is when attempting to view the port forwarded cameras while on the network: NAT reflection is not working. I considered the split DNS solution but it seems to be equally difficult to set up, so I’m attempting to understand why NAT reflection isn’t working.

You said you have multiple VLANs, maybe NAT reflection isn’t the issue here… Did you set the appropriate firewall rules in order to allow traffic from your main network to the camera network?

I also doubt the NAT reflection settings are the issue here, they seem straightforward. I did intentionally set some rules to prevent traffic from passing between some VLANs, that’s definitely a possible source of the issue. Thank you for mentioning that, I had forgotten I set those rules, I’ll check on them.
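As an added example (not from the thread or from pfSense itself), a small Python model of why an inter-VLAN block rule also stops NAT-reflected traffic: pf applies the port-forward redirect before the rules on the client's VLAN interface are evaluated, so those rules see the NVR's internal address rather than the WAN address. All addresses, ports and rules are constructed, and the evaluator is a simplified first-match model of a pfSense interface ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example; not taken from the thread.
WAN_IP = "203.0.113.7"                   # pfSense public address
NVR = ("10.0.20.10", 80)                 # NVR web UI on the camera VLAN
PORT_FORWARD = {(WAN_IP, 8000): NVR}     # WAN:8000 -> NVR:80

@dataclass
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp" or "any"
    dst_net: str             # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any port

def reflect(dst_ip, dst_port):
    """NAT reflection: a LAN client connecting to WAN_IP:8000 is redirected
    to the port-forward target *before* the interface rules are checked."""
    return PORT_FORWARD.get((dst_ip, dst_port), (dst_ip, dst_port))

def evaluate(rules, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation of the rules on the client's VLAN interface."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "block"  # implicit default deny when nothing matches

def client_can_reach_nvr(rules):
    """A client on the main VLAN opens http://WAN_IP:8000 via reflection."""
    ip, port = reflect(WAN_IP, 8000)
    return evaluate(rules, ip, port) == "pass"

# Ruleset as described in the thread: traffic to the camera VLAN blocked,
# everything else from the main VLAN allowed.
ISOLATED = [
    Rule("block", "any", "10.0.20.0/24", None),
    Rule("pass", "any", "0.0.0.0/0", None),
]
# Fix: a pass rule for just the NVR web port, placed above the block rule,
# so the rest of the camera VLAN stays isolated.
FIXED = [Rule("pass", "tcp", "10.0.20.10/32", 80)] + ISOLATED
```

Because `FIXED` only opens one host and port, other cameras on the VLAN remain unreachable from the main network.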

If you can’t get it to work, and maybe even if you can, I would recommend using Split DNS. It’s the cleaner solution. NAT Loopback is a hack, actually even NAT itself is a hack, namely to work around the issue of not having enough IPv4 addresses… :wink:

See here: Network Address Translation — NAT Reflection | pfSense Documentation

Basically, you only have to do three things:

  1. make sure that the clients in the local network use the pfSense as their DNS server
  2. set the appropriate DNS host overrides
  3. set the appropriate firewall rules.

For reference, this is what I have my NAT reflection set to. I’m able to hairpin to public services hosted within my same LAN, with the combination of proper NAT and firewall rules of course.

Also don’t forget to check the NAT rule itself, as reflection settings can be overridden on a per-rule basis.