pfSense, 1:1 NAT reflection

I’ve asked this on Netgate forums but decided to give it another shot here.

Now, I’ve done some fairly advanced things with pfSense, so I don’t consider myself a novice, but this situation is driving me crazy.

A customer needed to replace an aging and failing Checkpoint with something else, and naturally, with COVID and work-from-home, VPN licenses were a big issue, so the path forward was pfSense. The setup is, well, both simple and complex, depending on where you’re starting from. To sum it all up, the migration was a success and all works as expected except for one tiny thing: public DNS servers in the DMZ.

Here’s the topology:

The problem is as follows… and please bear with me, I know there’s split DNS and I used it frequently, but this is something I inherited, so here I am.

Both DNS01 and 02 can’t talk to each other over their public IPs until I enable NAT reflection on both 1:1 mappings and enable outgoing NAT for reflection, and that’s fine, I get that, so that’s enabled and now they both respond, well kind of, to queries. The problem starts when dns02 (slave) wants to update its records from dns01 (master): it’s rejected. OK, at least traffic flows.
Now it’s rejected because the master ( allows zone transfers to happen only from the public IP of the slave, which is ( and the BIND log on the master says it rejected a zone transfer request from - naturally, because the config says so.
So I see there’s NATing happening; also, pfctl -sn shows additional lines when you enable reflection and outgoing NAT for it, but it’s using a pfSense interface address for that particular VLAN, so VLAN50 on pfSense is

I can clearly edit the BIND configuration to allow transfers from local IPs; it’s just that apparently Checkpoint handled it differently and NATed it to the public address.

Finally, is this the intended pfSense implementation, to NAT to its interface, or am I missing some additional steps, like some more NATing of pfSense itself?

P.S. I’m far from a DNS security whiz, so maybe somebody has an idea as to why transfers are limited to only public IP addresses?!

I’m trying to understand this solution better.

  1. Are these DNS servers Active Directory servers?
  2. Have there been any thoughts of having your clients/employees utilize the pfSense box as the OpenVPN server?

Well, it’s a fairly standard WAN/LAN/DMZ network segmentation, but the LAN has no problems whatsoever, only the described DMZ section.

No, those two are public nameservers (CentOS with BIND as DNS) for external access to domain resources, like websites, SMTP edge servers, Exchange ActiveSync and OWA connectors, and so on.

Employees do have OpenVPN access, but that does not have anything to do with the DNS nameservers’ domain record transfers.

Maybe this is what you are running into?

Thanks, but no, that’s a consumer-router DMZ (but not really) analogy, or in essence a forward-all-to-internal-host thing.
Anyhow, the issue is resolved with the assistance of Reddit.

And to sum it up, if anybody else comes across a similar scenario:

The old Checkpoint FW is bound neither to interfaces nor direction, only to source and destination, for all the rules, firewall and NAT, so just 1:1 NAT on Checkpoint did everything regardless of interfaces.

When I fully realized that, and with tsg-tsg mentioning 1:1, I added 1:1 on the specified VLAN interface and that’s it, and no reflection after that, since that would again NAT everything to the pfSense VLAN interface IP and get stopped at dns01’s named.conf because of the allowed transfer hosts.

Anyhow, these are the exact pfctl rules:
binat on bce3.40 inet from to ->
binat on bce3.40 inet from to ->
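The mismatch the thread ran into (the primary's allow-transfer list names the secondary's public address, but with NAT reflection plus outgoing NAT the primary sees the pfSense VLAN interface address instead) can be checked ahead of time. The script below is an added example, not the poster's code or pfSense/BIND code: it parses pfctl -sn binat lines and a named.conf allow-transfer clause, works out which source address the primary will see in each NAT mode, and reports whether that address is admitted. It also pulls the client address out of a BIND "zone transfer ... denied" log line so the two can be compared. The interface name, all addresses (RFC 5737 documentation ranges), the named.conf fragment and the log line are constructed for the example.

```python
"""
Added example (not from the thread): given 'pfctl -sn' binat lines and the
primary's named.conf, work out which source address the primary will see for
a zone transfer from the secondary, and whether allow-transfer admits it.
All addresses, the interface name and the log line below are constructed
(RFC 5737 documentation ranges); they are not the poster's values.
"""
import ipaddress
import re

# 'pfctl -sn' prints 1:1 mappings as:
#   binat on <if> inet from <internal> to <dst> -> <external>
BINAT_RE = re.compile(
    r"^binat on (?P<ifname>\S+) inet from (?P<internal>\S+) "
    r"to (?P<dst>\S+) -> (?P<external>\S+)$"
)

# BIND logs a refused AXFR roughly as (exact form varies by version):
#   client @0x... <addr>#<port> (<zone>): zone transfer '<zone>/AXFR/IN' denied
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>[0-9a-fA-F.:]+)#\d+ .*zone transfer .* denied"
)


def parse_binat(pfctl_output):
    """Map internal address -> external address for every binat line."""
    mapping = {}
    for line in pfctl_output.splitlines():
        m = BINAT_RE.match(line.strip())
        if m:
            mapping[m.group("internal")] = m.group("external")
    return mapping


def parse_allow_transfer(named_conf):
    """Return the networks listed in the first allow-transfer { ...; } clause."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if not m:
        return []
    nets = []
    for entry in m.group(1).split(";"):
        entry = entry.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # 'any', 'none', key names and named ACLs are not handled here
    return nets


def transfer_source(secondary_internal, binat, reflection_iface_ip=None):
    """Address the primary sees for the secondary's AXFR request.
    Plain 1:1 binat on the DMZ interface: the secondary's own external address.
    NAT reflection with outgoing NAT for reflection: the pfSense VLAN
    interface address, which is what the thread observed."""
    if reflection_iface_ip is not None:
        return reflection_iface_ip
    return binat.get(secondary_internal, secondary_internal)


def transfer_allowed(src, acl):
    """True when src falls inside one of the allow-transfer networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def denied_client(log_line):
    """Pull the client address out of a BIND 'zone transfer ... denied' line."""
    m = DENIED_RE.search(log_line)
    return m.group("addr") if m else None


# Constructed sample data (documentation addresses, hypothetical zone)
PFCTL_OUTPUT = """\
binat on bce3.40 inet from 10.50.0.11 to any -> 203.0.113.11
binat on bce3.40 inet from 10.50.0.12 to any -> 203.0.113.12
"""
NAMED_CONF = """\
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 203.0.113.12; };
};
"""
VLAN_IFACE_IP = "10.50.0.1"          # constructed pfSense address on the DMZ VLAN
SECONDARY_INTERNAL = "10.50.0.12"    # constructed dns02 address behind the 1:1 mapping
DENIED_LOG = ("client @0x7f3c1c0 10.50.0.1#43210 (example.com): "
              "zone transfer 'example.com/AXFR/IN' denied")


def check(use_reflection):
    """Source address the primary sees and whether allow-transfer admits it."""
    binat = parse_binat(PFCTL_OUTPUT)
    acl = parse_allow_transfer(NAMED_CONF)
    src = transfer_source(SECONDARY_INTERNAL, binat,
                          VLAN_IFACE_IP if use_reflection else None)
    return {"source": src, "allowed": transfer_allowed(src, acl)}


if __name__ == "__main__":
    for mode in (False, True):
        print("reflection" if mode else "1:1 binat", check(mode))
    print("BIND denied client:", denied_client(DENIED_LOG))
```

With the constructed data, the 1:1 binat path yields source 203.0.113.12 (allowed) and the reflection path yields 10.50.0.1 (denied), and the denied log line names that same 10.50.0.1, which is the quickest way to confirm which NAT path an AXFR actually took before touching named.conf.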