pfSense Port Forwarding and Synology NAS

I have an issue where I can only get to a VM running UNMS via a subdomain when I am outside of the network?

I only have one static IP so I have port 80 and 443 forwarded to a Synology NAS where I have set up a reverse proxy to look at the subdomain and forward to the correct internal client on the desired port.

My firewall is pfSense so I know I could use HA Proxy and as I am writing this, I am watching Lawrence’s video on HA Proxy but not sure why the above set up is not working. I have enabled PureNAT enabled on the Port Forward rule.

Has anyone got any ideas what could be the issue or have some ideas on how to fix this as I am sure it is a simple one as I can get to the login page of UNMS if I try to get to it from outside the network (i.e. via using the hotspot on my phone)


Under System > Advanced > Firewall & NAT > Network Address Translation there’s an option called “Enable automatic outbound NAT for Reflection”. Please try with this enabled. Also try both global NAT reflection options there, just to make sure.

Also, note that as an (in my opinion) better alternative to NAT reflection, you can use split-horizon DNS - if all webservers (namely, the proxy and the UNMS frontend) use ports 80 and 443. If you’re using pfSense’s DNS Resolver, simply add a Host Override at the bottom of the page:

Host: the subdomain (without the domain part)
Domain: the domain
IP address: IP address of the UNMS server

Hi Paolo,

Thank you, I did not have that setting enabled and now that I have enabled it, it works!

Split-horizon DNS looks really interesting and I will need to do some reading on this. Is this only for routing clients internally, this would not work route external requests so the proxy would still be required?

What are the advantages of split-horizon DNS as I am guessing you would disable NAT reflection?

Thanks again as you have saved me hours trying to work it out as I have only just upgraded from a UniFi USG as my firewall, so this has been a steep learning curve after switching.

Glad I was able to help.

Split-horizon DNS means that internal hosts resolve names differently than external hosts. By default, any client (internal and external) trying to connect to your internal service will resolve the domain to your firewall’s WAN address. Given that a d-NAT rule is in place, this works as-is for external clients, but as you’ve discovered, internal clients need NAT reflection.

However, if the internal client didn’t resolve the domain to the WAN address, but rather to the internal (“private”) IP of the server (which is on the same local network), then it could simply connect directly without leaving the broadcast domain and without the traffic going through the firewall. That’s what split-horizon DNS does.