Archives/opensense-docs
2
0
Fork 0
mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00
Code Issues Projects Releases Wiki Activity

Update nat_reflection.rst

Browse Source 
- Fixed VTI NAT description, referenced the tunables to make it work
This commit is contained in:
Monviech 2023-10-13 13:31:10 +02:00 committed by GitHub
parent bc8fa3b2ef
commit f9b8051fa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source/manual/how-tos/nat_reflection.rst
View File

@ -61,7 +61,8 @@ That's where Reflection NAT comes into play. It creates NAT rules which help you
* **Hairpin NAT:** The client and the server are in the same subnet (layer 2 broadcast domain). They can communicate directly with each other by resolving ARP requests. You need SNAT and DNAT. * **Hairpin NAT:** The client and the server are in the same subnet (layer 2 broadcast domain). They can communicate directly with each other by resolving ARP requests. You need SNAT and DNAT.
.. Note:: .. Note::
When using IPsec, NAT only matches on policy based VPN. NAT on VTI interfaces won't match. When using IPsec, by default NAT only matches on policy based VPN. NAT on VTI (Virtual Tunnel Interfaces) won't match unless some tunables are set. These tunables change the behavior of firewall filter and NAT on if_enc and if_ipsec interfaces. You can read more about the tunables in `IPsec VTI - Route based setup <https://docs.opnsense.org/manual/vpnet.html#route-based-vti>`_
------------- -------------
Best Practice Best Practice