From e0feeed4ec89180a14944d7620551b5c21f26715 Mon Sep 17 00:00:00 2001 From: DoTheEvo Date: Sat, 14 Jan 2023 10:35:33 +0100 Subject: [PATCH] update --- opnsense/readme.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/opnsense/readme.md b/opnsense/readme.md index 169a7a9..549a5cc 100644 --- a/opnsense/readme.md +++ b/opnsense/readme.md @@ -87,17 +87,34 @@ System > Firmware > Plugins ---
-

Port fowarding and NAT reflection(hairpin)

+

Port fowarding and NAT reflection(hairpin/loopback)

[source](https://forum.opnsense.org/index.php?topic=8783.0) -### Firewall settings +### NAT reflection + +When you write `a.example.com` in to your browser, +you are asking a DNS server for an IP address. +When selfhosting that `a.example.com` it will give you your own public IP, +and most consumer routers don't allow this loopback, where your requests +should go out and then right back.
+So a solution for above-consumer-level routers/firewalls is to just have +checkboxes about NAT reflection, also called hairpin NAT or a NAT loopback. `Firewall: Settings: Advanced` - Reflection for port forwards: `Enabled` - Reflection for 1:1: `Disabled` - Automatic outbound NAT for Reflection: `Enabled` +Many consider NAT reflection a hack that should not be used or even allowed.
+That the correct way is split DNS, where you maintain DNS records so that +`a.example.com` points directly to some local 192.168.0.12 IP address.
+Reason being that since DNS records are cached, this way machines on LAN, +that use hostname to access each other, are not hitting the firewall with +every traffic that goes between two machines on LAN side. +But IMO in small scale selfhosted setup its perfectly fine and it requires +far less management. + ### Port Forwarding: a host with IP 192.168.1.200, with port 3100 open TCP
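Review bot: the rationale for preferring split DNS in the new `### NAT reflection` text is muddled; "since DNS records are cached" is not why LAN-to-LAN traffic avoids the firewall. The point is that with split DNS `a.example.com` resolves to the LAN address (the `192.168.0.12` example) so two LAN hosts talk directly, whereas with reflection every such connection is hairpinned through the firewall. Suggest rewording to "With split DNS, LAN machines that reach each other by hostname talk directly instead of sending all that traffic through the firewall." Also worth a sentence after `- Automatic outbound NAT for Reflection: `Enabled``: that option source-NATs reflected connections, so the internal service sees the firewall's LAN address rather than the real client IP, which matters for server logs and any IP-based access control on the host. Minor: the typo `Port fowarding` is carried into the edited heading line, and "in to your browser" should be "into your browser".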