@ -87,17 +87,34 @@ System > Firmware > Plugins
---
<details>
<summary><h1>Port fowarding and NAT reflection(hairpin)</h1></summary>
<summary><h1>Port fowarding and NAT reflection(hairpin/loopback)</h1></summary>
[source](https://forum.opnsense.org/index.php?topic=8783.0)
### Firewall settings
### NAT reflection
When you write `a.example.com` in to your browser,
you are asking a DNS server for an IP address.
When selfhosting that `a.example.com` it will give you your own public IP,
and most consumer routers don't allow this loopback, where your requests
should go out and then right back.<br>
So a solution for above-consumer-level routers/firewalls is to just have
checkboxes about NAT reflection, also called hairpin NAT or a NAT loopback.
`Firewall: Settings: Advanced`
- Reflection for port forwards: `Enabled`
- Reflection for 1:1: `Disabled`
- Automatic outbound NAT for Reflection: `Enabled`
Many consider NAT reflection a hack that should not be used or even allowed.<br>
That the correct way is split DNS, where you maintain DNS records so that
`a.example.com` points directly to some local 192.168.0.12 IP address.<br>
Reason being that since DNS records are cached, this way machines on LAN,
that use hostname to access each other, are not hitting the firewall with
every traffic that goes between two machines on LAN side.
But IMO in small scale selfhosted setup its perfectly fine and it requires
far less management.
### Port Forwarding:
a host with IP 192.168.1.200, with port 3100 open TCP<br>
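Review bot: the heading typo "fowarding" survives on the reworded summary line (`Port fowarding and NAT reflection(hairpin/loopback)`); change it to "forwarding" and add a space before the parenthesis while the line is being edited anyway. In the added NAT reflection paragraphs, "in to your browser" should read "into your browser", "That the correct way is split DNS" is a sentence fragment (merge it with the preceding sentence, e.g. "Many consider NAT reflection a hack ... and that the correct way is split DNS"), and "its perfectly fine" should be "it's". The split DNS example uses 192.168.0.12 while the port forwarding example directly below uses 192.168.1.200; picking one subnet for the whole section avoids readers assuming the two parts describe different networks. Finally, the settings list turns on "Automatic outbound NAT for Reflection" with no explanation of why it is needed in addition to "Reflection for port forwards"; a one-line note on what that option does would let a reader decide whether to keep it rather than copying the checkboxes blindly.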