Troubleshooting NAT Reflection

NAT Reflection is complex, and as such may not work in some advanced scenarios. The best practice is to use Split DNS instead in most cases. However, NAT Reflection on current pfSense software releases works reasonably well for nearly all scenarios, and any problems are usually a configuration mistake. Ensure that it was enabled the right way, and make sure a large range of ports is not being forwarded unnecessarily.

NAT Reflection rules are also duplicated for each interface present in the system, so if a lot of port forwards and interfaces are in use, the number of reflectors can easily surpass the limits of the firewall. If this happens, an entry is printed in the system logs. Check the logs for any errors or information.

Web Access is Broken with NAT Reflection Enabled

If an improperly specified NAT Port Forward is present on the firewall, it can cause problems when NAT Reflection is enabled. The most common way this problem arises is with a local web server: port 80 is forwarded to it with an improperly specified External Address.

If NAT Reflection is enabled and the External Address is set to any, every connection made to the firewall itself on that port (including the web GUI on port 80) is reflected to the local web server. To fix this, edit the Port Forward for the offending port, and change External Address to Interface Address instead.

If an External Address of any is required, then NAT Reflection will not work, and Split DNS must be used instead.
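As an added example (not from the pfSense documentation or project), the following Python script reads port forwards written in pf `rdr` syntax, flags the misconfiguration described above (a destination of `any`, which is how an External Address of any is expressed, versus `(em0)` for Interface Address) and gives a rough reflector count in the spirit of the earlier note about port ranges and interfaces. The rule lines, interface names and the one-reflector-per-port-per-interface estimate are constructed assumptions, not real firewall output.

```python
import re

# Constructed sample in pf "rdr" syntax; these lines are made up for
# illustration and are not copied from a real pfSense /tmp/rules.debug.
SAMPLE_RULES = """\
rdr on em0 proto tcp from any to any port 80 -> 192.168.1.10
rdr on em0 proto tcp from any to (em0) port 443 -> 192.168.1.10
rdr on em0 proto tcp from any to (em0) port 10000:20000 -> 192.168.1.20
"""

# Assumed interface list: NAT Reflection duplicates each forward per interface.
INTERFACES = ["em0", "em1", "em2"]

RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\S+) from \S+ to (?P<dst>\S+) "
    r"port (?P<port>\d+(?::\d+)?) -> (?P<target>\S+)"
)


def parse_rdr(text):
    """Parse rdr lines into dicts; 'ports' is the size of the port range."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a simple rdr rule
        rule = m.groupdict()
        lo, _, hi = rule["port"].partition(":")
        rule["ports"] = int(hi or lo) - int(lo) + 1
        rules.append(rule)
    return rules


def find_any_destination(rules):
    """Forwards whose External Address is 'any': with reflection enabled these
    capture every connection to the firewall itself on that port (e.g. the GUI)."""
    return [r for r in rules if r["dst"] == "any"]


def estimate_reflectors(rules, interfaces):
    """Rough estimate assuming one reflector per forwarded port per interface;
    large ranges multiplied by many interfaces are what exhaust the limits."""
    return sum(r["ports"] for r in rules) * len(interfaces)


if __name__ == "__main__":
    parsed = parse_rdr(SAMPLE_RULES)
    for bad in find_any_destination(parsed):
        print(f"port {bad['port']} on {bad['iface']}: change External Address to Interface Address")
    print("estimated reflectors:", estimate_reflectors(parsed, INTERFACES))
```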