NeuroAgent

NAT Loopback in pfSense: Complete Solution

Solution for the NAT loopback issue in pfSense: configure NAT reflection or Split DNS to reach your own websites from the local Rostelecom network. Step-by-step guide and troubleshooting.

The website is not accessible from the local Rostelecom network when accessed through NAT and PPPoE. I have an external IP from Rostelecom, and a PPPoE connection is configured on my pfSense software router. The problem is that the website hosted behind NAT is accessible from any network except the local Rostelecom network in my city. From other Rostelecom cities, the website opens normally. It appears that users from the local Rostelecom network are trying to connect not through the external IP, but as if locally, which causes NAT not to redirect them to the web server. What router settings need to be configured to solve this problem?

NeuroAgent

NAT loopback (hairpin NAT) is a classic problem: devices on the same local network, as in your case, cannot reach a server hosted behind NAT via the external IP address because the traffic does not get the routing it needs. In pfSense there are two main approaches to solving it: configuring NAT reflection or using Split DNS.

NAT loopback problem and its causes

NAT loopback (also known as hairpin NAT or NAT reflection) occurs when a device on the local network tries to connect to a server that is in the same network but uses an external IP address instead of an internal one.

In your case, the problem is that users from the Rostelecom local network in your city resolve the domain name to an IP address that can be:

  • The external IP address of your connection (if DNS resolves correctly)
  • Or the internal IP address of the server (if a local Rostelecom DNS server is used)

When a connection attempt is made through the external IP, pfSense should redirect (reflect) this traffic back to the internal network, but in some cases, this doesn’t work correctly.

Important: As noted in the pfSense documentation, NAT reflection is a kind of “hack” that forces traffic to go through the firewall when it’s technically unnecessary. Therefore, there are limitations in its implementation.

Solution 1: Configuring NAT Reflection/Hairpin NAT

NAT reflection allows internal devices to reach servers through the external IP address. In a pfSense port forward rule, the NAT Reflection field offers three settings:

  1. Use system default - uses system-wide global settings
  2. Enable - always enables NAT reflection for this rule
  3. Disable - disables NAT reflection

NAT reflection implementation options:

Method 1: Pure NAT

  • Uses only NAT rules in PF to redirect packets
  • Doesn’t work with UDP, only TCP
  • The source address of traffic from the server’s perspective is the firewall’s IP address

Method 2: NAT + Proxy

  • Works through a proxy server
  • Supports both TCP and UDP
  • Has limitations: ports above 500 are not supported

Method 3: Manual creation of reflection rules

  • Requires manual configuration of rules
  • More flexible but more complex to set up

Solution 2: Split DNS (recommended approach)

Split DNS is the more elegant and generally recommended way to reach local servers. Its essence is that internal and external clients resolve the same domain name to different IP addresses:

  • Internal clients → internal IP of the server
  • External clients → external IP address

Advantages of Split DNS:

  • Preserves the client’s original IP address
  • Doesn’t force traffic to go through the firewall unnecessarily
  • Works with any protocols (TCP, UDP, ICMP)
  • Has no limitations on the number of ports

Step-by-step setup of NAT reflection in pfSense

Step 1: Enabling NAT reflection globally

  1. Go to System > Advanced
  2. In the Networking section, find NAT Reflection mode for port forwards
  3. Select Pure NAT (recommended for modern pfSense versions)
  4. Check Enable NAT Reflection
  5. Click Save

Step 2: Configuring port forwarding rule with reflection

  1. Go to Firewall > NAT > Port Forward
  2. Create or edit the port forwarding rule for your web server
  3. In the NAT Reflection field, select:
    • Use system default (if configured globally)
    • Or Enable to force reflection on for this rule
  4. Ensure the rule includes:
    • External interface (WAN)
    • External IP address
    • External port (80/443)
    • Internal IP address of your server
    • Internal port (80/443)
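
To make concrete what the Pure NAT method and Step 2 achieve inside pf, here is an added example written for this page (it is not pfSense's own generated ruleset) that renders the two pf rules behind a reflected port forward and, where pfctl is installed, syntax-checks them. The interface name em1, the addresses 192.168.1.0/24, 192.168.1.10 and 203.0.113.10 (a TEST-NET-3 placeholder), and port 80 are assumptions to replace with your own values; the interface name must exist on the box for the pfctl check to pass.

```shell
#!/bin/sh
# Added example (not pfSense's generated ruleset): render the two pf rules
# behind a reflected ("Pure NAT" style) port forward and syntax-check them
# with pfctl when it is available. All names and addresses are assumptions.
set -eu

LAN_IF="${LAN_IF:-em1}"                 # assumed LAN interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet
WAN_IP="${WAN_IP:-203.0.113.10}"        # assumed external (PPPoE) address, TEST-NET-3
SERVER="${SERVER:-192.168.1.10}"        # assumed internal web server
PORT="${PORT:-80}"                      # forwarded port

# Print a pf.conf fragment for one reflected port forward (FreeBSD pf syntax,
# which is what pfSense uses):
#  - rdr: a LAN client connecting to WAN_IP:PORT is redirected to SERVER:PORT
#  - nat: the client's source address is rewritten to the LAN interface
#    address, so the server's replies come back through the firewall.
# Without the nat rule a client on the server's own subnet receives the reply
# straight from SERVER instead of from WAN_IP and resets the connection;
# the price is that the server logs the firewall's address as the client.
render_reflection_rules() {
    lan_if="$1"; lan_net="$2"; wan_ip="$3"; server="$4"; port="$5"
    cat <<EOF
# hairpin (reflection) rules for ${wan_ip}:${port} -> ${server}:${port}
rdr on ${lan_if} proto tcp from ${lan_net} to ${wan_ip} port ${port} -> ${server} port ${port}
nat on ${lan_if} proto tcp from ${lan_net} to ${server} port ${port} -> (${lan_if})
EOF
}

# Parse-only check of a ruleset file with pfctl -n (nothing is loaded).
# Exit status: 0 = syntax OK, 1 = pfctl rejected it, 2 = pfctl not installed.
check_ruleset() {
    ruleset_file="$1"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping syntax check" >&2
        return 2
    fi
    pfctl -nf "$ruleset_file"
}

main() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    render_reflection_rules "$LAN_IF" "$LAN_NET" "$WAN_IP" "$SERVER" "$PORT" | tee "$tmp"
    check_ruleset "$tmp" || [ $? -eq 2 ]   # a real syntax error still fails the script
}

main
```

The nat rule is the part that pfSense's "Enable automatic outbound NAT for Reflection" option adds; the rdr rule alone only works when the client and the server sit on different subnets. Both rules still need a matching pass rule on the LAN interface, which is what Step 4 below checks. OpenBSD's newer pf uses a different `rdr-to`/`nat-to` syntax, so this fragment applies to FreeBSD-based pfSense only.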

Step 3: Setting up Split DNS (alternative approach)

  1. Go to Services > DNS Resolver
  2. In the Host Overrides section, add an entry:
    Domain: your_site.com
    Domain Type: A
    IP Address: internal_IP_of_server
    Description: Local server access
  3. In the Forwarding section, configure:
    • Internal requests → internal DNS (resolver)
    • External requests → external DNS (ISP DNS)

Step 4: Checking firewall rules

Ensure you have appropriate firewall rules that allow access to your server:

  1. Go to Firewall > Rules
  2. Check rules for the LAN interface
  3. Add a rule allowing access to port 80/443 from internal IP addresses

Common problems and their solutions

Problem 1: NAT reflection doesn’t work

Possible causes:

  • Incorrect NAT reflection mode
  • Conflict with firewall rules
  • Port number limitations

Solution:

  1. Check NAT reflection settings in port forwarding rules
  2. Ensure firewall rules allow the traffic
  3. Try switching to NAT + Proxy or Pure NAT mode

Problem 2: Sites only open by IP but not by domain

Possible causes:

  • Incorrect DNS configuration
  • DNS caching on client devices

Solution:

  1. Set up Split DNS as described above
  2. Clear DNS cache on client devices
  3. Check domain name resolution using nslookup
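
Before choosing between the two solutions, and as the concrete form of the nslookup check in Problem 2, it helps to see which address LAN clients actually receive for the site name. The following script is an added example, not part of the original answer: it asks the LAN resolver and a public resolver with dig and classifies the pair of answers (Split DNS in effect, hairpin path in use, or a broken public record). The hostname www.example.com, the resolver addresses 192.168.1.1 and 1.1.1.1, and the internal/external addresses 192.168.1.10 and 203.0.113.10 are placeholders; dig (from bind-tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original answer: compare what the LAN resolver
# and a public resolver return for the site's hostname and report whether
# Split DNS is in effect or LAN clients still go via the WAN address.
# Hostname, resolver and addresses below are placeholders to replace.
set -eu

SITE="${SITE:-www.example.com}"              # hostname to check (placeholder)
LAN_DNS="${LAN_DNS:-192.168.1.1}"            # pfSense DNS Resolver address (assumed)
PUBLIC_DNS="${PUBLIC_DNS:-1.1.1.1}"          # any resolver outside the LAN
INTERNAL_IP="${INTERNAL_IP:-192.168.1.10}"   # server's LAN address (assumed)
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"   # WAN/PPPoE address, TEST-NET-3 placeholder

# Ask one resolver for the first A record of a name; prints the address, or
# nothing when the lookup fails, times out, or returns no A record.
resolve_a() {
    resolver="$1"; name="$2"
    dig +short +time=2 +tries=1 "@${resolver}" "$name" A 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# Pure decision logic (no network), so it can be exercised offline.
# Prints one of: split-dns, hairpin, wrong-public-record, no-answer, unexpected
classify() {
    lan_answer="$1"; public_answer="$2"; internal_ip="$3"; external_ip="$4"
    if [ -z "$lan_answer" ] || [ -z "$public_answer" ]; then
        echo "no-answer"; return 0
    fi
    if [ "$public_answer" != "$external_ip" ]; then
        echo "wrong-public-record"; return 0
    fi
    case "$lan_answer" in
        "$internal_ip") echo "split-dns" ;;   # host override is working
        "$external_ip") echo "hairpin" ;;     # LAN clients hit the WAN address
        *)              echo "unexpected" ;;
    esac
}

# Turn a verdict into the next step for the operator.
explain() {
    case "$1" in
        split-dns)           echo "LAN clients resolve ${SITE} to ${INTERNAL_IP}: Split DNS is active, no reflection needed." ;;
        hairpin)             echo "LAN clients resolve ${SITE} to ${EXTERNAL_IP}: they connect via the WAN address, so NAT reflection must work (or add a host override)." ;;
        wrong-public-record) echo "Public DNS does not return ${EXTERNAL_IP}: fix the public A record before anything else." ;;
        no-answer)           echo "A resolver did not answer: check the resolver address and that UDP/TCP 53 is reachable." ;;
        *)                   echo "LAN resolver returned neither the internal nor the external IP: check host overrides and client DNS settings." ;;
    esac
}

main() {
    lan="$(resolve_a "$LAN_DNS" "$SITE")"
    pub="$(resolve_a "$PUBLIC_DNS" "$SITE")"
    printf 'LAN resolver %s -> %s\npublic resolver %s -> %s\n' \
        "$LAN_DNS" "${lan:-<none>}" "$PUBLIC_DNS" "${pub:-<none>}"
    verdict="$(classify "$lan" "$pub" "$INTERNAL_IP" "$EXTERNAL_IP")"
    explain "$verdict"
}

main
```

Run it from a LAN client, not from pfSense itself, because the point is what the clients' configured resolver says; a client whose DNS is set to the ISP's servers will show "hairpin" even after the host override is in place, which is the DNS caching and client configuration case Problem 2 describes.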

Problem 3: Slow website performance from local network

Possible causes:

  • Additional traffic passing through the firewall
  • pfSense CPU load

Solution:

  1. Use Split DNS instead of NAT reflection
  2. Optimize firewall rules
  3. Consider using more powerful hardware

Problem 4: HTTPS certificate errors

Possible causes:

  • IP address mismatch in certificate
  • Issues with SNI (Server Name Indication)

Solution:

  1. Use a wildcard certificate for your domain
  2. Configure correct Host headers in port forwarding rules
  3. Consider using an ACME client for automatic certificate renewal
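
For Problem 4, the check a practitioner wants is whether the certificate the server presents when reached from the LAN actually covers the site name, wildcard included. The script below is an added example and not part of the original answer: it connects with openssl s_client to the internal address while sending the site name as SNI, extracts the subjectAltName list, and applies the one-label wildcard rule (a `*.example.com` entry covers `www.example.com` but neither `example.com` nor `a.b.example.com`). The hostname www.example.com, the address 192.168.1.10 and port 443 are placeholders, and OpenSSL 1.1.1 or newer is assumed for the `-ext` option.

```shell
#!/bin/sh
# Added example (not from the original answer): fetch the certificate the
# server presents to a LAN client that connects to the internal address with
# the site name as SNI, and check that the name is covered by a SAN entry.
# Hostname, address and port are placeholders; openssl >= 1.1.1 is assumed.
set -eu

SITE="${SITE:-www.example.com}"      # name browsers will use (placeholder)
TARGET="${TARGET:-192.168.1.10}"     # internal server address (placeholder)
PORT="${PORT:-443}"

# Print the comma-separated DNS SAN list of the leaf certificate that TARGET
# presents for SNI name SITE, e.g. "DNS:www.example.com, DNS:*.example.com".
# Prints nothing when the connection fails or the cert has no SAN extension.
fetch_san_list() {
    site="$1"; target="$2"; port="$3"
    openssl s_client -connect "${target}:${port}" -servername "$site" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/^ *DNS:/DNS:/p'
}

# Pure matching logic: does the SAN list cover HOST? Exact (case-insensitive)
# match, or a "*.suffix" wildcard that stands for exactly one leftmost label.
san_covers_host() {
    host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    # "DNS:a.example, DNS:*.example" -> "a.example,*.example"
    names="$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z' | sed 's/dns://g')"
    old_ifs="$IFS"; IFS=','; set -f      # split on commas, never glob the '*'
    set -- $names
    set +f; IFS="$old_ifs"
    for name in "$@"; do
        case "$name" in
            "$host") return 0 ;;                       # exact match
            \*.*)                                      # wildcard entry
                suffix="${name#\*.}"
                rest="${host#*.}"
                # host must have a dot, a non-empty first label, and the
                # remainder after that label must equal the wildcard suffix
                if [ "$rest" != "$host" ] && [ -n "${host%%.*}" ] && [ "$rest" = "$suffix" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

main() {
    sans="$(fetch_san_list "$SITE" "$TARGET" "$PORT")"
    if [ -z "$sans" ]; then
        echo "no SAN list obtained from ${TARGET}:${PORT} (no TLS there, connection refused, or openssl missing)"
        return 1
    fi
    echo "SAN list: $sans"
    if san_covers_host "$sans" "$SITE"; then
        echo "OK: certificate covers ${SITE}"
    else
        echo "MISMATCH: certificate does not cover ${SITE}; browsers will warn"
        return 1
    fi
}

# Run with the argument "check" to query the server; without it the file only
# defines the functions so it can be sourced.
case "${1:-}" in
    check) main ;;
esac
```

Run it as `sh san_check.sh check` from a LAN client. If the list is empty or the name is not covered, the fix is on the web server (a certificate that includes the site name, or a wildcard for the domain as the answer suggests), not in pfSense: port forwards and NAT reflection operate below TLS and cannot change which certificate is served.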

Conclusion and recommendations

  1. For your case with Rostelecom, it’s recommended to start with setting up Split DNS, as it’s a more reliable solution that doesn’t force traffic to go through the firewall unnecessarily.

  2. If Split DNS isn’t suitable, use NAT reflection in Pure NAT mode, which works better in modern pfSense versions and has fewer limitations.

  3. Always check firewall rules after setting up NAT reflection to ensure traffic is properly allowed.

  4. For complex scenarios with multiple WAN interfaces or VLANs, manual configuration of reflection rules may be required.

  5. Monitor performance of pfSense with active NAT reflection, as this creates additional load on the system.

The solution to your problem depends on the specific network configuration and requirements, but the approaches described should help ensure access to your servers from both local and external networks.

Sources

  1. NAT Reflection | pfSense Documentation
  2. Troubleshooting NAT Reflection | pfSense Documentation
  3. Accessing Port Forwards from Local Networks | pfSense Documentation
  4. pfSense: A Guide to NAT, Firewall Rules and some Networking 101
  5. NAT Reflection vs Split DNS Argument - Reddit
  6. Configure pfSense from LAN to WAN to LAN - Super User
  7. NAT loopback/hairpin mode between VLAN’s - Netgate Forum