1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN
-
Up to now I am using a Split DNS solution to reach e.g. my public web server from the internal LAN.
However, since DNS queries are more and more hidden in HTTPS, Split DNS solutions do not work any longer. So I need a different solution, which might simplify things as well.
What I would like to achieve is that, if a destination IP equals my IPv4 address (and maybe also one of my public IPv6 addresses), the internally generated traffic seems to be arriving from the internet.
I think a behaviour like this should be possible using:
option: System > Advanced > Firewall & NAT > Enable automatic outbound NAT for Reflection
in combination with some rules in Firewall > NAT > 1:1. The intention is that the FW treats the traffic completely like external traffic. Not completely true of course, since routing should be from and to the internal device.
Has someone experience with such a setup?
And which settings exactly are used?
-
@louis2 enable that one setting, but you don't need 1:1. 1:1 is to forward all ports on the router and is useful for a second public IP address and server or DMZ. Just enable reflection on the NAT rule for port 443.
-
Steve,
there are multiple ports involved:
- there is also an sftp server
- mail server
- etc.
The number of ports is limited.
When a packet is arriving via the WAN, the WAN has a couple of rules to allow / to block / to NAT.
I am also using HAProxy (for a limited number of ports; my original idea was to use HAProxy for all involved ports, but that does not work, I know now).
-
@louis2 said in 1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN:
However, since DNS queries are more and more hidden in HTTPS, Split DNS solutions do not work any longer. So I need a different solution, which might simplify things as well.
You should rather take care that the local devices use your local DNS instead.
Normally you can configure web browsers to not use DoH but the system DNS resolver.
And for the hardcore ones, there are lists of DoH servers on the internet, which you can use to block it.
@louis2 said in 1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN:
option: System > Advanced > Firewall & NAT > Enable automatic outbound NAT for Reflection
in combination with some rules in Firewall > NAT > 1:1
This should also enable internal devices to access your public IPs without additional NAT rules.
But remember, this is only NAT as well.
@louis2 said in 1:1 NAT reflection to replace split DNS as solution to reach my own public servers from the LAN:
When a packet is arriving via the WAN, the WAN has a couple of rules to allow / to block / to NAT.
When using NAT 1:1, you have to additionally configure the necessary firewall rules on WAN and on the internal interface. The NAT rules don't pass any traffic on their own.
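For readers who want to see what the three posts above amount to at the packet-filter level, here is an added example (not part of the thread, and not pfSense's generated ruleset): a hand-written FreeBSD pf ruleset equivalent to per-port NAT reflection in "Pure NAT" mode with "Enable automatic outbound NAT for Reflection" ticked, for the multiple ports louis2 lists, plus the WAN and LAN pass rules viragomann points out are still needed. The last section shows the alternative viragomann prefers: keep Split DNS and force LAN clients onto the local resolver. Interface names (em0/em1), all addresses (203.0.113.10, 192.168.1.0/24, 192.168.1.10, 192.168.1.20), the port lists and the single `<doh_servers>` table entry are assumptions chosen for the illustration.

```pf
# Added example: hand-written pf rules illustrating pfSense-style NAT
# reflection plus the filter rules NAT does not supply. All names and
# addresses below are hypothetical.
wan_if   = "em0"
lan_if   = "em1"
wan_ip   = "203.0.113.10"     # public IPv4 (documentation range)
lan_net  = "192.168.1.0/24"
lan_ip   = "192.168.1.1"      # firewall's own LAN address
web_srv  = "192.168.1.10"     # web + mail host
sftp_srv = "192.168.1.20"     # sftp host
web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 465, 587, 993 }"
sftp_port  = "22"

# --- 1. Port forwards for traffic arriving from the internet ---
rdr on $wan_if inet proto tcp from any to $wan_ip port $web_ports  -> $web_srv
rdr on $wan_if inet proto tcp from any to $wan_ip port $mail_ports -> $web_srv
rdr on $wan_if inet proto tcp from any to $wan_ip port $sftp_port  -> $sftp_srv

# --- 2. NAT reflection: the same redirect applied on the LAN side ---
# A LAN client that connects to the public IP is redirected to the server
# exactly as an internet client would be. One rdr per port forward; there
# is no need for 1:1 NAT to get this.
rdr on $lan_if inet proto tcp from $lan_net to $wan_ip port $web_ports  -> $web_srv
rdr on $lan_if inet proto tcp from $lan_net to $wan_ip port $mail_ports -> $web_srv
rdr on $lan_if inet proto tcp from $lan_net to $wan_ip port $sftp_port  -> $sftp_srv

# --- 3. "Automatic outbound NAT for Reflection" ---
# Without this, the server sees the client's real LAN address and answers it
# directly on the same subnet, bypassing the firewall. The client then
# receives a SYN-ACK from 192.168.1.10 for a connection it opened to
# 203.0.113.10 and discards it. Rewriting the source to the firewall's LAN
# address forces the reply back through pf so the translation is undone.
nat on $lan_if inet proto tcp from $lan_net to $web_srv  port $web_ports  -> $lan_ip
nat on $lan_if inet proto tcp from $lan_net to $web_srv  port $mail_ports -> $lan_ip
nat on $lan_if inet proto tcp from $lan_net to $sftp_srv port $sftp_port  -> $lan_ip

# --- 4. Filter rules: rdr/nat only translate, they never pass traffic ---
block in log all
pass out quick keep state
# Filter rules are evaluated after rdr, so WAN rules match the translated
# (server) destination, not the public IP.
pass in quick on $wan_if inet proto tcp from any to $web_srv  port $web_ports  flags S/SA keep state
pass in quick on $wan_if inet proto tcp from any to $web_srv  port $mail_ports flags S/SA keep state
pass in quick on $wan_if inet proto tcp from any to $sftp_srv port $sftp_port  flags S/SA keep state
# Reflected connections enter on LAN, so LAN needs matching pass rules too.
pass in quick on $lan_if inet proto tcp from $lan_net to $web_srv  port $web_ports  keep state
pass in quick on $lan_if inet proto tcp from $lan_net to $web_srv  port $mail_ports keep state
pass in quick on $lan_if inet proto tcp from $lan_net to $sftp_srv port $sftp_port  keep state

# --- 5. Alternative: keep Split DNS and force clients onto the local resolver ---
# Plain DNS (53) and DoT (853) can be caught by port; DoH rides on 443 and can
# only be blocked by destination, hence a table fed from a DoH server list.
# The single entry below is a placeholder, not a real DoH resolver.
table <doh_servers> persist { 192.0.2.53 }
rdr on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_ip port 53 -> $lan_ip port 53
block return in quick on $lan_if inet proto tcp from $lan_net to any port 853
block return in quick on $lan_if inet proto tcp from $lan_net to <doh_servers> port 443
# General LAN egress, placed after the blocks so the quick blocks win.
pass in quick on $lan_if from $lan_net to any keep state
```

Two practical notes. First, sections 2 and 3 are what the pfSense GUI does per port forward when reflection is set to "Pure NAT" and the automatic outbound NAT option is enabled; what they do not cover is any port that a proxy (e.g. HAProxy) binds on the WAN address instead of forwarding, because no rdr exists for it. Second, the IPv6 part of louis2's question needs none of this: with global addresses and no NAT, the server's "public" IPv6 address is its own address, so a LAN client reaches it directly and only a LAN-to-server pass rule is required.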