update
This commit is contained in:
parent
9cc3f9b536
commit
e0feeed4ec
@ -87,17 +87,34 @@ System > Firmware > Plugins
---
<details>
<summary><h1>Port fowarding and NAT reflection(hairpin)</h1></summary>
<summary><h1>Port fowarding and NAT reflection(hairpin/loopback)</h1></summary>
[source](https://forum.opnsense.org/index.php?topic=8783.0)
### Firewall settings
### NAT reflection
When you write `a.example.com` in to your browser,
you are asking a DNS server for an IP address.
When selfhosting that `a.example.com` it will give you your own public IP,
and most consumer routers don't allow this loopback, where your requests
should go out and then right back.<br>
So a solution for above-consumer-level routers/firewalls is to just have
checkboxes about NAT reflection, also called hairpin NAT or a NAT loopback.
`Firewall: Settings: Advanced`
- Reflection for port forwards: `Enabled`
- Reflection for 1:1: `Disabled`
- Automatic outbound NAT for Reflection: `Enabled`
Many consider NAT reflection a hack that should not be used or even allowed.<br>
That the correct way is split DNS, where you maintain DNS records so that
`a.example.com` points directly to some local 192.168.0.12 IP address.<br>
Reason being that since DNS records are cached, this way machines on LAN,
that use hostname to access each other, are not hitting the firewall with
every traffic that goes between two machines on LAN side.
But IMO in small scale selfhosted setup its perfectly fine and it requires
far less management.
### Port Forwarding:
a host with IP 192.168.1.200, with port 3100 open TCP<br>
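Review bot: the new "### Port Forwarding:" section at the end of the hunk introduces an example host ("a host with IP 192.168.1.200, with port 3100 open TCP") and then stops, so a reader is left with no Firewall: NAT: Port Forward rule to follow; either add the interface, protocol, destination port and redirect target for that host, or hold the heading back until the rule is written. Two smaller points in the same hunk: the `<summary>` heading still spells "fowarding" in both the removed and the added line, and the justification offered for split DNS ("since DNS records are cached") does not support the sentence that follows it. The reason hairpinned LAN-to-LAN traffic is undesirable is that every such connection is routed through the firewall and, with "Automatic outbound NAT for Reflection" enabled, source-NATed, so the server sees the firewall's LAN address instead of the client's, which matters for server logs and any per-client access rules; rewording the "Reason being" sentence along those lines would make the trade-off the section is describing clear.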