nat reflection

Viewing 15 posts - 1 through 15 (of 39 total)

    Hi, does anyone know if it is possible to set up NAT reflection rules with zeroshell (how ? 😀 )

    Also has anyone successfully abused this router ? I mean to the length of 50 new connections (or more) per second… how does it handle that?


    What do you mean with “NAT Reflection”?
    I found with Google that pfSense and m0n0wall have implemented this feature. I suppose that the NAT reflection looks like the Destination NAT with which Zeroshell implements the Virtual Server feature, but I am not sure. Please, correct me if I am wrong.



    yes, pfsense and monowall have those features, maybe they ended up naming it like that

    behaviour: when you are on the lan side and you try to make a connection to one of your wan ip’s … you will get squat…
    nat reflection fixes this, now I don’t really remember if zeroshell behaved like this or not…

    one thing though… even with this, the source ip of the connection is still your lan ip, this would be a pain in the a.. if you are hosting a bittorrent tracker 🙂

    nonetheless it is still a good thing to be able to open for example, the webserver on your pc by opening http://wan.ip.wan.ip/ instead of http://localhost


    pfSense and m0n0wall use ipfilter, zeroshell uses iptables, so you don’t need a workaround like them. You can use a rule like this one to get it working.

    iptables -t nat -A prerouting_rule -d WAN_IP -p tcp --dport 80 -j DNAT --to <SERVER_IP>
    iptables -A forwarding_rule -p tcp --dport 80 -d <SERVER_IP> -j ACCEPT
    iptables -t nat -A postrouting_rule -s <LAN_NET> -p tcp --dport 80 -d <SERVER_IP> -j MASQUERADE

    All traffic on port 80 from LAN ( to WAN (WAN_IP) will be redirected to the internal webserver (


    yes of course you can do that if you know iptables.. it’s just a matter of checkbox versus 3 lines and years of using iptables. I’m sure you have time for it if you’re a net admin.


    This is standard in most linux firewalls. You just have to forward a port, and you’ll be able to reach the natted server through the WAN port. I have not installed zeroshell yet, but I think it’s time to do that now.


    Well, first things first, so: fluvio, thanks for this great product! I’ve been using zeroshell after trying both pfsense and monowall and this seems to be the best and most complete product for my needs.

    Now that the thanks are taken care of, I’m going to bring this topic back from the dead.

    NAT Reflection is one “feature” that allows you to access servers behind PAT through your WAN ip. For example, you have a public name that has a public address… If you try to access this inside your local network, your packets are going to be directed to your firewall and don’t go through the WAN interface… So, if you have PAT defined with interface instead of the public ip, it doesn’t get done. I know that in beta11 we can define PAT through ip address but the previous scenario is especially necessary in cases where you have a dynamic public ip address…

    I’ve been exploring the guts of zeroshell and i think it can be done with two changes:
    1. Add the following line to the script router_patconfig: “iptables -t nat -A PREROUTING $IP -p $PROTOCOL --dport $LOCALPORT -j DNAT --to $REMOTEIP:$REMOTEPORT” where $IP=-d WAN_IP. This ip should be the WAN_IP address when it is defined to dhcp.
    2. Using the hooks of the dhclient-script, refresh the ip in the nat table whenever dhclient updates WAN_IP.

    Maybe step 2 can be the only one, I think the initial setup may be unnecessary…
    What do you think? Can this be done? If so, in time for beta12? If not, how do you recommend me to solve this problem? In my opinion this is very important, especially in SOHO market, where most companies keep the internet connection behind a dynamic IP…
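The iptables rules posted earlier in the thread and the two-step proposal just above (a DNAT rule keyed on the WAN address, refreshed from a dhclient hook when the lease changes) fit together in one script. What follows is an added example written for this page; it is not ZeroShell's code and not any poster's. It assumes the standard PREROUTING/FORWARD/POSTROUTING chains rather than ZeroShell's internal chain names, an ISC-style dhclient-script that exports `$reason` and `$new_ip_address`, and constructed addresses (203.0.113.10 as the WAN address, 192.168.1.0/24 as the LAN, 192.168.1.50 as the web server). The hairpin rules live in their own chains so a lease change can flush and rebuild exactly that set, and the WAN address is validated before it is ever passed to iptables.

```shell
#!/bin/sh
# Added example (not ZeroShell's code and not any poster's): "NAT reflection"
# (hairpin NAT) for a Linux/iptables router, with a refresh path for a WAN
# address that changes on DHCP renewal. Chain names, interface names and all
# addresses below are assumptions.

# Print (do not run) the iptables commands for one hairpinned service.
# Rules go into dedicated chains so they can be flushed and rebuilt as a set.
hairpin_rules() {
    wan_ip=$1; lan_net=$2; server_ip=$3; port=$4; proto=${5:-tcp}
    # 1. DNAT: LAN client -> WAN_IP:port is rewritten to the internal server.
    #    Limiting to -s LAN_NET leaves the normal inbound port forward alone.
    echo "iptables -t nat -A hairpin_pre -s $lan_net -d $wan_ip -p $proto --dport $port -j DNAT --to-destination $server_ip:$port"
    # 2. Let the translated flow through the forwarding path.
    echo "iptables -A hairpin_fwd -s $lan_net -d $server_ip -p $proto --dport $port -j ACCEPT"
    # 3. MASQUERADE the client so the server replies via the router; without
    #    it the server answers the client directly and the client discards
    #    packets from an address it never talked to. Side effect: the server
    #    logs the router's LAN address, not the real client.
    echo "iptables -t nat -A hairpin_post -s $lan_net -d $server_ip -p $proto --dport $port -j MASQUERADE"
}

# Accept only a dotted quad with octets 0-255, so a bad lease never reaches iptables.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# First IPv4 address on an interface (how a dynamic WAN address is discovered).
wan_ip_of() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Create the dedicated chains once and hook them into the built-in ones
# (-C checks whether the jump already exists, so this is safe to rerun).
hairpin_init() {
    iptables -t nat -N hairpin_pre 2>/dev/null
    iptables -t nat -C PREROUTING -j hairpin_pre 2>/dev/null || iptables -t nat -I PREROUTING -j hairpin_pre
    iptables -N hairpin_fwd 2>/dev/null
    iptables -C FORWARD -j hairpin_fwd 2>/dev/null || iptables -I FORWARD -j hairpin_fwd
    iptables -t nat -N hairpin_post 2>/dev/null
    iptables -t nat -C POSTROUTING -j hairpin_post 2>/dev/null || iptables -t nat -I POSTROUTING -j hairpin_post
}

# Flush and rebuild the set for the current WAN address. Called at boot and
# from the dhclient hook on every lease change.
apply_hairpin() {  # apply_hairpin WAN_IP LAN_NET SERVER_IP PORT [PROTO]
    is_ipv4 "$1" || { echo "apply_hairpin: '$1' is not an IPv4 address" >&2; return 1; }
    hairpin_init
    iptables -t nat -F hairpin_pre; iptables -F hairpin_fwd; iptables -t nat -F hairpin_post
    hairpin_rules "$@" | sh -e
}

# dhclient exit-hook body. Assumption: ISC dhclient-script exports $reason and
# $new_ip_address; LAN_NET and SERVER_IP are set in the hook's environment.
hairpin_dhclient_hook() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT) apply_hairpin "${new_ip_address:-}" "$LAN_NET" "$SERVER_IP" 80 ;;
    esac
}

# Minimal CLI: `rules WAN_IP LAN_NET SERVER_IP PORT` prints, `apply ...` installs,
# `refresh WAN_IFACE LAN_NET SERVER_IP PORT` reads the address off the interface first.
case "${1:-}" in
    rules)   shift; hairpin_rules "$@" ;;
    apply)   shift; apply_hairpin "$@" ;;
    refresh) apply_hairpin "$(wan_ip_of "$2")" "$3" "$4" "$5" ;;
esac
```

Run `sh hairpin.sh rules 203.0.113.10 192.168.1.0/24 192.168.1.50 80` to see the three rules before installing anything; `apply` needs root. On a static-address router the `apply` step at boot is enough; on a dynamic one the hook body is what keeps the DNAT match in step with the lease, which is the gap the proposal above describes. The MASQUERADE rule is deliberate: dropping it makes the server see the real client address but breaks the connection, because the server's reply then bypasses the router.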



    What is NAT Reflection?

    What exactly does it allow me to do?


    When configuring PAT, you have two options (at least in beta11 from what I read in these forums):
    1. Apply PAT rule to the WAN interface;
    2. Apply the PAT rule to the WAN IP.

    If you choose option 1, when inside the local network, if you try to access the WAN IP, you connect directly to the firewall and not to the server you wanted, because your traffic doesn’t go through the WAN interface.

    Option 2 is only a real option if you have a static ip in your WAN interface. If you have a dynamic ip address, as the configuration for option 2 requires an IP address and you don’t know it, you can’t use it.

    NAT reflection is a feature of several other products that allows you to have the behaviour of option 2 when using option 1.
    In zeroshell you don’t have a possibility to configure that behaviour. Maybe a checkbox in option 1 could define a rule that did this through the hooks of dhcp (to refresh the rules on dhcp renewal)


    I am trying to do the same thing. I have dsl and static ips. I want to be able to reach my webserver with its domain name from within my lan.

    I am not sure if I followed this topic correctly, but has this been solved?

    Do I need to implement Borage’s solution?

    Any help would be very appreciated.



    If you have the latest release of zeroshell the problem (yours) is solved I think. Just configure PAT through IP instead of interface…

    For those with dynamic IP the problem remains unsolved…


    thanks thund3rman for the reply. Just one thing 😳 , I don’t know what PAT is or where in zeroshell you configure it.

    Could you point me to it?

    thanks alot for your help.


    PAT = Port Address Translation (

    In zeroshell: router -> Virtual Servers
    One virtual server is one PAT entry in the firewall.

    Don’t forget to use IP instead of interface…


    thanks! You’re the man!

    really appreciate the help


    Can I use PAT / Virtual Servers to forward all packets from a particular Interface or IP Address to another Zeroshell router on the other end of my VPN connection. I want to use the other Zeroshell router as the Internet Access.

    I tried forwarding port 80 through the VPN, but when I check IPCHICKEN.COM for the ISP IP Address being used, it’s showing the source router’s ISP address.

    Is it possible, or is my thought process completely incorrect?

    What am I missing?
