nat reflection

Viewing 15 posts - 16 through 30 (of 39 total)

    I also have this issue, I tried to modify router_patconfig with the suggestion above, but it still doesn’t work.

    I think it would be just AWESOME if next to each virtual server you have a checkbox that says “Reflection” (or hairpin) and if you check it ZS will create the 2? extra iptables commands to allow access to the WAN ip port forwards from the internal range.



    Any news on this?

    Maybe it would be a good thing to run this at DHCP time (after getting the IP) for setups with a dynamic IP address.


    If you access your internal server not by IP but by a symbolic name, you can associate the symbolic name with the internal IP in DNS.

    For example, for an internal server you can create an A record with myserver

    Now if you use the symbolic name in the browser you are connected to

    Commercial routers also have this problem. For example Zyxel.



    I’m about to release a patch to b11/b12 that will allow something like this. Watch for it soon.

    The default rules aren’t actually the ones you want, but it is a good start, they are easily modified.


    Any development on this patch you mention?


    Hi zevlag!

    Firstly – thanks very much again for your patch for the > 100 virtual servers – I don’t know what we would have done without it! Works a treat!

    We would also like a solution for this PAT / VS issue. I think it’s the same one – basically, we have an email server configured on a VS on a public IP which NATs through to a private VLAN (let’s call it VLAN A).

    The email server can send and receive email fine to all users / servers on the WAN interface (outside).

    However we have servers inside the firewall – say on VLANB that also need to be able to send email to this server – alas – it’s not possible.

    I have had to do a horrible ‘internal DNS / email domain’ fix which isn’t perfect.

    So I would really like to be able to achieve this ‘NAT Reflection’ functionality in our setup – as one person pointed out on this list – it works great in PFSense.

    I only need this on one or two VS’s so if it’s a line in a script somewhere that would also work.

    Cheers – hope you are well!



    Jeff, could you post here the iptables rule? Most likely you will only need an iptables rule to avoid NAT when the connection is established to a client from VLAN B.


    aha. I am working on this now!

    I have just added the following to the ‘NAT and Virtual Servers Script’ on a test system here:

    iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
    iptables -A FORWARD -p tcp --dport 80 -d -j ACCEPT
    iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

    WAN IP in my case in this test setup is LAN web server is

    This initially did not work – I did notice that it added the following line to POSTROUTING – this looked right and I thought it *should* work. Alas no.

    MASQUERADE tcp -- * * tcp dpt:80

    However – if I enable the LAN interface (ETH0) as NAT (move it from left to right in the NAT settings page) – then all of a sudden it works! Hurrah! The additional line added to POSTROUTING when enabling NAT on the LAN interface was:

    MASQUERADE all -- * ETH03

    I only had NAT enabled on the WAN interface – that just seemed to work fine and there was never a need to enable NAT on the LAN interfaces as well…..

    I then experimented – thinking perhaps I could remove the first two lines – but alas – this only works with all three lines – even if I already configured a Virtual Server to route traffic from WAN to LAN.

    So now I have this working in my test setup – I just have to take a deep breath and apply it to live. Adding NAT to ETH3 seems like a bit of a blunderbuss method – if someone has an idea of how to achieve a working solution without having to NAT everything on ETH3 -or can spot why this script isn’t working on its own – that would be my preferred solution I think.

    Nearly there with this anyway….



    You are not providing enough info for us to help you. How many and which are your WAN interfaces?
    I suppose you are doing PAT on your WAN link(s), is that correct?
    Now you want a server that resides in the INSIDE zone of the firewall to communicate with the mail server. Are these two in the same LAN or in different? If the latter applies what are the firewall rules for the intervlan communication?


    Oh dear – it would help, when asking for help – if I actually type in scripts correctly – it looks like I really cocked stuff up!

    For the sake of completeness (and hopefully clarity) here are the settings and (hopefully) correct resolution:

    Interface IPs on ZS Box:

    ETH0 = WAN Interface (
    ETH3 = VLAN A Interface (
    ETH3 = VLAN B Interface (

    LAN Server IPs

    Server A, VLAN A =
    Server B, VLAN B =

    This device is being used only for routing PAT / NAT as we have a transparent firewall device handling firewall stuff.

    The desired functionality is for Server A to have PAT from WAN, but also this should work for servers in the same subnet / VLAN as Server A (VLAN A) – *AND* also for Server B in VLAN B.

    SO. After finally figuring out that I just plain typed up the script totally **wrong**, the following script now works – with no NAT mods required – with just the following TWO lines:

    iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

    I am assuming therefore, if I wanted (as per the above example) Server B to be able to connect to Server A but using the PAT on ETH0/WAN interface – I would need to add a third line, for an extra POSTROUTING entry for Server Bs subnet? So the final rule would look like this:

    iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE
    iptables -t nat -A POSTROUTING -s -p tcp --dport 80 -d -j MASQUERADE

    This looks good to you guys?

    The reason why the first PREROUTING line is required, when there is already a Virtual Server entry set up to forward traffic from the WAN to Server A, is that this Virtual Server rule is set only to ETH0 as ‘in’ – which does not work for my case, as I am wanting the ‘in’ interface to also include traffic coming in from ETH3.

    Sure enough, if I remove the interface specific Virtual Server rule and re-add it, this time with the interface set as ‘ANY’ – the ‘NAT Reflection’ works with just the POSTROUTING entries only.



    Jeff, what you want to do is pretty simple and I don’t understand why you have messed around with command-line iptables.
    In ZS web gui go Network->Router->NAT and enable ETH00
    Network->Router->Virtual Server add a rule INPUT INTERFACE=ETH00, IP ADDRESS=ANY. PROTOCOL=TCP, LOCAL PORT=80, REMOTE IP=, REMOTE PORT=80 and click the + button.


    Thanks – but your GUI suggestion doesn’t seem right to me.

    Firstly, I already have NAT enabled on ETH0 in the GUI.
    Secondly, your virtual server suggestion would see all WAN IPs forward port 80 to the web server on the LAN. Although my example only has one IP interface on ETH0 – the live system actually has multiple IPs on the WAN interface. I didn’t mention this before – sorry.

    So it’s not as simple as you think, and certainly not possible via the GUI without POSTROUTING scripts – if it was – this thread would not have been started in the first place – would it? 😀



    Doesn’t make any difference Jeff. In the VS instead of




    Now only the desired IP address will be forwarded to the server you want for port 80. Is that what you wished?


    I’m raising a long dead thread here, so please point me to a correct thread if there is one.

    I just installed Zeroshell 1.0 v16 this week and I’m replacing a Snapgear SG300 with it — both are Linux-based firewall routers. I need to be able to access internal servers via their WAN IPs because the host names have to match in some cases, both for HTTP host headers and for SSL / TLS so the certificate names match the host names. Yes, I know for SSL I can use subject alternative names, but this will be a public-facing server and commercial SAN certs are pricey. Host headers are even more difficult to work around.

    Testing jeffrhyjones’ NAT startup script example… I have static IPs so this works perfectly for both internal and external access to my server via the WAN IP:

    iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to
    iptables -t nat -A POSTROUTING -s internal.ip.subnet.0/24 -p tcp --dport 80 -d -j MASQUERADE

    I also found that I didn’t need to specify a virtual server setting in the Router pages if I scripted this at post-startup.

    Having come away from Snapgear, I miss the luxury of point-and-drool router configs. The SG did this “NAT reflection” for me automatically. But this Zeroshell thread was for v12. Is there a setting I missed in v16 to enable this without having to script it?

    I did find that if I enabled NAT on my internal interface like one fellow did here, it works but the source IP looks like the router’s IP and any logging or access lists that depend on source IPs don’t work right at all.


    Has anyone been able to make this work with dynamic WAN addresses?

    I’d really like to continue using ZeroShell, but this would really be a killer for my application.

    I’d love to be able to use DNS, but I have different ports going to different hosts on the internal LAN, so that’s out.
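    The rule pair that this thread converges on (a DNAT in PREROUTING that is not tied to the WAN interface, plus a source NAT in POSTROUTING for each internal subnet) is easy to get wrong when it is typed by hand for more than one or two virtual servers, and it has to be regenerated whenever a dynamic WAN address changes. The script below is an added example and is not ZeroShell’s own code or jeffrhyjones’ script; it generalises the three-line rule set posted earlier into a generator that emits the DNAT/MASQUERADE pair for any number of port forwards and internal subnets, and reads the current WAN address from the interface so it can be re-run from a DHCP hook. The interface name ETH00, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the server addresses and the public address 203.0.113.5 are all assumed values for illustration.

```shell
#!/bin/sh
# Hairpin NAT ("NAT reflection") rule generator for iptables.
# Added example, not ZeroShell's own code.  The interface name, subnets and
# addresses below are assumed for illustration.

# Print the rule pair for one port forward.  Rules are printed, not applied,
# so they can be reviewed first; pipe the output into sh to apply them.
#   hairpin_rules WAN_IP PROTO PUBLIC_PORT SERVER_IP SERVER_PORT LAN_NET...
hairpin_rules() {
    wan_ip=$1 proto=$2 pub_port=$3 srv_ip=$4 srv_port=$5
    shift 5
    # DNAT without an input-interface match: a LAN client connecting to
    # WAN_IP:PUBLIC_PORT is redirected exactly like an Internet client.
    printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_ip" "$proto" "$pub_port" "$srv_ip" "$srv_port"
    # Source NAT only for reflected flows: source in an internal subnet and
    # destination already rewritten to the server.  The server then replies
    # to the firewall, which reverses both translations; without it a client
    # in the server's own subnet would get the reply straight from the
    # server's real address and drop it.
    for net in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -j MASQUERADE\n' \
            "$net" "$srv_ip" "$proto" "$srv_port"
    done
}

# Current IPv4 address of an interface, for WAN links with a dynamic address.
# Re-run the generator from a DHCP hook so the rules follow the new lease.
wan_ip_of() {
    ip -4 -o addr show dev "$1" scope global | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Constructed configuration (assumed values): one line per virtual server,
# "proto public_port server_ip server_port".
WAN_IF=ETH00
LAN_NETS="192.168.10.0/24 192.168.20.0/24"
FORWARDS="tcp 80 192.168.10.10 80
tcp 443 192.168.10.10 443
tcp 25 192.168.10.20 25"

# Emit the full rule set for a given public address.
gen_all() {
    wan_ip=$1
    printf '%s\n' "$FORWARDS" | while read -r proto pub srv sport; do
        [ -n "$proto" ] || continue
        # $LAN_NETS is intentionally word-split: one argument per subnet.
        hairpin_rules "$wan_ip" "$proto" "$pub" "$srv" "$sport" $LAN_NETS
    done
}

# Usage:  ./hairpin.sh auto            print rules for the live WAN address
#         ./hairpin.sh auto | sh       apply them (e.g. from a DHCP hook)
#         ./hairpin.sh 203.0.113.5     print rules for a fixed address
# With no argument the script only defines the functions above.
case ${1:-} in
    "")   ;;
    auto) gen_all "$(wan_ip_of "$WAN_IF")" ;;
    *)    gen_all "$1" ;;
esac
```

Two things worth knowing before applying this. First, the source rewrite is only strictly required when the client sits in the same subnet as the server; when the firewall is the router between VLAN A and VLAN B the server’s reply already passes back through it and conntrack undoes the DNAT on its own, but the extra MASQUERADE line for that subnet is harmless. Second, MASQUERADE picks the address of the interface the packet leaves on, so the server sees the firewall’s LAN address as the client, exactly as observed later in this thread; `-j SNAT --to-source <firewall LAN IP>` behaves the same but makes the rewritten address explicit. That loss of the real client address in the server’s logs is inherent to hairpin NAT, which is why split-horizon DNS remains the cleaner option wherever every port for a name goes to the same host.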

