ha-wirelesscontrol-migration/TROUBLESHOOTING_NAT_REFLECTION.md

# OPNsense NAT Reflection Fix - Critical Configuration

Issue: Port forwards work from outside the network but NOT from inside it, or SSL certificate generation in Nginx Proxy Manager fails with `JSONObject["responsetime"] not found`

Solution: Enable "Automatic outbound NAT for Reflection" (System > Settings > Advanced > Firewall & NAT)


## 🎯 The Problem

When you have port forwards configured in OPNsense (e.g., port 80/443 → Nginx), you may encounter:

Symptoms:

  • Port forwards work from OUTSIDE your network (mobile data)
  • Port forwards DON'T work from INSIDE your network
  • SSL certificate generation fails in Nginx Proxy Manager
  • Can't access services using external domain from internal network
  • Firewall logs show: "Default deny / state violation rule"

Root Cause:

NAT Reflection is not properly configured.

NAT Reflection allows devices on your internal network (LAN) to reach internal services using the external IP address or domain name. Without it, the port-forwarded request reaches the internal server, but the server's reply takes a different path back to the client than the request took, so the firewall's state check rejects it.


## The Fix: Enable Automatic Outbound NAT for Reflection

### Step 1: Navigate to NAT Reflection Settings

  1. Log in to OPNsense: https://10.0.0.254

  2. Navigate to: System > Settings > Advanced

  3. Scroll to: Firewall & NAT section


### Step 2: Enable NAT Reflection

  1. Configure these settings:

     Reflection for port forwards:
       ● Enable (NAT + Proxy)

     Reflection for 1:1:
       ● Enable (NAT + Proxy)

     Automatic outbound NAT for Reflection:
       ☑ Enable automatic outbound NAT for Reflection  ← THIS IS CRITICAL!

     Reflection timeout: 2000 (default)

  2. Click SAVE

  3. Scroll to the bottom and click "Apply Changes"


### Step 3: Test Immediately

From INSIDE your network:

```bash
# Test accessing the service via the external domain
ping -c 3 immish.hideawaygaming.com.au
# Should resolve to your public IP

# Test HTTP
curl -I http://immish.hideawaygaming.com.au
# Should return: HTTP/1.1 200 OK or a 301 redirect

# Test in a browser: open https://immish.hideawaygaming.com.au
# Should show your service!
```

From OUTSIDE your network (mobile data):

  • Should continue to work as before

## 📋 What This Setting Does

Without "Automatic outbound NAT for Reflection":

```text
Internal Client (10.0.0.14)
    |
    | Request to: immish.hideawaygaming.com.au (120.156.234.95)
    v
[OPNsense WAN]
    |
    | NAT forward: 443 → 10.0.0.55:443
    v
[Nginx 10.0.0.55]
    |
    | Response to: 10.0.0.14 (direct, bypasses firewall)
    v
[Client 10.0.0.14] ❌ BLOCKED - connection state mismatch!
```

Result: "Default deny / state violation rule"

With "Automatic outbound NAT for Reflection" ENABLED:

```text
Internal Client (10.0.0.14)
    |
    | Request to: immish.hideawaygaming.com.au (120.156.234.95)
    v
[OPNsense WAN]
    |
    | NAT forward: 443 → 10.0.0.55:443
    | ALSO creates outbound NAT rule
    v
[Nginx 10.0.0.55]
    |
    | Response goes BACK to OPNsense
    v
[OPNsense]
    |
    | Translates back to original request
    v
[Client 10.0.0.14] ✅ SUCCESS - connection states match!
```

Result: Traffic flows correctly!
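The two diagrams can be played out in a few lines of code. The model below is an added illustration, not OPNsense code: it uses the addresses from this document (client 10.0.0.14, public IP 120.156.234.95, Nginx 10.0.0.55) and assumes 10.0.0.254, the login address given above, is the firewall's LAN interface. A stateful firewall only accepts a reply that matches a state it created for the request; without the outbound NAT, Nginx answers the client directly on the shared LAN, the firewall never sees the reply, and the client receives a packet from an address it never connected to. With it, the request's source is rewritten to the firewall, so the reply is addressed back to the firewall, matches the state, and is un-translated before reaching the client. The port choice for the translated source is arbitrary.

```python
"""Toy model of a port forward from the LAN, with and without outbound NAT for reflection."""
from dataclasses import dataclass, replace

PUBLIC_IP = "120.156.234.95"   # from this document
FW_LAN_IP = "10.0.0.254"       # assumed LAN interface of OPNsense (login address above)
NGINX_IP = "10.0.0.55"         # from this document
CLIENT_IP = "10.0.0.14"        # from this document


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """What the receiving host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    def __init__(self, outbound_nat_for_reflection):
        self.outbound_nat = outbound_nat_for_reflection
        self.states = {}   # translated (src, sport, dst, dport) -> packet as the client sent it
        self.log = []

    def forward_from_lan(self, pkt):
        """Port forward: rewrite the destination to Nginx. With 'Automatic outbound
        NAT for Reflection' the source is rewritten too, so the reply is addressed
        to the firewall and has to come back through it."""
        out = replace(pkt, dst=NGINX_IP)
        if self.outbound_nat:
            out = replace(out, src=FW_LAN_IP, sport=40000 + pkt.sport % 1000)
        self.states[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def handle_reply(self, reply):
        """A packet arriving at the firewall must match an existing state."""
        original = self.states.get((reply.dst, reply.dport, reply.src, reply.sport))
        if original is None:
            self.log.append("Default deny / state violation rule")
            return None
        # Undo both translations: the client sees an answer from the public IP:443.
        return Packet(PUBLIC_IP, original.dport, original.src, original.sport)


def deliver_on_lan(reply, fw):
    """Nginx and the client share a subnet: a reply addressed to the client is
    delivered directly and never crosses the firewall; one addressed to the
    firewall is handed to it for un-translation."""
    return fw.handle_reply(reply) if reply.dst == FW_LAN_IP else reply


def simulate(outbound_nat_for_reflection):
    """Return (ok, verdict): does the client get a reply matching its own request?"""
    fw = Firewall(outbound_nat_for_reflection)
    syn = Packet(CLIENT_IP, 51234, PUBLIC_IP, 443)
    at_client = deliver_on_lan(fw.forward_from_lan(syn).reply(), fw)
    if at_client is None:
        return False, fw.log[-1]
    if (at_client.src, at_client.sport) != (syn.dst, syn.dport):
        return False, (f"connection state mismatch: reply from {at_client.src}:{at_client.sport}, "
                       f"client expected {syn.dst}:{syn.dport}")
    return True, "reply matches the client's connection"


if __name__ == "__main__":
    for enabled in (False, True):
        ok, verdict = simulate(enabled)
        print(f"outbound NAT for reflection={enabled}: {'OK' if ok else 'FAIL'} - {verdict}")
```

The same state check is what produces the "Default deny / state violation rule" entries in the firewall log whenever a packet belonging to one of these half-built connections does reach OPNsense without a matching state.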

## 🔧 Common Scenarios Where This Matters

### 1. SSL Certificate Generation in Nginx Proxy Manager

Without NAT Reflection:

  • Let's Encrypt tries to verify domain
  • Request goes to external IP
  • Loops back through NAT
  • Gets blocked by firewall
  • Error: "JSONObject["responsetime"] not found"

With NAT Reflection:

  • Let's Encrypt verification works
  • Certificate generates successfully

### 2. Internal Access to Services

Without NAT Reflection:

```text
User types: https://plex.yourdomain.com
DNS resolves to: 203.x.x.x (public IP)
Request hits OPNsense WAN
Forwarded to Plex server
Response blocked ❌
```

With NAT Reflection:

```text
User types: https://plex.yourdomain.com
DNS resolves to: 203.x.x.x (public IP)
Request hits OPNsense WAN
Forwarded to Plex server
Response properly NAT'd back
User sees Plex! ✅
```

## 📝 Quick Reference Card

```text
╔═══════════════════════════════════════════════════════════╗
║          OPNsense NAT Reflection Quick Fix                ║
╠═══════════════════════════════════════════════════════════╣
║                                                           ║
║  Location: System > Settings > Advanced                   ║
║  Section: Firewall & NAT                                  ║
║                                                           ║
║  Settings:                                                ║
║    Reflection for port forwards: Enable (NAT + Proxy)     ║
║    Reflection for 1:1: Enable (NAT + Proxy)               ║
║    ☑ Enable automatic outbound NAT for Reflection         ║
║                                                           ║
║  Purpose:                                                 ║
║    Allows internal devices to access services             ║
║    using external IP/domain names                         ║
║                                                           ║
║  Result:                                                  ║
║    ✅ Port forwards work from anywhere                    ║
║    ✅ SSL certificates generate successfully              ║
║    ✅ Single URL works inside and outside network         ║
║                                                           ║
╚═══════════════════════════════════════════════════════════╝
```

  1. SSL Certificate Generation Failures

     • Error: "JSONObject["responsetime"] not found"
     • Error: "Connection timeout"
     • Error: "Domain validation failed"

  2. Firewall Blocking Internal Requests

     • Log: "Default deny / state violation rule"
     • Log: "Connection state mismatch"
     • Traffic blocked even with port forwards configured

  3. Services Not Accessible Internally

     • External domain works from mobile data
     • Same domain doesn't work from WiFi
     • Different behavior inside vs outside network

  4. Nginx Proxy Manager Issues

     • Can't generate certificates
     • Can't access proxied services internally
     • 502 Bad Gateway from internal network

This setting is CRITICAL for proper port forwarding functionality in OPNsense!

Always enable "Automatic outbound NAT for Reflection" when using port forwards for services that need to be accessed both internally and externally.


Discovered By: jessikitty
Date: December 21, 2025
Tested On: OPNsense 25.1, Mac mini 2014
Location: System > Settings > Advanced > Firewall & NAT