Pls Help NAT Reflection Hairpinning Loopback with iptables in ipfire

Hello all,

I am new to Ipfire and I am starting to get familiar with it.
I’ve tested pfsense, opnsense, sophos utm and XG, but only Ipfire was 100% compatible with my hardware used.
After testing and experimenting with the firewall, I got stuck with NAT Loopback (Accessing a server that is connected to the local network through the public IP of the router). It seems that this is not supported out of the box by Ipfire. So I would like to accomplish this task using iptables.
I am aware of a solution where one can edit a host in Ipfire so that the local dns redirects to the local IP of the server. Unfortunately this solution is only a workaround. In fact it does not work when using different ports on public and local interface for the same service on the server.

As mentioned in the wiki I edited the firewall.local file and added the following two lines in the start area:

iptables -t nat -A CUSTOMPREROUTING -i green0 -s -d red0 -p tcp -m tcp --dport 443 -j DNAT --to-destination

iptables -t nat -A CUSTOMPOSTROUTING -o green0 -s -d -p tcp -m tcp --dport 443 -j SNAT --to-source

and for the stop section:

iptables -t nat -F $c
iptables -t nat -Z $c

In that way the packets sent to the server through his public IP (red0) should be adapted by Ipfire so that they will be routed internally to the server’s local IP. (Server’s IP is, Ipfire is
Unfortunately I got a DROP_FORWARD entry in the firewall log for every try.
The default behavior of the firewall is set to block with few firewall allow rules from outside. Can someone please help me what exactly is needed to set in the firewall so that the above traffic (and only that one) will be allowed?

Thanks in advance.


Please read the corresponding documentation before attempting to
solve a problem that is already solved for you.

You do not need to do any custom iptables voodoo, port forwarding is supported
out of the box by IPFire, as it is a very basic firewall requirement.

Thanks, and best regards,
Peter Müller



Sorry, maybe I missed something, but I could not find in the WUI the NAT-Reflection option.
If it is not available, the problem above is not as simple as you think it is.
I would be pleased if you could direct me to the right menu in the WUI.

Of course simple Port forwarding is supported by IPFire, which Firewall can’t do it?

NAT Reflection however is not supported out of the box as discussed here, here, here, here and in other similar threads.

For a better understanding of the problem here is a very good explanation in Stackexchange:

Anyway, for future reference I got a solution for it:
In addition to the “iptables voodoo” above I added an additional Forward Rule: As source all other local IPs except the server IP, selected SNAT with the external Red0 interface and as destination the local server IP.

This way I can configure all Apps using the DDNS Address, the connections will work inside and outside the LAN.
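Added example (not from the thread or from the IPFire project): a firewall.local-style fragment that puts the three pieces discussed above together, the DNAT in CUSTOMPREROUTING, the SNAT in CUSTOMPOSTROUTING, and the forward rule that the DROP_FORWARD log entries in the first post were missing, for the case where the public port differs from the server's local port. All addresses, ports and the IPTABLES variable (used so the rule set can be inspected without touching a live firewall) are constructed placeholders; the CUSTOM* chains are the ones IPFire provides for firewall.local.

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) for one service, with different public and local ports.
# Constructed placeholder values; replace with your own network.
LAN_NET="192.168.1.0/24"   # network on green0
GREEN_IP="192.168.1.1"     # IPFire's own address on green0
SERVER_IP="192.168.1.10"   # internal server
PUBLIC_IP="203.0.113.5"    # address currently held by red0
PUBLIC_PORT=8443           # port clients use on the public address
LOCAL_PORT=443             # port the server actually listens on

# Add ("-A") or delete ("-D") the hairpin rule set.
# Set IPTABLES=echo to print the rules instead of applying them.
hairpin_nat() {
    action="$1"
    ipt="${IPTABLES:-iptables}"
    # 1. LAN client -> PUBLIC_IP:PUBLIC_PORT is rewritten to SERVER_IP:LOCAL_PORT.
    "$ipt" -t nat "$action" CUSTOMPREROUTING -i green0 -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$PUBLIC_PORT" -j DNAT --to-destination "$SERVER_IP:$LOCAL_PORT"
    # 2. Source becomes IPFire's green0 address so the server's replies return through
    #    IPFire (and get un-NATed) instead of going straight back to the client.
    "$ipt" -t nat "$action" CUSTOMPOSTROUTING -o green0 -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$LOCAL_PORT" -j SNAT --to-source "$GREEN_IP"
    # 3. Let only the DNATed green0 -> green0 flow through FORWARD; without this the
    #    default policy drops it and the log shows DROP_FORWARD.
    "$ipt" "$action" CUSTOMFORWARD -i green0 -o green0 -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$LOCAL_PORT" -m conntrack --ctstate DNAT -j ACCEPT
}

# firewall.local-style dispatch: "start" adds the rules, "stop" removes them.
case "${1:-}" in
    start) hairpin_nat -A ;;
    stop)  hairpin_nat -D ;;
esac
```

Only clients in LAN_NET that address the public IP are matched, so traffic from red0 still goes through the normal WUI port-forward rule and nothing else is opened.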


Hi all,

Peter I thought that reply was a bit harsh.

Yes IPFire does do reflection straight out of the box but there are plenty of things that break it easily overlooked or misunderstood.

For instance reflection on a vanilla flavour port forward NAT using the documentation link you supplied works fine SO LONG AS the source is any and you will be able to use the WAN facing IP to portforward from both RED and GREEN networks.

But for example say you try and filter source using GEO-IP then that breaks access from inside on GREEN because source IPs originating on green will be dropped by the GEO-IP source filter.

This was what I did for access to a server that was getting hit with brute force attacks, but it instantly broke internal access for us.

So I thought I could add an identical second rule but choose the source as GREEN. Job done.

But no, even though this is a legitimate routing configuration IPFIRE screens that and complains “Source and destination IP addresses are from the same subnet.” and won’t allow it.

I still haven’t found out how to work around this and set up via the gui rather than mucking about with iptables…

There are plenty of other configurations that ought to be allowed but are not, for example allowing or denying multiple GEO-IPs as source without having to configure a rule for every one of them.

So Tobias, in IPFIRE, Reflection is not configured separately, it just works, but only if you have a source of any.

Is that possibly your issue?