OPNsense

Author Topic: Nat 1:1 and reflection from the same network  (Read 2800 times)

sirio81
Nat 1:1 and reflection from the same network
« on: May 11, 2018, 09:40:42 am »
Hi all, I already spoke about NAT 1:1 and reflection in this topic, but I have another specific problem to solve.

Consider 3 LAN networks:

192.168.2.0/24 (office pc)
192.168.3.0/24 (office pc)
192.168.6.0/24 (servers)

I have three servers on 192.168.6.0/24.
For each server I'm using nat 1:1

1.2.3.4 -> 192.168.6.38 (webserver)
1.2.3.5 -> 192.168.6.10 (mailserver 1)
1.2.3.6 -> 192.168.6.11 (mailserver 2)

192.168.6.38 is a webserver.
I added a firewall rule on the WAN interface so that ports 80 and 443 can be reached from outside.
I added 2 rules on the LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass
Doing so, I'm able to reach my services from the office networks.

The only thing that doesn't work is, for example, to contact port 80 from network 192.168.6.0/24.

From the webserver itself
Code:
nmap  -p 80 1.2.3.4 -Pn
PORT   STATE    SERVICE
80/tcp filtered http

From the webserver to a mailserver
Code:
nmap -p 25 1.2.3.5 -Pn

Starting Nmap 6.47 ( http://nmap.org ) at 2018-05-11 09:38 CEST
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39478 > 1.2.3.5:25 S ttl=59 id=47236 iplen=44  seq=707988922 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.2.3.5, 16) => Operation not permitted
Offending packet: TCP 192.168.6.38:39479 > 1.2.3.5:25 S ttl=40 id=38922 iplen=44  seq=707923387 win=1024 <mss 1460>
Nmap scan report for server.domain.com (1.2.3.5)
Host is up.
PORT   STATE    SERVICE
25/tcp filtered smtp

Suggestions?

sirio81
Re: Nat 1:1 and reflection from the same network
« Reply #1 on: May 15, 2018, 09:15:51 am »
Quote
I added 2 rules on the LAN interface:
  from 192.168.2.0/24 to 192.168.6.0/24 Pass
  from 192.168.3.0/24 to 192.168.6.0/24 Pass

I think this is a symptom that NAT reflection is not working.
It means the requests don't get masqueraded with the public IP.

I double-checked the concept of NAT reflection on Wikipedia:
Quote
The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1

I forgot to mention my firewall is configured with multiwan.
I don't know if that may matter or not.
