OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: fbeye on July 11, 2023, 07:03:53 pm

Title: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: fbeye on July 11, 2023, 07:03:53 pm
I found an issue that concerns me, but maybe it is normal behavior that I am unaware of. I will explain it best I can.

WAN IP : x.x.x.182
Network : 192.168.5.0
Block of STATIC WAN IPs [ x.x.x.177 - x.x.x.182 ]

I have a Static NAT x.x.x.181 to 192.168.5.181. Remotely when I connect to it all works fine, I get redirected to the correct LAN IP using the correct WAN IP. Perfect. On 192.168.5.181 I have docker and run qbittorrent-vpn. Connects fine, all is perfect and I verify my VPN IP is correct. But, on 192.168.5.181 when I do 'whatsmyip' I get x.x.x.182. So, incoming is fine but outgoing resolves to the FW IP. Makes sense... So I make a rule that 192.168.5.181 is to use GW x.x.x.181. I do 'whatsmyip' and awesome, it shows x.x.x.181 as my WAN IP.
Now, the VPN Docker is aside from this. 192.168.5.181 as a whole is not on the VPN, simply that Docker, so I SHOULD see x.x.x.181, not the VPN IP or x.x.x.182.
But, now that I made the LAN out rule and check my qbittorrent-vpn, it shows BOTH the VPN IP and the x.x.x.181 IP as seeds/leech!!!! Somehow by making a rule for the LAN IP to go out on its correct WAN IP, I have it open my VPN and WAN IP as connections. How is this possible? If the qbit is running through the VPN, how could it possibly know about my real WAN IP?
Title: Re: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: Patrick M. Hausen on July 11, 2023, 07:50:54 pm
Don't use a GW but an outbound NAT rule to make inbound and outbound match.
Title: Re: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: fbeye on July 11, 2023, 10:29:32 pm
Hello, I got rid of the GW setup..

I was wondering though, theoretically should outgoing also use the same as incoming [without any outgoing rule] when 1:1 NAT is set up, or will outgoing always default to the FW GW, thus there will always need to be an outgoing NAT if I need the LAN IP to have the correct WAN IP?
Title: Re: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: Patrick M. Hausen on July 11, 2023, 10:30:51 pm
You always need an explicit outgoing NAT rule. The outgoing NAT does not care about any inbound rules and vice versa.
Title: Re: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: fbeye on July 11, 2023, 10:37:09 pm
Very interesting. I always ignorantly thought that to be the case. Thank you.
I wonder if my DNS or something has not updated, cause I #1 deleted the LAN rules you mentioned but #2 have yet to do the outbound NAT rule, but my 192.168.5.181 still resolves to its correct WAN x.x.x.181. I assume this should not be, because as you say outbound cares not about inbound. It has to be cached or something.
Title: Re: Interesting "leak phenomenon" when setting GW for a LAN IP for "out"
Post by: fbeye on July 12, 2023, 03:47:25 am
Well I am clearly doing something wrong.

Am I correct in thinking, I do not mind letting everything I do on 192.168.5.180 use the VPN for the WAN address, but I can create an OUTBOUND NAT for port 587 [email submission] that will bypass the VPN and use the correct WAN x.x.x.180?

So there is better understanding;

    Interfaces: Virtual IPs: Settings:    x.x.x.181/24    WAN    IP Alias
    Firewall: NAT: One-to-One:            WAN    x.x.x.181    192.168.5.181    *

With those 2 alone, my 192.168.5.181 works fine as it should. With the VPN OFF it has incoming and outgoing on x.x.x.181. When I establish the VPN, incoming works fine, outgoing does not, as it is clearly on the VPN IP, so what I did was;

    Firewall: NAT: Outbound:
        Interface           WAN
        TCP/IP Version      IPv4
        Protocol            TCP (tried any as well)
        Source address      192.168.5.181
        Translation/target  x.x.x.181

When monitoring the mail log, it keeps getting connection refused.
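To make the point from the reply above concrete (outbound NAT is matched on its own, independent of any 1:1 or inbound rule) and to show why the outbound rule in the last post cannot apply to traffic that leaves via the VPN, here is an added, simplified first-match model of outbound NAT evaluation. It is example code written for this thread, not OPNsense's or pf's own logic; the addresses 203.0.113.x / 198.51.100.x are constructed RFC 5737 stand-ins for the x.x.x.181, x.x.x.182 and VPN addresses, and the model assumes that the egress interface has already been chosen by routing or policy before NAT rules are consulted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str            # egress interface the rule is bound to (e.g. "WAN")
    source: str               # source network in CIDR, e.g. "192.168.5.181/32"
    translation: str          # address the source is rewritten to
    protocol: str = "any"     # "any", "tcp" or "udp"
    dst_port: Optional[int] = None  # restrict to one destination port, or None


@dataclass(frozen=True)
class Flow:
    src: str
    egress_interface: str     # decided by routing/policy before NAT (model assumption)
    protocol: str
    dst_port: int


def translated_source(flow: Flow, rules: list, iface_addr: dict) -> str:
    """Return the source address the flow leaves with under first-match rules.
    A rule is only considered on its own egress interface; a flow no rule
    matches is masked with that interface's own address (models the automatic
    outbound NAT a firewall applies by default; assumption for this example)."""
    for rule in rules:
        if rule.interface != flow.egress_interface:
            continue
        if ip_address(flow.src) not in ip_network(rule.source):
            continue
        if rule.protocol != "any" and rule.protocol != flow.protocol:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.translation
    return iface_addr[flow.egress_interface]


# Constructed sample: interface addresses and the single outbound rule from the thread.
IFACE_ADDR = {"WAN": "203.0.113.182", "VPN": "198.51.100.7"}
RULES = [OutboundNatRule("WAN", "192.168.5.181/32", "203.0.113.181", "tcp")]


def egress_addresses() -> dict:
    """Same host, same rule set: only the flow that actually leaves via WAN is
    rewritten to the alias; the VPN-routed flow never sees the WAN rule."""
    via_wan = Flow("192.168.5.181", "WAN", "tcp", 587)
    via_vpn = Flow("192.168.5.181", "VPN", "tcp", 587)
    return {"via_wan": translated_source(via_wan, RULES, IFACE_ADDR),
            "via_vpn": translated_source(via_vpn, RULES, IFACE_ADDR)}
```

Checking the observed public address of a host against this expectation is the simplest way to spot a leak like the one described in the first post.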