OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: woter324 on April 08, 2020, 12:17:08 am

Title: Converting Cisco NAT rules to OpnSense
Post by: woter324 on April 08, 2020, 12:17:08 am
Hi,

On my recently dead Cisco router, I had the NAT rule, thus:
! PAT ("overload"): sources matched by ACL 101 are translated to the
! address of Dialer0, with ports rewritten as needed
ip nat inside source list 101 interface Dialer0 overload
!
! ACL 101 selects which inside hosts are eligible for translation
access-list 101 permit ip host 192.168.81.30 any

I'm trying to give OpnSense the same behaviour. I've tried both "Outbound" and "Port-forward" but I can't seem to get it to work. I'm not sure if it's something with the NAT rule or FW rule, however, the VLAN the local device (192.168.81.30) is on has an any-any in and out rule with logging enabled. I do not see any traffic hitting the rule.

Here's what I've tried:
Outbound NAT:
|Interface|Source|Source Port|Destination|Destination Port|NAT Address|NAT Port|Static Port|
|WAN|192.168.81.30|*|*|*|WAN Address|*|No|

Port Forward:
|Interface|Proto|Source Address|Ports|Destination Port|Destination Address|Ports|NAT IP|Ports
|WAN|-|*|*|*|*|*|192.168.81.30|*|

I'm not 100% sure which type of NAT to use and whether the logging shows in the "Live View".

If anyone could offer some pointers, I'd be very grateful.

T.I.A
Title: Re: Converting Cisco NAT rules to OpnSense
Post by: woter324 on April 08, 2020, 08:17:59 pm
Anyone, please? I am really struggling with this. I can't find any good examples...
Title: Re: Converting Cisco NAT rules to OpnSense
Post by: shadesh on April 09, 2020, 08:39:36 am
Quote from: woter324 on April 08, 2020, 12:17:08 am
Hi,

On my recently dead Cisco router, I had the NAT rule, thus:
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip host 192.168.81.30 any

Can you tell us if 192.168.81.30 is part of your current LAN and "Dialer0" is the WAN Interface on OPNSense? If so, you already should be covered by the Outbound NAT Mode

"Automatic outbound NAT rule generation
(no manual rules can be used)"

If not, you should first set it to

"Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules)"

And generate an Outbound NAT Rule like you already did. Interface WAN (if this is your "Dialer0" Interface like on your Cisco). What you had on your Cisco was a "NAT Hide" Rule. This should work.
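As an added worked example (not code from the thread, from Cisco or from OPNsense), the following script does the translation shadesh describes mechanically: it parses the `ip nat inside source list ... interface ... overload` statement together with its access-list and emits, for each ACL entry, the outbound NAT rule in the pf(4) syntax OPNsense renders for "NAT Address: WAN address, Static Port: No". Assumptions: the Cisco-to-OPNsense interface name mapping (`Dialer0` to `pppoe0`) is made up, the second access-list line (a /24 written with a wildcard mask) is constructed to show subnet handling and is not from the original post, and the rendered rule string only mirrors the shape of what OPNsense generates, it is not produced by OPNsense itself.

```python
"""Convert Cisco IOS PAT ("overload") config into OPNsense-style pf outbound NAT rules.

Added example for the OPNsense forum thread on converting Cisco NAT rules;
not Cisco, OPNsense or pf code.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the config from the original post, plus one extra
# ACL entry with a wildcard mask (an assumption, added to exercise subnet parsing).
CISCO_CONFIG = """\
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip host 192.168.81.30 any
access-list 101 permit ip 192.168.82.0 0.0.0.255 any
"""

# Assumed mapping from Cisco interface names to the OPNsense/pf interface name
# that the WAN (here a PPPoE dial-up) lives on. Adjust to your box.
IFACE_MAP = {"Dialer0": "pppoe0"}

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload\s*$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (host \S+|any|\S+ \S+) any\s*$")


@dataclass(frozen=True)
class OutboundNat:
    """One manual outbound NAT entry as OPNsense would show it."""
    interface: str            # OPNsense interface the rule is bound to (the WAN)
    source: str               # source network in CIDR, or "any"
    static_port: bool = False # Static Port: No -> let pf rewrite the source port

    def to_pf(self) -> str:
        # Translate to the interface's current address, i.e. Cisco "overload".
        # OPNsense renders "Static Port: No" as an explicit ephemeral port range.
        rule = f"nat on {self.interface} inet from {self.source} to any -> ({self.interface})"
        return rule + (" static-port" if self.static_port else " port 1024:65535")


def acl_source_to_cidr(text: str) -> str:
    """Turn an IOS ACL source spec ('host A', 'any', 'NET WILDCARD') into CIDR."""
    parts = text.split()
    if parts[0] == "any":
        return "any"
    if parts[0] == "host":
        return f"{ipaddress.IPv4Address(parts[1])}/32"
    network, wildcard = parts
    wild_bits = int(ipaddress.IPv4Address(wildcard))
    mask_bits = wild_bits ^ 0xFFFFFFFF          # IOS wildcard is an inverted netmask
    prefix = bin(mask_bits).count("1")
    if mask_bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return str(ipaddress.IPv4Network((network, prefix), strict=False))


def convert(config: str, iface_map: dict[str, str]) -> list[OutboundNat]:
    """Parse the IOS config and return one outbound NAT entry per ACL permit line."""
    acls: dict[str, list[str]] = {}
    nat_stmts: list[tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank lines and IOS comments
            continue
        if m := NAT_RE.match(line):
            nat_stmts.append((m.group(1), m.group(2)))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(acl_source_to_cidr(m.group(2)))
    rules: list[OutboundNat] = []
    for acl_id, cisco_if in nat_stmts:
        if cisco_if not in iface_map:
            raise ValueError(f"no OPNsense interface mapped for Cisco interface {cisco_if}")
        for src in acls.get(acl_id, []):
            rules.append(OutboundNat(iface_map[cisco_if], src))
    return rules


def render_pf(rules: list[OutboundNat]) -> str:
    return "\n".join(r.to_pf() for r in rules)


if __name__ == "__main__":
    print(render_pf(convert(CISCO_CONFIG, IFACE_MAP)))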
Title: Re: Converting Cisco NAT rules to OpnSense
Post by: woter324 on April 09, 2020, 11:06:38 am
Hi Shadesh,

Thank you for replying.

192.168.81.30 is in a VLAN and is connected to the internal interface. Both on Cisco and OpnSense (igb0[LAN]).

I had OpnSense in Hybrid Outbound NAT mode. The device on 192.168.81.30 did not work, so I tried to add the rule mentioned above.

I read a very informative post about NAT'ing on pfSense https://blog.monstermuffin.org/pfsense-guide-nat-firewall-rules-networking-101/ where I have now set it to manual mode. I've put in my rules so the VLANs can get out to the Internet, plus this rule. VLANs can access the internet, but the device on 192.168.81.30 does not connect.

For background information, this device is a femtocell (Vodafone Sure Signal). Part of the job of the device is to create a VPN tunnel back to Vodafone. For troubleshooting purposes, I have opened up the firewall with logging on, however, I cannot see any traffic pertaining to Vodafone's public IPs, pertinent ports or 192.168.81.30 in the logs, bar the DHCP request.

Thanks again.

Title: Re: Converting Cisco NAT rules to OpnSense
Post by: shadesh on April 09, 2020, 01:10:14 pm
Is that Subnet (Where this single IP is part of) directly connected as VLAN or is it not part of any (V)LAN interface of the OPNSense? If so, maybe there is no route to reach this subnet (IP)? Can your OPNSense Box ping that IP Address? Normally you don't need manual NAT Rules for Subnets directly connected to the OPNSense. Can you post a screenshot of your NAT Rule Overview?
Title: Re: Converting Cisco NAT rules to OpnSense
Post by: woter324 on April 09, 2020, 02:56:39 pm
Hi Shadesh,

It is part of a VLAN and I can ping it from the FW and from any other host on any other VLAN.

Are you saying that I should be using the Automatic NAT rule generation? The reason I've moved to manual NAT rules is that I will route everything through an anonymous VPN - eventually... and I was following the blog that I referenced earlier, however, to get this Sure Signal thing working, I'm happy to try Automatic - if that is what you are suggesting.

Screenshot attached.

Interestingly, I did something to lose all Internet connectivity. I've got it back now, but I've disabled the "Single Gateway". I thought that at least one gateway would be required. Is it not the same as the Cisco command `ip route 0.0.0.0 255.255.255.255 Dialer0`?

Thanks again.

Title: Re: Converting Cisco NAT rules to OpnSense
Post by: shadesh on April 09, 2020, 04:17:12 pm
Is the Single IP NAT Rule on your Screenshot intentionally disabled?
Or was it only for testing purposes?
Title: Re: Converting Cisco NAT rules to OpnSense
Post by: woter324 on April 09, 2020, 04:30:33 pm
Hi Shadesh,

I created it to try and match that Cisco rule, but from what you're saying, I believe I shouldn't need it, so it's disabled for now.

Thanks