OPNsense Forum

English Forums => General Discussion => Topic started by: vol714poursydney on March 30, 2021, 11:27:36 AM

Title: Problem with Opnsense CNAT, ? NAT
Post by: vol714poursydney on March 30, 2021, 11:27:36 AM
Hello,

Here is my network :

LAN 192.168.1.X <-----BOX OPNSENSE (Router) ------> WAN 100.64.32.138 <-----------> @Virtual IP :  45.84.XX.XXX

The rules (outbound) set up are (attached)

a Virtual ip is set up on the opnsense router 45.84.XX.XXX

I manage to get all computers on the network onto the internet without any problem.

But I want to connect to the web administration interface of OPNsense from the outside and I don't manage to do it.

I tried to NAT 45.84 to the local (CNAT?) IP of the WAN (100.64.32.X) but it doesn't work (the outgoing connection seems to go out on the wrong port).

Can you help me ?

thanks

Title: Re: Problem with Opnsense CNAT, NAT
Post by: tiermutter on March 30, 2021, 11:45:19 AM
Quote from: vol714poursydney on March 30, 2021, 11:27:36 AM
But I want to connect to the web administration interface of OPNsense from the outside and I don't manage to do it.

You should never make the GUI of your FW directly accessible from WAN!

Using CGNAT (Carrier Grade NAT) there is no chance connecting via IPv4, as the name says:
NAT will be done by your carrier, not by your sense.

The only way to access your FW is by using your public IPv6. To be safe, create a VPN server on v6 WAN interface and use VPN to connect to your sense.
Title: Re: Problem with Opnsense CNAT, NAT
Post by: vol714poursydney on March 30, 2021, 12:15:31 PM
Hello

Yes I know. It was an example. In fact let me take another one: how can I configure a WireGuard VPN on port 443? It doesn't work either.

Are you sure there is no chance it works? Because before there was a MikroTik router with RouterOS and it was possible to forward ports and to connect from outside to local addresses (but since OPNsense is not the same config).

I assume I have a carrier grade NAT but in fact I don't really know if it is the case...
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: tiermutter on March 30, 2021, 12:59:03 PM
What do you mean with "CNAT"? I assumed you mean carrier grade NAT.

Afaik there is no chance to connect to services running behind CGNAT, also no chance for you to try with port forwards.
45.84.XX.XXX is the only public address, reachable from WAN. This IP is shared by lots of users.

                                                  / 100.64.32.X (you)
45.84.XX.XXX (carrier) -- CGNAT
                                                  \ 100.64.32.n (the other ones)

Assume you try to connect to 45.84.XX.XXX:443 ... where should your carrier route port 443 to? To you? To the other ones? He doesn't know, but he has to know, because he is the only one who would be able to configure it.

Can't imagine how this may have worked with your old router, without forwards done by your carrier.
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: Greelan on March 30, 2021, 01:40:35 PM
Quote from: vol714poursydney on March 30, 2021, 12:15:31 PM
I assume i  have a carrier grade nat but in fact I don't really know if it is the case...
You have CG-NAT. 100.64.32.x is a private address space.
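The two points made above (the carrier holds the only public address and has no idea which subscriber port 443 belongs to, and 100.64.x.x is the RFC 6598 shared address space) can be shown with a small model. This is an added example, not code from the thread or from OPNsense; the public IP 198.51.100.1 and the port numbers are constructed placeholders.

```python
# Added example: classify a WAN address and model why an unsolicited inbound
# connection to a carrier-grade NAT's public IP never reaches a subscriber.
import ipaddress

CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for the address on a WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SHARED:
        return "cgnat"      # the carrier does the NAT; your own port forwards cannot be reached
    if any(ip in n for n in RFC1918):
        return "private"    # another NAT box sits in front of you (e.g. an ISP modem/router)
    return "public" if ip.is_global else "other"


class CarrierNAT:
    """Stateful NAT: one public IP shared by many subscribers; mappings exist only for outbound flows."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}          # public_port -> (subscriber_ip, subscriber_port)
        self.next_port = 40000   # constructed port allocator for the model

    def outbound(self, src_ip: str, src_port: int):
        """A subscriber opens a connection: allocate a public port and remember the mapping."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src_ip, src_port)
        return (self.public_ip, port)

    def inbound(self, dst_port: int):
        """A packet from the Internet to public_ip:dst_port is delivered only if a mapping exists.

        None means the carrier drops it: nobody told the carrier which of the
        100.64.0.0/10 subscribers should get port dst_port."""
        return self.table.get(dst_port)


def demo():
    nat = CarrierNAT("198.51.100.1")                 # constructed public IP (RFC 5737 documentation range)
    pub_ip, pub_port = nat.outbound("100.64.32.138", 51000)   # subscriber browses out: mapping created
    assert nat.inbound(pub_port) == ("100.64.32.138", 51000)  # replies to that flow find their way back
    return nat.inbound(443)   # someone tries public_ip:443 from outside: no mapping, packet dropped


if __name__ == "__main__":
    print(classify_wan_address("100.64.32.138"), demo())
```

Running the same classification against the WAN address OPNsense shows (Interfaces > Overview) tells you immediately whether a port forward on your own box can ever see inbound traffic.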
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: vol714poursydney on March 30, 2021, 02:39:04 PM
Thank you,

So is there any way to solve this? With IPv6? How can I do it?

regards
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: chemlud on March 30, 2021, 02:49:44 PM
You need one side with a public IP (if it's not static you can use a DynDNS service). Then you can establish a tunnel (ssh, OpenVPN, WireGuard, choose your weapon) and access your LAN behind the CGNAT. Or you find a better ISP that provides a public IP to your WAN.
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: tiermutter on March 30, 2021, 02:55:39 PM
Quote from: vol714poursydney on March 30, 2021, 02:39:04 PM
So is there any way to solve this? With IPv6? How can I do it?

You need to set up IPv6 at least for your WAN interface.
Check this to do this: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html
Remember that your carrier may need other configurations. When successfully done, you will see a v6 address allocated to your WAN interface. From this point other configurations (FW rules, ...) are similar to IPv4, without the need for any forwardings (with IPv6 there is no need for NAT).

To set up e.g. an OpenVPN server, just configure it on the WAN interface with UDP6 and route your v4 LAN through the VPN. Then there is no need to use v6 addresses, except for connecting to your VPN server.
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: chemlud on March 30, 2021, 03:18:23 PM
NAT is not a liability, it's an asset from the security perspective. If you haven't done IPv6, the IPv6 way is asking for trouble...
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: vol714poursydney on March 30, 2021, 04:15:04 PM
Hello,

What seems strange is that the OPNsense I installed has replaced another router (under RouterOS) and on this one I managed to do port forwarding (I'm sure of it because I could connect from the outside to an internal LAN address on a web interface).

How can that be possible?

To be more precise: when I attempt a connection on @virtual ip:443 I see the connection incoming in the firewall log. Don't know if this helps.
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: lfirewall1243 on March 30, 2021, 09:22:01 PM
Quote from: vol714poursydney on March 30, 2021, 04:15:04 PM
Hello,

What seems strange is that the OPNsense I installed has replaced another router (under RouterOS) and on this one I managed to do port forwarding (I'm sure of it because I could connect from the outside to an internal LAN address on a web interface).

How can that be possible?

To be more precise: when I attempt a connection on @virtual ip:443 I see the connection incoming in the firewall log. Don't know if this helps.
Are you trying from your own network, or from something like a mobile network?
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: vol714poursydney on March 30, 2021, 10:00:10 PM
From internet (another link)
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: vol714poursydney on April 03, 2021, 07:55:20 AM
Any idea? 8)
Title: Re: Problem with Opnsense CNAT, ? NAT
Post by: Inxsible on April 06, 2021, 09:14:30 AM
Quote from: vol714poursydney on March 30, 2021, 04:15:04 PM
Hello,

What seems strange is that the OPNsense I installed has replaced another router (under RouterOS) and on this one I managed to do port forwarding (I'm sure of it because I could connect from the outside to an internal LAN address on a web interface).

How can that be possible?
Did you by any chance have your ISP set up a NAT rule for you specifically? If not you, then maybe some other firewall admin on your network might have had the ISP set up a NAT rule for your network. ISPs will do that "sometimes" -- but no guarantees that they will continue to.

Another option is that if you are trying to set up a peer-to-peer VPN, you can have your client (behind a CGNAT) still call the server as long as the server is behind a public IP (v4 or v6).

Road-warrior style VPNs don't work with CGNAT unless you can have