OPNsense Forum
English Forums => High availability => Topic started by: fox-octi on October 25, 2021, 09:30:35 pm
-
External Ip WAN1 Router (Intern: 192.168.2.1) Forward Port 2222 -->OpnSense (192.168.2.139) Port 2222 --> Linux SSH 22
External Ip WAN2 Router (Intern: 192.168.9.1) Forward Port 2222 -->OpnSense (192.168.9.30) Port 2222 --> Linux SSH 22
If WAN1 is active, the forward works only on WAN1.
If WAN1 is not active but still alive, it works only on WAN2, which is active at that moment.
I'm really sure that the configuration is fine, but it is still not working. Can someone help?
Attached you will find my configuration. Hopefully I changed everything that is credentials and so on.
best regards
chris
-
Solution found:
In the incoming port forward rule the packet has to be tagged. Afterwards you have to define an outgoing rule on the LAN interface that, depending on the tag, sets which gateway the reply should go out on.
Example:
<!-- Port forward on WAN (WAN1): every packet matched here is tagged GUIDO -->
<rule>
  <protocol>tcp</protocol>
  <interface>wan</interface>
  <category/>
  <ipprotocol>inet</ipprotocol>
  <descr>SSHForwardGuido</descr>
  <tag>GUIDO</tag>
  <tagged/>
  <poolopts/>
  <associated-rule-id>pass</associated-rule-id>
  <log>1</log>
  <target>Gitlab</target>
  <local-port>22</local-port>
  <source>
    <address>ExterneKundenFesteIPs</address>
  </source>
  <destination>
    <network>wanip</network>
    <port>2222</port>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635226835.6125</time>
    <description>/firewall_nat_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.224</username>
    <time>1613770090.0138</time>
    <description>/firewall_nat_edit.php made changes</description>
  </created>
</rule>
<!-- Same port forward on OPT1 (WAN2), tagged RAMON so the reply rule can tell the two apart -->
<rule>
  <protocol>tcp</protocol>
  <interface>opt1</interface>
  <category/>
  <ipprotocol>inet</ipprotocol>
  <descr>SSHForwardRamon</descr>
  <tag>RAMON</tag>
  <tagged/>
  <poolopts/>
  <associated-rule-id>pass</associated-rule-id>
  <log>1</log>
  <target>Gitlab</target>
  <local-port>22</local-port>
  <source>
    <address>ExterneKundenFesteIPs</address>
  </source>
  <destination>
    <network>opt1ip</network>
    <port>2222</port>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635226643.7175</time>
    <description>/firewall_nat_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.30</username>
    <time>1624425142.575</time>
    <description>/firewall_nat_edit.php made changes</description>
  </created>
</rule>
<!-- Outbound pass rule on LAN: matches packets tagged RAMON and pins the reply path to the OPT1 gateway -->
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tagged>RAMON</tagged>
  <statetype>keep state</statetype>
  <descr>RAMON-GW-Tagged-TCP-UDP-LAN</descr>
  <direction>out</direction>
  <reply-to>OPT1_DHCP</reply-to>
  <quick>1</quick>
  <protocol>tcp/udp</protocol>
  <source>
    <any>1</any>
  </source>
  <destination>
    <any>1</any>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635233677.4174</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.52</username>
    <time>1615028745.5929</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
</rule>
<!-- Outbound pass rule on LAN: matches packets tagged GUIDO and pins the reply path to the WAN gateway -->
<rule>
  <type>pass</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tagged>GUIDO</tagged>
  <statetype>keep state</statetype>
  <descr>GUIDO-GW-Tagged-TCP-UDP-LAN</descr>
  <direction>out</direction>
  <reply-to>WAN_DHCP</reply-to>
  <quick>1</quick>
  <protocol>tcp/udp</protocol>
  <source>
    <any>1</any>
  </source>
  <destination>
    <any>1</any>
  </destination>
  <updated>
    <username>root@172.16.222.30</username>
    <time>1635233713.586</time>
    <description>/firewall_rules_edit.php made changes</description>
  </updated>
  <created>
    <username>root@172.16.222.30</username>
    <time>1635232485.8618</time>
    <description>/firewall_rules_edit.php made changes</description>
  </created>
</rule>
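The pattern in the post is easy to get subtly wrong: a port forward without a tag, a LAN rule whose tagged value does not match, or a reply-to pointing at the gateway of the other WAN all fail silently and only show up as the "works on one WAN only" symptom. The following script is an added example, not code from the post or from OPNsense; it reads a config.xml fragment with the same <nat><rule> / <filter><rule> layout as the rules above and reports every port forward whose reply path is not pinned to the gateway of the interface it arrived on. The interface-to-gateway mapping is an assumption supplied by hand, because DHCP gateways such as WAN_DHCP are not always listed in config.xml, and the sample config embedded below is constructed from the posted rules with one extra untagged forward added to show a failing case.

```python
"""Check that each tagged OPNsense port forward has a matching LAN 'out' rule
whose reply-to names the gateway of the WAN the forward is bound to.
Added example; not part of the forum post or of OPNsense itself."""
import xml.etree.ElementTree as ET

# Constructed sample: the two port forwards and two LAN rules from the post,
# trimmed to the elements that matter, plus one untagged forward that is wrong.
SAMPLE_CONFIG = """<opnsense>
  <nat>
    <rule><interface>wan</interface><tag>GUIDO</tag><descr>SSHForwardGuido</descr>
      <target>Gitlab</target><local-port>22</local-port></rule>
    <rule><interface>opt1</interface><tag>RAMON</tag><descr>SSHForwardRamon</descr>
      <target>Gitlab</target><local-port>22</local-port></rule>
    <rule><interface>opt1</interface><tag/><descr>UntaggedForward</descr>
      <target>Gitlab</target><local-port>443</local-port></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>lan</interface><direction>out</direction>
      <tagged>RAMON</tagged><reply-to>OPT1_DHCP</reply-to><descr>RAMON-GW-Tagged</descr></rule>
    <rule><type>pass</type><interface>lan</interface><direction>out</direction>
      <tagged>GUIDO</tagged><reply-to>WAN_DHCP</reply-to><descr>GUIDO-GW-Tagged</descr></rule>
  </filter>
</opnsense>"""

# Assumption: which gateway belongs to which WAN interface. Dynamic (DHCP)
# gateways are not always present in config.xml, so this is given by hand.
IFACE_GATEWAY = {"wan": "WAN_DHCP", "opt1": "OPT1_DHCP"}


def _text(elem, name):
    """Text of a child element, or '' when the child is missing or empty."""
    child = elem.find(name)
    return (child.text or "").strip() if child is not None else ""


def check_reply_to(config_xml, iface_gateway=IFACE_GATEWAY):
    """Return a list of (descr, problem) for port forwards whose replies are
    not pinned to the gateway of the interface the forward is bound to."""
    root = ET.fromstring(config_xml)

    # Index LAN outbound pass rules by the tag they match on -> their reply-to.
    lan_out = {}
    for rule in root.iterfind("./filter/rule"):
        if (_text(rule, "interface") == "lan"
                and _text(rule, "direction") == "out"
                and _text(rule, "type") == "pass"
                and _text(rule, "tagged")):
            lan_out[_text(rule, "tagged")] = _text(rule, "reply-to")

    problems = []
    for rule in root.iterfind("./nat/rule"):
        descr = _text(rule, "descr")
        iface = _text(rule, "interface")
        tag = _text(rule, "tag")
        if not tag:
            problems.append((descr, "port forward sets no tag, replies follow the default gateway"))
            continue
        if tag not in lan_out:
            problems.append((descr, f"no LAN out rule matches tag {tag}"))
            continue
        want = iface_gateway.get(iface)
        if lan_out[tag] != want:
            problems.append((descr, f"LAN out rule for {tag} uses reply-to "
                                    f"{lan_out[tag] or '(none)'}, expected {want}"))
    return problems


if __name__ == "__main__":
    # With the posted rules only the deliberately untagged forward is reported.
    for descr, problem in check_reply_to(SAMPLE_CONFIG):
        print(f"{descr}: {problem}")
```

Run it against a real backup by reading the file instead of SAMPLE_CONFIG and adjusting IFACE_GATEWAY to the gateway names shown under System > Gateways; an empty result means every forward has its own tag, a LAN out rule for that tag, and a reply-to on the right gateway.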
-
Hi, I have the same issue.
Do I have to make the changes on the CLI? Or edit a backup and restore it?
Where did you find that solution?
Thank you for your answer.
Best regards
Ralf
-
Hi,
the solution was found by testing :)
No changes via the CLI, and no restore was needed.
best regards
Chris
-
Hi Chris,
thank you for your answer, but I still don't know how and where I can configure this.
:(
Ralf
-
Thank you Chris for your support.
I think, we found the solution.
I will perform some tests and publish the results - next year ;)
Cheers
Ralf