OPNsense Forum

English Forums => High availability => Topic started by: fox-octi on October 25, 2021, 09:30:35 pm

Title: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: fox-octi on October 25, 2021, 09:30:35 pm
External IP WAN1 Router (internal: 192.168.2.1) Forward Port 2222 --> OPNsense (192.168.2.139) Port 2222 --> Linux SSH 22

External IP WAN2 Router (internal: 192.168.9.1) Forward Port 2222 --> OPNsense (192.168.9.30) Port 2222 --> Linux SSH 22

If WAN1 is active, the forward is working only on WAN1.
If WAN1 is not active, but still alive, it is working only on WAN2, which is active at this moment.

I am really sure that the configuration is fine, but it is still not working. Can someone help?

Attached you will find my configuration. Hopefully I changed everything that is credentials and so on.

best regards

chris

Title: Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: fox-octi on October 26, 2021, 10:26:57 am
Solution found:

In the incoming port forward rule the packet has to be tagged. Afterwards you have to define an outgoing rule on the LAN interface that, depending on the tag, sets on which gateway the reply should go.

Example:

    <rule>
      <protocol>tcp</protocol>
      <interface>wan</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardGuido</descr>
      <tag>GUIDO</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>wanip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226835.6125</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.224</username>
        <time>1613770090.0138</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
   
    <rule>
      <protocol>tcp</protocol>
      <interface>opt1</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>SSHForwardRamon</descr>
      <tag>RAMON</tag>
      <tagged/>
      <poolopts/>
      <associated-rule-id>pass</associated-rule-id>
      <log>1</log>
      <target>Gitlab</target>
      <local-port>22</local-port>
      <source>
        <address>ExterneKundenFesteIPs</address>
      </source>
      <destination>
        <network>opt1ip</network>
        <port>2222</port>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635226643.7175</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1624425142.575</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>

    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>RAMON</tagged>
      <statetype>keep state</statetype>
      <descr>RAMON-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>OPT1_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233677.4174</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.52</username>
        <time>1615028745.5929</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <tagged>GUIDO</tagged>
      <statetype>keep state</statetype>
      <descr>GUIDO-GW-Tagged-TCP-UDP-LAN</descr>
      <direction>out</direction>
      <reply-to>WAN_DHCP</reply-to>
      <quick>1</quick>
      <protocol>tcp/udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@172.16.222.30</username>
        <time>1635233713.586</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@172.16.222.30</username>
        <time>1635232485.8618</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
   
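As an added example (not part of the original post or of OPNsense itself), here is a small Python check that reads a config.xml export and verifies that every tagged port forward has a matching outbound LAN rule whose reply-to points at the gateway of the interface the forward came in on. The sample config and the interface-to-gateway mapping are constructed to mirror the rules above; the element paths `nat/rule` and `filter/rule` are those of an OPNsense config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (not a real export): tagged port
# forwards plus the outbound LAN rules that should carry their replies.
SAMPLE_CONFIG = """<opnsense>
  <nat>
    <rule><interface>wan</interface><tag>GUIDO</tag><descr>SSHForwardGuido</descr></rule>
    <rule><interface>opt1</interface><tag>RAMON</tag><descr>SSHForwardRamon</descr></rule>
    <rule><interface>opt1</interface><tag>ORPHAN</tag><descr>NoLanRule</descr></rule>
    <rule><interface>wan</interface><tag/><descr>UntaggedForward</descr></rule>
  </nat>
  <filter>
    <rule><interface>lan</interface><direction>out</direction>
          <tagged>GUIDO</tagged><reply-to>WAN_DHCP</reply-to></rule>
    <rule><interface>lan</interface><direction>out</direction>
          <tagged>RAMON</tagged><reply-to>WAN_DHCP</reply-to></rule>
  </filter>
</opnsense>"""

# Assumed mapping of each WAN-side interface to the gateway its replies must
# use (names match the thread's WAN_DHCP / OPT1_DHCP).
GATEWAY_FOR_INTERFACE = {"wan": "WAN_DHCP", "opt1": "OPT1_DHCP"}


def check_tagged_forwards(xml_text, gateway_for_iface=GATEWAY_FOR_INTERFACE):
    """Return a list of (name, problem) for every port forward whose reply
    path is missing, untagged, or pinned to the wrong gateway."""
    root = ET.fromstring(xml_text)
    # Index outbound LAN filter rules by the tag they match on.
    lan_out = {}
    for r in root.iterfind("./filter/rule"):
        if r.findtext("interface") == "lan" and r.findtext("direction") == "out":
            tag = r.findtext("tagged")
            if tag:
                lan_out.setdefault(tag, []).append(r.findtext("reply-to"))
    findings = []
    for nat in root.iterfind("./nat/rule"):
        tag = nat.findtext("tag")
        if not tag:
            findings.append((nat.findtext("descr"),
                             "port forward is untagged, so no tag-based reply rule can select its gateway"))
            continue
        expected = gateway_for_iface.get(nat.findtext("interface"))
        replies = lan_out.get(tag, [])
        if not replies:
            findings.append((tag, "no outbound LAN rule matches this tag"))
        elif expected not in replies:
            findings.append((tag, f"reply-to is {replies} but {expected} is expected"))
    return findings
```

Run it against a real export after each rule change; an empty list means every forward on the second WAN has a reply path back out of that WAN.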
Title: Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: RalfOE on November 08, 2021, 09:42:13 am
Hi, I have the same issue.
Do I have to make the changes on CLI? Or to edit a backup and restore?
Where did you find that solution?
Thank you for your answer.
Best regards
Ralf
Title: Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: fox-octi on December 28, 2021, 04:15:30 pm
Hi,

the solution was found by testing :)
No Changes by the cli, and no restore was needed.

best regards

Chris
Title: Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: RalfOE on December 28, 2021, 06:01:20 pm
Hi Chris,
thank you for your answer, but I still don't know how and where I can configure this.
 :(
Ralf
Title: Re: Dual Wan and Portforward only working on active WAN (double Nat?)
Post by: RalfOE on December 30, 2021, 08:33:26 am
Thank you Chris for your support.
I think, we found the solution.
I will perform some tests and publish the results - next year ;)
Cheers
Ralf