Hi,
I have the following topology (simplified view):
Internet --- ISP router ---(WAN interface)--- opnSense Firewall ---(LAN interface)--- Router --- ...
|
DMZ
The "Router" is in charge of inter-vlan routing and filtering while the opnsense firewall is among other things, in charge of IDS/IPS.
On opnsense side: the IP of "LAN interface" is configured statically to 10.100.100.1/29. A rule (let's name it "rule_pass") is configured on "LAN interface" to "pass" all traffic having WAN as destination. And NAT is configured to "Automatic outbound NAT rule generation".
On the router's side: IP is configured to 10.100.100.2/29 and traffic allowed to reach the WAN (or DMZ) reaches "LAN interface"
Until now, the "Router" was configured to do SNAT. Everything was working fine except that in opnsense logs the src of all traffic coming from from "LAN interface" is logged with the IP 10.100.100.2, which is not readable nor useful when trying to find culprits. Therefore I wanted to remove SNAT on router side.
The problem is that when I disable SNAT on the router, I cannot access the firewall, nor the internet anymore. Opnsense webui is unreachable, ssh server is unreachable, I cannot ping the firewall anymore, everything seems to be blocked. There is no message in opnsense logs, nor in the logs of "router".
However if I turn on logging on "rule_pass", I see that the traffic coming from the router reaches correctly the firewall as I see now the IPs of all devices which trigger the "rule_pass" rule, including icmp pings, and not "10.100.100.2" anymore.
What am I missing / doing wrong ? Is it a NAT issue ? How can I debug this situation ?
Thank you in advance!
OPNsense needs static routes and outbound NAT rules for the subnets behind "Router", which you have to create manually.
Cheers
Maurice
@Maurice : thank you.
I understand that I have to do the following, is it correct ?
- create a "single" gateway for the "Lan interface" with IP address 10.100.100.2
- For each subnet behind router, create a route to the subnet through the created gateway
- Switch outbound NAT from automatic to hybrid
- add all subnets behind router to an alias "myalias"
- add an outbound NAT rule on interface WAN, with "myalias" as source, "Interface address" as "NAT address" and "static port"
Edit: it works, but is it the most optimal way to do it ?Edit 2: it does not work... :'(Edit: looks lke it works... erratically... will check tomorrow.
Translation target for the outbound NAT rule is "Interface address", static port shouldn't be required. Other than that, sounds good. 👍
Quote from: Maurice on September 21, 2023, 02:17:16 AM
Translation target for the outbound NAT rule is "Interface address", static port shouldn't be required. Other than that, sounds good. 👍
Ok it works thank you, I only have strange issues when adding routes/subnets I have to enable/disable the route to make it work.
Have a nice day!
Adding a static route only saves it to the persistent config. You then have to click "Apply" to update the active routing table.
And yes, this is pretty much the textbook way to do this.
Cheers
Maurice