Print Page - Routing while NAT port forwarding [Solved]

Title: Routing while NAT port forwarding [Solved]
Post by: Saarbremer on October 31, 2023, 05:04:37 PM

Hi,

I have an issue understanding something, however I must admit that my expectations might be wrong.

Test setup is:

OPNSense Box 1 (Router 1) has LAN 10.0.1.1/24, WAN is public ISP provided, static IP
OPNSense Box 2 (Router 2) has WAN 10.0.1.99 and LAN 10.0.64.1/24. Router2's WAN is in fact connected to the router 1's LAN network.
Router 1 does not know about 10.0.64.0/24, no route to that network configured.
Router 2 is configured statically on WAN and LAN, no DHCP Client involved on WAN. Configured 10.0.1.1 as default upstream gateway. Router 2 uses outbound NAT.

My Expectation 1: [passed]
TCP to public internet or services in Router 1's LAN are successful from Router 2's LAN. OPNsense outputs traffic to Router 1's LAN without the gatway via layer 2

My Expectation 2: [failed]
I can enable port forwarding on Router 2 to allow services from behind Router 2 to be exposed to Router 1's LAN.

So, I created a port forwarding and allowed an associated firewall rule. Observation: No access to exposed service via forwarded port from clients in Router 1's LAN 10.0.1.0/24.

Observing the live view in both OPNsenses it turned out that

first the client in 10.0.1.0/24 connects to the forwarded port and the traffic is forwarded correctly.
answers are sent to the default GW of Router 2, i.e. Router 1 which issues a state rule violation in live traffic view
After disabling the default GW, it works as expected, traffic goes directly back to the client via layer 2

I would have thought that the default GW should not be part of the equation no matter if I just use outbound NAT or port forwarding. The destination IP is in the WAN networks range and should not require a gateway. Did I miss something?

Title: Re: Routing while NAT port forwarding
Post by: Saarbremer on October 31, 2023, 05:06:29 PM

After additional digging I find the reason:

The IPv4 Upstream Gateway setting on the WAN interface page was set to the actual gateway instead of "Auto-Detect". Selecting Auto-Detect covered my use case completely.

Sorry for bothering.

Title: Re: Routing while NAT port forwarding [Solved]
Post by: Monviech (Cedrik) on October 31, 2023, 05:09:56 PM

That's because as soon as a gateway is set there is a reply-to created that forces all traffic to return to the IP of the default gateway.

https://forum.opnsense.org/index.php?topic=36406.0

Title: Re: Routing while NAT port forwarding [Solved]
Post by: WilliDriver on February 10, 2024, 10:22:09 PM

This was an accidental post, and i can't figure out how to delete it. I'm terribly sorry

OPNsense Forum

English Forums => General Discussion => Topic started by: Saarbremer on October 31, 2023, 05:04:37 PM