OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: danderson on June 18, 2024, 11:36:18 PM

Title: 24.1.9 NAT Reflection
Post by: danderson on June 18, 2024, 11:36:18 PM
Since the 24.1.9 update, reflection for 1:1 NAT seems not to be working. Previously my internal clients hitting the NAT address would get the correct server; now they are landing on the firewall, i.e. HTTPS lands on the OPNsense login page instead of the box that I want, which was working previously.

It is the 1:1 NAT rules that I'm having issues with since the upgrade.
Title: Re: 24.1.9 NAT Reflection
Post by: wirehire on June 19, 2024, 09:48:59 AM
After the update to 24.1.9, 1:1 NAT outbound was not working anymore; the outbound rule over a specific IP was deleted.
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 19, 2024, 10:46:50 AM
How did you get this working again? Help very much appreciated :)
Title: Re: 24.1.9 NAT Reflection
Post by: wirehire on June 19, 2024, 10:49:39 AM
Do you mean me? I recovered the rules for the outbound NAT from a backup config file.
Title: Re: 24.1.9 NAT Reflection
Post by: ProximusAl on June 19, 2024, 10:52:09 AM
Probably something to do with this:

o firewall: migrate one-to-one NAT to MVC/API
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 19, 2024, 10:54:24 AM
Yes, I also think exactly that this is the cause.
I also started a topic in the German forum. I restored a snapshot of my OPNsense (it runs within Proxmox).
I'm just curious what new rule is needed to get it working again with the new version.

see: https://forum.opnsense.org/index.php?topic=41119.0
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 10:56:37 AM
Thanks, we will take a look now.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 19, 2024, 10:58:49 AM
Thanks for investigating Franco. I will wait with any further update :)
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 11:14:36 AM
Can someone with snapshot capability give me a diff of the good 24.1.8 and bad 24.1.9 file /tmp/rules.debug ?

# diff -u old.file new.file


Thanks,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: Monviech (Cedrik) on June 19, 2024, 12:05:46 PM
This is most likely only a problem when using the automatic reflection options. When configuring manual NAT reflection for everything, I would assume that the setup should remain unaffected.

Example:

https://docs.opnsense.org/manual/how-tos/nat_reflection.html#one-to-one-nat-reflection

If something has changed here with the new update, please ping me too so I can adjust this tutorial.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 01:57:50 PM
To me it looks like the "NAT reflection" for each rule got lost in the migration, so editing the rule to enable it should bring it back?

If that's the case we can't bring the lost setting back with a patch, but we can prevent this from happening to anyone else still on a version below 24.1.9.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 02:22:52 PM
I'll hotfix this later today.

https://github.com/opnsense/core/commit/324f5351

(no use applying this one, just for reference)
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 02:45:48 PM
Hmm, more importantly this was omitted from the dialog...

https://github.com/opnsense/core/commit/bde656669

# opnsense-patch bde656669

In order to set it back to what it was supposed to do.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: danderson on June 19, 2024, 04:14:29 PM
Can confirm this fixed my 1:1 NAT reflection issues.

Quote from: franco on June 19, 2024, 02:45:48 PM
Hmm, more importantly this was omitted from the dialog...

https://github.com/opnsense/core/commit/bde656669

# opnsense-patch bde656669

In order to set it back to what it was supposed to do.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 04:16:59 PM
Neat, thanks for confirming!
Title: Re: 24.1.9 NAT Reflection
Post by: wirehire on June 19, 2024, 05:10:47 PM
Is this the same problem, which is why my 1:1 NAT outbound was deleted? Only the rule for the 1:1 was deleted; the other NAT outbound rules were not deleted.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 06:05:18 PM
No. And without the rule content it's impossible to say. Best to see what was in your backup WRT "onetoone" contents.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 19, 2024, 07:32:01 PM
Quick feedback, because I tried the hotfix:

After applying the update I again had the problem that IPv4 was not reachable.
I saw that under 1:1 NAT the destination of my entry was not "any" anymore and was filled with the same IP as in source (which was also set before and is correct). This is not correct; the update set the wrong value for destination, which wasn't present before.
Additionally there is also a display error.
The external IP address is not shown in the overview of the 1:1 NAT rules. You only see it when you click the edit button of the corresponding 1:1 NAT rule.

In my opinion, the update should not change the destination value from "any" to the same IP address as in source. And the external IP address should also be shown in the 1:1 NAT overview.

At the moment I don't know if the hotfix really helped in my case. Maybe I could have reached the same result without the hotfix if I had changed the settings to the correct values beforehand. But this is speculation.

I just wanted to give you the feedback that the hotfix didn't solve anything without touching anything.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 07:37:18 PM
Sounds like a different issue. Since we started with "NAT Reflection" this is what I focused on.

If you can let me have the System: Configuration: History diff block for the migration I'll check out the issue you just mentioned. Best via franco AT opnsense DOT org

Quote from: franco on June 19, 2024, 11:14:36 AM
Can someone with snapshot capability give me a diff of the good 24.1.8 and bad 24.1.9 file /tmp/rules.debug ?

# diff -u old.file new.file

Just to plug this again... if someone wants to chime in because so far nobody did. It's hard to fix issues that are not properly traced.


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 19, 2024, 08:00:59 PM
Hey Franco,

I just sent two diffs to the mail address you provided.
Sorry, I was working during the day and I thought you had already found the issue because you provided the hotfix. This was the reason why I didn't send them to you.

I hope you find the reason.

I think it is this:

New:
<destination_net>any</destination_net>
Old:
-      <destination>
-        <any>1</any>

The syntax changed.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 19, 2024, 08:09:12 PM
Apparently it's a badly placed typo:

https://github.com/opnsense/core/commit/6cbd3ca15

I'll try to hotfix this and the external target column in the listing as well.



Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 20, 2024, 09:58:06 AM
After intense testing with Franco I can confirm that everything works with hotfix 24.1.9_3.
Title: Re: 24.1.9 NAT Reflection
Post by: smema79 on June 20, 2024, 11:13:37 AM
Hello

I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.
Basically, 'Internal' and 'Destination' were showing the same thing.

I did the update from 24.1.8.

I manually edited the entries with the correct destinations.
Regards
Title: Re: 24.1.9 NAT Reflection
Post by: groove21 on June 20, 2024, 11:20:01 AM
Quote from: smema79 on June 20, 2024, 11:13:37 AM
Hello

I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.
Basically, 'Internal' and 'Destination' were bearing the same thing.

I did the update from 24.1.8

I manually edited the entries with the correct destinations.
Regards

I did the same this morning and cannot confirm this behaviour with 24.1.9_3.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on June 20, 2024, 11:34:16 AM
Quote from: smema79 on June 20, 2024, 11:13:37 AM
I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.

Yes, this is expected when having landed in 24.1.9 or 24.1.9_1 unfortunately. 24.1.9_3 is out now and that works (coming from below 24.1.9).


Cheers,
Franco
Title: Re: 24.1.9 NAT Reflection
Post by: Steve on June 25, 2024, 03:49:32 PM
Just upgraded from 24.1.8 to 24.1.9_4, and my 1:1 NAT config didn't migrate.

--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1719321616.8927.xml 2024-06-25 09:20:16.898912000 -0400
@@ -804,19 +804,6 @@
         </created>
       </rule>
     </outbound>
-    <onetoone>
-      <disabled/>
-      <external>**externalVIP**</external>
-      <descr/>
-      <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
-      <source>
-        <address>**internalIP**</address>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </onetoone>
   </nat>
   <filter>
     <rule uuid="fca06965-4caf-41e4-992a-166d5b00e036">
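Review bot: the whole `<onetoone>` block is deleted rather than converted, and the only fields in it that the migration could have tripped over are the presence-only booleans `<disabled/>` and `<any/>` (empty elements, no "1" value). The migration should treat an empty element as a set flag, or at least refuse to remove a rule it could not parse, instead of silently dropping it; a count of legacy rules before versus migrated rules after would have caught this.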
@@ -2156,8 +2143,8 @@
   </widgets>
   <revision>
     <username>(system)</username>
-    <description>/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php made changes</description>
-    <time>1716803141.3662</time>
+    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+    <time>1719321616.8927</time>
   </revision>
   <OPNsense>
     <IPsec version="1.0.1">
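Review bot: the revision record pins the deletion to `/usr/local/opnsense/mvc/script/run_migrations.php` rather than a manual edit, so the `config-1716803141.3662.xml` backup on the `---` side is the last pre-migration state worth keeping until the rule is restored.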
@@ -2383,10 +2370,11 @@
       <Category version="1.0.0">
         <categories/>
       </Category>
-      <Filter version="1.0.3">
+      <Filter version="1.0.4">
         <rules/>
         <snatrules/>
         <npt/>
+        <onetoone/>
       </Filter>
     </Firewall>
     <Netflow version="1.0.1">
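Review bot: `<Filter version="1.0.3">` is bumped to `1.0.4` and an empty `<onetoone/>` container is written, so the migration recorded itself as complete while carrying zero rules; re-running migrations will not pick the legacy rule up again, which is why the version bump should only be committed once the legacy `nat/onetoone` entries have actually been converted.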
Title: Re: 24.1.9 NAT Reflection
Post by: Steve on July 09, 2024, 05:55:12 PM
Found my issue: the onetoone stanza in my config.xml was still in pfSense format from when I migrated last year. I toggled the disable box and saved, which made these changes:
--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1720538699.8016.xml 2024-07-09 11:24:59.854129000 -0400
@@ -805,16 +805,17 @@
       </rule>
     </outbound>
     <onetoone>
-      <disabled/>
       <external>**externalVIP**</external>
+      <category/>
       <descr/>
       <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
+      <type>binat</type>
+      <disabled>1</disabled>
       <source>
         <address>**internalIP**</address>
       </source>
       <destination>
-        <any/>
+        <any>1</any>
       </destination>
     </onetoone>
   </nat>
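Review bot: the save rewrites the presence-only flags to explicit values (`<disabled/>` to `<disabled>1</disabled>`, `<any/>` to `<any>1</any>`) and adds `<type>binat</type>` and `<category/>`, but it also drops `<ipprotocol>inet</ipprotocol>`; since the rule is saved as still disabled, it has to be re-enabled after the upgrade before 1:1 reflection can be retested.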

Now that my onetoone config is in OPNsense format, the upgrade from 24.1.8 to 24.1.9_4 migrated the config successfully.
Title: Re: 24.1.9 NAT Reflection
Post by: franco on July 10, 2024, 08:32:33 AM
Hi Steve,

Ah ok, that makes sense. The older code sometimes used empty XML strings as "true" values, but our code moved to explicit "0"/"1" where we made considerable changes to the data model.

An empty string evaluated in PHP with empty("") actually is "false", so that's why that was made.


Cheers,
Franco
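The two failure modes discussed in this thread, a legacy pfSense-style `<onetoone>` stanza with presence-only booleans (Steve's diffs) and a migrated rule whose destination ended up equal to its source (groove21 and smema79), can be checked for in a config.xml backup before and after upgrading. This is an added example, written in Python rather than OPNsense's PHP, not code from the OPNsense project; it assumes the `nat/onetoone` layout shown in the diffs above and uses a constructed sample config.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment: rule 1 is legacy pfSense-style (empty
# tags as "true"), rule 2 is OPNsense-style, rule 3 has destination == source.
SAMPLE_CONFIG = """<opnsense><nat>
  <onetoone>
    <disabled/><external>203.0.113.10</external>
    <source><address>192.168.1.10</address></source><destination><any/></destination>
  </onetoone>
  <onetoone>
    <external>203.0.113.11</external><type>binat</type><disabled>1</disabled>
    <source><address>192.168.1.11</address></source><destination><any>1</any></destination>
  </onetoone>
  <onetoone>
    <external>203.0.113.12</external>
    <source><address>192.168.1.12</address></source><destination><address>192.168.1.12</address></destination>
  </onetoone>
</nat></opnsense>"""

# Flags the legacy format expressed only by the presence of an empty element.
PRESENCE_FLAGS = ("disabled", "source/any", "destination/any")

def legacy_flags(rule):
    """Paths of flags present as empty tags, i.e. legacy 'true' values."""
    return [p for p in PRESENCE_FLAGS
            if (el := rule.find(p)) is not None and not (el.text or "").strip()]

def audit(xml_text):
    """Per 1:1 rule: (external address, list of problems found)."""
    report = []
    for rule in ET.fromstring(xml_text).findall("./nat/onetoone"):
        issues = []
        if legacy_flags(rule):
            issues.append("legacy-empty-flags")  # migration may drop this rule
        src = rule.findtext("source/address")
        dst = rule.findtext("destination/address")
        if dst is not None and dst == src:
            issues.append("destination-equals-source")  # should be 'any'
        report.append((rule.findtext("external"), issues))
    return report

def normalize_config(xml_text):
    """Rewrite empty presence flags to an explicit '1'; return (count, new xml)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for rule in root.findall("./nat/onetoone"):
        for path in legacy_flags(rule):
            rule.find(path).text = "1"
            changed += 1
    return changed, ET.tostring(root, encoding="unicode")
```

Run `audit()` over a pre-upgrade backup to find stanzas the migration would not understand, and again afterwards to spot rules whose destination was rewritten; `normalize_config()` produces the explicit "0"/"1" form, which is what toggling and saving the rule in the GUI did in Steve's case.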