OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: Voix on October 18, 2024, 06:50:56 PM

Title: Source IP is always changing to OPNSense's interface
Post by: Voix on October 18, 2024, 06:50:56 PM
Hi all,

I have OPNsense v.24.7.6 with Internet, LAN and DMZ (with VLAN) interfaces.
LAN IP: 10.1.1.0/24
DMZ IP: 10.1.2.0/24

When I reach the server in the DMZ over ssh and issue the "w" command, it shows the address of the router's DMZ interface (10.1.2.1), but not my computer's IP.

At the same time I have no NAT between these interfaces.
"Firewall: NAT: Outbound" is set to Hybrid outbound NAT, but there are only rules for the Internet interface.

Could you please advise what could be the reason for the issue?
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Patrick M. Hausen on October 18, 2024, 06:52:19 PM
Do you have a gateway set on the DMZ interface? That would (IIRC) lead OPNsense to configure outbound NAT if automatic or hybrid is active.
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Voix on October 18, 2024, 06:55:22 PM
No, GWs are only on the Internet and tailscale interfaces.
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Patrick M. Hausen on October 18, 2024, 07:01:32 PM
You can use

pfctl -s nat

to check what is actually in effect.
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Voix on October 18, 2024, 07:11:45 PM
vlan5 - Vlan on DMZ
vlan10 - To ISP (different port)
igc0 - LAN


# pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on tailscale0 inet from <SiteAnet> to any -> (tailscale0:0) port 1024:65535
nat on vlan0.10 inet from <ocserv_clients> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from <SiteBnet> to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (igc0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (lo0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (wg0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (vlan05:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from 127.0.0.0/8 to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (igc0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (lo0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (wg0:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from (vlan05:network) to any -> (vlan0.10:0) port 1024:65535
nat on vlan0.10 inet from 127.0.0.0/8 to any -> (vlan0.10:0) port 1024:65535
no rdr proto carp all
no rdr on igc0 proto tcp from any to (igc0) port = ssh
no rdr on igc0 proto tcp from any to (igc0) port = http
no rdr on igc0 proto tcp from any to (igc0) port = https
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all


I can't see anything fishy here
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Patrick M. Hausen on October 18, 2024, 07:14:24 PM
I don't know miniupnpd, honestly - try to disable it?
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Voix on October 18, 2024, 07:24:36 PM
Did it, the lines disappeared from the output above, but it didn't help: I still see the RTR's IP in 'w'
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Patrick M. Hausen on October 18, 2024, 07:25:47 PM
tcpdump the connection on both interfaces and watch what happens. :)
Title: Re: Source IP is always changing to OPNSense's interface
Post by: Voix on October 18, 2024, 07:39:54 PM
Thank you!

It actually helped to find the issue.
The problem was not in the OPNSense at all :)
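
Added example, not part of the thread or of OPNsense: a small sh/awk helper that reduces `pfctl -s nat` output to "which interfaces actually rewrite the source address", the check being done by eye on the output posted earlier. The function names are made up for this example, and `vlan05` is assumed to be the DMZ VLAN because that is the name the posted output uses for that network.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `pfctl -s nat` per interface.
# On the firewall:  pfctl -s nat | nat_ifaces

# Shared awk helpers. xlate(): line is a translating nat/binat rule ("no nat",
# rdr and *-anchor lines never rewrite a source address). iface(): interface
# the rule is bound to, or "*" when the rule has no "on" and applies everywhere.
PF_AWK='function xlate() { return ($1 == "nat" || $1 == "binat") && /->/ }
function iface(   i) { for (i = 2; i < NF; i++) if ($i == "on") return $(i + 1); return "*" }'

# List "interface rule-count" for every interface that has source NAT.
nat_ifaces() {
    awk "$PF_AWK"'
        xlate() { n[iface()]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Print the source-NAT rules that apply on interface $1; status 1 if none.
nat_rules_on() {
    awk -v ifc="$1" "$PF_AWK"'
        xlate() && (iface() == ifc || iface() == "*") { print; hit = 1 }
        END { exit !hit }'
}

# Name the nat/binat anchors. Rules inside an anchor are not listed by
# `pfctl -s nat`; inspect them with `pfctl -a <anchor> -s nat`.
nat_anchors() {
    awk '$1 ~ /^(nat|binat)-anchor$/ { gsub(/"/, "", $2); print $2 }' | sort -u
}

# Excerpt of the output posted in the thread, embedded so this runs offline.
sample_nat_output() {
    cat <<'EOF'
nat-anchor "miniupnpd" all
no nat proto carp all
nat on tailscale0 inet from <SiteAnet> to any -> (tailscale0:0) port 1024:65535
nat on vlan0.10 inet from (igc0:network) to any port = isakmp -> (vlan0.10:0) static-port
nat on vlan0.10 inet from (vlan05:network) to any -> (vlan0.10:0) port 1024:65535
no rdr on igc0 proto tcp from any to (igc0) port = ssh
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all
EOF
}

sample_nat_output | nat_ifaces
sample_nat_output | nat_rules_on vlan05 || echo "no source NAT on vlan05"
sample_nat_output | nat_anchors
```

On the excerpt, only `tailscale0` and `vlan0.10` carry translating rules and nothing is bound to `vlan05`, which matches the thread's conclusion that the firewall's NAT rules were not rewriting LAN-to-DMZ traffic.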