Hi,
I'm looking to migrate from pfSense to OPNsense.
In my setup I have several public IP addresses and some NAT rules to expose services to the public.
I've manually configured a brand new OPNsense (a 1:1 copy of the pfSense configuration), but when I went to switch the firewall I discovered that "WAN address" gets translated to the interface name instead of the interface IP, which causes the IP address to be evaluated incorrectly.
I'll write down an example scenario to make it easier to understand:
WAN IP: 131.x.x.x.9/32
WAN IP Alias 1: 131.x.x.x.10/32
WAN IP Alias x: [...]
LAN IP: 10.0.0.10/24
Example of a NAT Rule:
Interface: WAN
Proto: TCP
From: any
Destination: WAN Address
Destination port range: 10131
Redirect target ip: 10.0.0.10
Redirect target port: 1991
That rule gets translated to:
- OPNsense:
rdr on vtnet0 inet proto tcp from any to (vtnet0) port = 10131 -> 10.0.0.10 port 1991
- pfSense:
rdr on vtnet0 inet proto tcp from any to 131.x.x.x.9 port = 10131 -> 10.0.0.10 port 1991
Same applies to firewall rules.
Changing the written rule will cause different behaviour:
- OPNsense: The NAT rule will match all WAN IPs (WAN Address and IP aliases)
- pfSense: The NAT rule will match only the WAN Address and not IP aliases.
Has anyone experienced this problem? Am I doing something wrong?
Thanks,
Regards
p.s. I've tried to search on the forum about that issue, but I've found only unanswered threads on older versions.
Quote from: ufoonline on November 28, 2024, 03:45:05 PM
Changing the written rule will cause different behaviour:
- OPNsense: The NAT rule will match all WAN IPs (WAN Address and IP aliases)
- pfSense: The NAT rule will match only the WAN Address and not IP aliases.
Has anyone experienced this problem? Am I doing something wrong?
Not a problem but working as intended. Create a manual alias to reference only a single address.
Different products, different semantics.
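An added check, not part of this thread, that someone migrating can run against the pf rules OPNsense generates (for example the output of `pfctl -sn`, or /tmp/rules.debug; both are assumed here): it flags any rdr or pass rule whose destination is a bare interface token such as `(vtnet0)`, which pf expands to every address on that interface, so a rule meant for one public IP also exposes the service on every IP alias. The sample rules are constructed; the alias name and the TEST-NET address are placeholders.

```shell
# Print every rdr/pass rule whose "to" target is an interface token like "(vtnet0)".
# pf expands "(ifname)" to all addresses currently on that interface (primary + aliases),
# so such a rule is interface-wide rather than bound to one public IP.
# Reads pf rule text on stdin (e.g. "pfctl -sn" output or /tmp/rules.debug on OPNsense).
flag_interface_wide_rules() {
    awk '
        $1 == "rdr" || $1 == "pass" {
            for (i = 1; i < NF; i++) {
                if ($i == "to" && $(i+1) ~ /^\([A-Za-z0-9_.:]+\)$/) {
                    print "interface-wide destination: " $0
                    next
                }
            }
        }'
}

# Constructed sample, not taken from a real firewall:
#  1. the OPNsense-generated rdr rule from the thread (destination = interface token)
#  2. the pfSense-style rule with a literal address (TEST-NET placeholder for 131.x.x.x.9)
#  3. the suggested fix: a manual single-address alias; OPNsense renders aliases as pf
#     tables, so the destination becomes "<alias_name>" (assumed name "WAN_primary_only")
#  4. a matching firewall pass rule, which has the same interface-wide semantics
SAMPLE_RULES='rdr on vtnet0 inet proto tcp from any to (vtnet0) port = 10131 -> 10.0.0.10 port 1991
rdr on vtnet0 inet proto tcp from any to 203.0.113.9 port = 10131 -> 10.0.0.10 port 1991
rdr on vtnet0 inet proto tcp from any to <WAN_primary_only> port = 10131 -> 10.0.0.10 port 1991
pass in on vtnet0 inet proto tcp from any to (vtnet0) port 10131'

# Number of sample rules that are interface-wide (expected: 2, the rdr and the pass rule).
count_flagged() {
    printf '%s\n' "$SAMPLE_RULES" | flag_interface_wide_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | flag_interface_wide_rules
```

On a live OPNsense box, replace the sample with `pfctl -sn | flag_interface_wide_rules` to list the NAT rules that will answer on every WAN alias.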
Thank you for your prompt reply.
I hadn't actually checked the manual (where it is clearly specified), but the use of the word in the singular can easily mislead ;)
Perhaps it would be a good idea to rename it to 'WAN Addresses'.
As usual, when you think something is trivial and should not be checked, Murphy is always there, just around the corner ;D 8)