OPNsense Forum

English Forums => High availability => Topic started by: ajr on July 24, 2025, 08:58:57 PM

Title: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on July 24, 2025, 08:58:57 PM
Responses to outbound IP4 packets on WAN interface (igb1) of HA backup system are blocked.
Either because all private addresses are blocked.
If I allow private addresses on the WAN interface, they are blocked by the state violation rule.

Why is no state created?

Do I need a 2nd NAT rule, because the WAN VIP is not available at the backup firewall?

There is only one outbound NAT rule:
All source addresses are NATed.
Outbound NAT-address is the WAN VIP

igb1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether 00:0d:b9:4f:fd:a1
inet 192.168.178.12 netmask 0xffffff00 broadcast 192.168.178.255
inet 192.168.178.2 netmask 0xffffff00 broadcast 192.168.178.255 vhid 1
inet6 fe80::20d:b9ff:fe4f:fda1%igb1 prefixlen 64 scopeid 0x2
inet6 2003:cb:170c:9700:20d:b9ff:fe4f:fda1 prefixlen 64 autoconf pltime 1799 vltime 7200
inet6 fd77:8819:994b:0:20d:b9ff:fe4f:fda1 prefixlen 64 autoconf pltime 3600 vltime 7200
carp: BACKUP vhid 1 advbase 1 advskew 100
      peer 224.0.0.18 peer6 ff02::12
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


Ping to VDSL-Router (FB) shows:

root@opn2:~ # ping -S 192.168.178.12 192.168.178.1
PING 192.168.178.1 (192.168.178.1) from 192.168.178.12: 56 data bytes
^C

root@opn2:~ # tcpdump -nves 300 -i igb1 icmp
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 300 bytes
18:31:25.136468 00:0d:b9:4f:fd:a1 > cc:ce:1e:b3:75:7f, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 19554, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.178.2 > 192.168.178.1: ICMP echo request, id 17147, seq 0, length 64

root@opn2:~ # tcpdump -nves 300 -i pflog0 icmp
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 300 bytes
18:27:33.276553 rule 200/0(match): block in on igb1: (tos 0x0, ttl 63, id 56317, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.178.2 > 192.168.178.12: ICMP echo reply, id 49522, seq 6, length 64



Why do responses seem to come from the WAN VIP instead of from the FB?

Which rules are needed to allow outgoing IP4 traffic of the backup system?

Current rules related to igb1 attached.

Please advise,
ajr
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: viragomann on July 24, 2025, 09:23:22 PM
What do your outbound NAT rules look like?
Did you override its outbound behavior with a manual rule by any chance?
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on July 25, 2025, 12:06:17 AM
Quote from: viragomann on July 24, 2025, 09:23:22 PM
    What do your outbound NAT rules look like?
See attachment.
Quote
    Did you override its outbound behavior with a manual rule by any chance?
I'm not aware of any.

Do you want to look at my complete rule set (per PM)?

ajr
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on July 26, 2025, 02:29:43 PM
Quote
    Quote from: viragomann on July 24, 2025, 09:23:22 PM
        What do your outbound NAT rules look like?

    See attachment.
I seem to miss the attachment (still struggling with the forum GUI).
Here it comes.

ajr
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on August 17, 2025, 05:53:43 PM
Adding an alias to the WAN interface and using it as default route to the upstream gateway (FB) seems to work:

ifconfig igb1 add alias 192.168.178.110/24
route add default 192.168.178.110 192.168.178.1

ping heise.de
64 bytes from 193.99.144.80: icmp_seq=0 ttl=248

Can this be done in the GUI?

ajr
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on August 17, 2025, 06:21:48 PM
Forget it.
A 2nd default route from another IF address to the same gateway will not be added.

No trick to get the CARP backup device working on the backup system?

ajr
Title: Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: viragomann on August 17, 2025, 06:38:31 PM
You have to NAT outgoing traffic from OPNsense itself (127.0.0.0/8) to the WAN address.

All other traffic from the networks behind it has to be NATed to the WAN VIP.
Title: [RESOLVED] Re: Outbound IP4 traffic blocked on WAN interface of backup system
Post by: ajr on September 07, 2025, 04:42:25 PM
Quote from: viragomann on August 17, 2025, 06:38:31 PM
    You have to NAT outgoing traffic from OPNsense itself (127.0.0.0/8) to the WAN address.

    All other traffic from the networks behind it has to be NATed to the WAN VIP.

Sorry, I did not try your proposal of August 17 carefully.
Packets from the FW itself have the WAN address as source,
so I used that as the filter:

root@opn2:~ # pfctl -s nat
no nat proto carp all
nat on igb1 inet from ! <opn2_igb1_address> to any -> 192.168.178.2 port 1024:65535
nat on igb1 inet from <opn2_igb1_address> to any -> <opn2_igb1_address> port 1024:65535 round-robin
no rdr proto carp all
root@opn2:~ # ping heise.de
PING heise.de (193.99.144.80): 56 data bytes
64 bytes from 193.99.144.80: icmp_seq=0 ttl=249 time=7.748 ms
64 bytes from 193.99.144.80: icmp_seq=1 ttl=249 time=5.823 ms

So it's finally resolved.

Thanks a lot viragomann;
ajr
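An added check, not code from this thread or from OPNsense, that models why the two-rule outbound NAT layout viragomann proposed fixes the backup node. pf evaluates translation rules top to bottom and the first matching rule decides, and while CARP is BACKUP the MASTER answers for the VIP, so any flow the backup sources from itself but translates to 192.168.178.2 never gets its reply back into the backup's own state table. The resolved rule set below is the `pfctl -s nat` output posted above; the single-rule "original" set, the LAN host 10.0.0.5 and the contents of the `<opn2_igb1_address>` table are assumptions made for the simulation, and the CARP semantics are reduced to the state string shown by `ifconfig igb1`.

```python
import ipaddress
import re

# Constructed sample: the `pfctl -s nat` output from the [RESOLVED] post above.
# <opn2_igb1_address> is the address table pf generated for igb1's own address.
RESOLVED_NAT = """\
no nat proto carp all
nat on igb1 inet from ! <opn2_igb1_address> to any -> 192.168.178.2 port 1024:65535
nat on igb1 inet from <opn2_igb1_address> to any -> <opn2_igb1_address> port 1024:65535 round-robin
no rdr proto carp all
"""

# Constructed sample: the single catch-all rule the thread started with.
# The first post only describes it in prose, so this exact form is an assumption.
ORIGINAL_NAT = """\
no nat proto carp all
nat on igb1 inet from any to any -> 192.168.178.2 port 1024:65535
no rdr proto carp all
"""

# Taken from the ifconfig igb1 output in the first post: 192.168.178.12 is the
# interface's real address, 192.168.178.2 is the vhid 1 VIP, and CARP is BACKUP.
WAN_ADDRESS = "192.168.178.12"
WAN_VIP = "192.168.178.2"
CARP_STATE = "BACKUP"
TABLES = {"opn2_igb1_address": [WAN_ADDRESS]}  # assumed table membership

# Only `nat on <if> inet from ... to ... -> ...` lines are modelled. The
# `no nat proto carp` / `no rdr proto carp` lines exempt CARP advertisements,
# which are not unicast flows and are outside this simulation.
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<neg>! )?(?P<src>\S+) to (?P<dst>\S+) -> (?P<target>\S+)"
)
TABLE_RE = re.compile(r"<(\w+)>")


def parse_nat_rules(pfctl_output):
    """Parse `pfctl -s nat` lines into dicts, keeping pf's top-to-bottom order."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _matches(spec, addr, tables):
    """Does address `addr` fall in `spec` ('any', '<table>', a host or a CIDR)?"""
    if spec == "any":
        return True
    m = TABLE_RE.fullmatch(spec)
    nets = tables.get(m.group(1), []) if m else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def translated_source(rules, src, dst, tables):
    """Source address after outbound NAT. pf walks translation rules in order
    and the FIRST matching rule decides (pf.conf(5), TRANSLATION)."""
    for r in rules:
        src_ok = _matches(r["src"], src, tables)
        if r["neg"]:
            src_ok = not src_ok
        if src_ok and _matches(r["dst"], dst, tables):
            m = TABLE_RE.fullmatch(r["target"])
            if m:
                # Translating to a table: pf picks a member (round-robin).
                # The interface-address table has a single member here.
                return tables[m.group(1)][0]
            return r["target"]
    return src  # no rule matched: the packet leaves untranslated


def audit_backup_node(pfctl_output, own_address, vip, carp_state, tables):
    """Findings for an HA node. While CARP is BACKUP the MASTER answers for the
    VIP, so a flow the backup sources from itself but NATs to the VIP has its
    replies delivered to the MASTER and the backup's state never completes."""
    rules = parse_nat_rules(pfctl_output)
    findings = []
    # Constructed probe: the backup pinging its upstream gateway, as in the thread.
    own = translated_source(rules, own_address, "192.168.178.1", tables)
    if carp_state != "MASTER" and own == vip:
        findings.append(
            f"firewall-own traffic from {own_address} is NATed to VIP {vip} "
            f"while CARP is {carp_state}: replies go to the MASTER"
        )
    # Constructed LAN host: forwarded traffic must still use the VIP so that
    # states synced to the other node remain usable after a failover.
    lan = translated_source(rules, "10.0.0.5", "193.99.144.80", tables)
    if lan != vip:
        findings.append(f"forwarded traffic is NATed to {lan} instead of VIP {vip}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL_NAT), ("resolved", RESOLVED_NAT)):
        print(name, audit_backup_node(ruleset, WAN_ADDRESS, WAN_VIP, CARP_STATE, TABLES) or "OK")
```

On a real backup node, paste the output of `pfctl -s nat` and the address and CARP state from `ifconfig igb1` into the constants; an empty findings list means the firewall's own traffic keeps the interface address while forwarded traffic is still sourced from the VIP. In the resolved rule set the two `nat on igb1` rules have complementary source specs (`! <table>` and `<table>`), so their relative order does not matter; with a plain `from any` catch-all, the rule for the firewall's own address would have to come first.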