OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Chrzi on November 01, 2018, 08:37:56 pm

Title: [SOLVED] Routing problems between non-NAT LAN and WAN
Post by: Chrzi on November 01, 2018, 08:37:56 pm
My current problem is that from my LAN I can reach the firewall, and the firewall can reach the internet, but the LAN cannot reach the internet.

I have two public /24 networks. In the end I want to split them into 4 /25 networks, as well as 3 NAT networks.

Current setup is:
- LAN (129.13.170.0/25), allow from LAN Net to *
- LAN_NAT (192.168.1.0/24), allow from LAN_NAT Net to *
- WAN (129.13.170.253/32 with 129.13.170.254 as 'far gateway')

First thing would be to get the LAN to route to the GW. I think I can get NAT to work myself.

Seems like a simple problem, but I just can't get it to work.
Title: Re: Routing problems between non-NAT LAN and WAN
Post by: kyferez on November 01, 2018, 09:51:49 pm
You can't use an out-of-scope Gateway. Gateways have to be within the subnet they are routing for, so the /32 is wrong.
Title: Re: Routing problems between non-NAT LAN and WAN
Post by: Chrzi on November 01, 2018, 10:56:59 pm
With a 'far gateway' that is possible, I think, and if I ping from my firewall to 8.8.8.8 with my WAN (129.13.170.253/32) as source I get a reply.

Next thing: I can't route between a second non-NAT network (129.13.169.0/25) and the first one (129.13.170.0/25).
Title: Re: Routing problems between non-NAT LAN and WAN
Post by: franco on November 02, 2018, 07:00:15 pm
Yes, far gateway works fine on IPv4. IPv6 not, but that is by design. Just FYI.


Cheers,
Franco
Title: Re: Routing problems between non-NAT LAN and WAN
Post by: Chrzi on November 05, 2018, 12:52:01 pm
Yes, the gateway isn't really the problem. I also tried it with the WAN as 129.13.170.253/27; then the 129.13.170.254 default gateway wouldn't be out of scope.

We currently don't use IPv6 at all.

So NAT onto the WAN address works just fine, as well as the communication between the LAN_NAT and the non-NATed LAN.

A quick capture with Wireshark and a ping reveals that ICMP requests from my 169.0/25 LAN leave on the WAN port and a reply to the original IP address comes back.
And this is where the fun begins: the WAN interface seems to discard the packet. I disabled all packet filtering to make sure the firewall isn't doing it, same result. The packets don't even show up in the built-in packet capture; only the outgoing ones are recorded.
Title: Re: Routing problems between non-NAT LAN and WAN
Post by: Chrzi on November 05, 2018, 02:34:17 pm
The answer was a missing Proxy ARP.

The WAN interface did not answer ARP requests for the internal LANs. Adding this under Virtual IPs on the WAN interface made it work.
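Added example (not from the thread or from OPNsense): a small diagnostic that reproduces the two points raised above, the "far gateway" check and the reason replies for the routed LANs were dropped. The prefixes the upstream router treats as directly attached (UPSTREAM_ONLINK) are an assumption, since the thread never states the upstream's netmask; every other address comes from the posts.

```python
import ipaddress
from typing import Dict, List

# Values taken from the thread.
WAN_ADDRESS = "129.13.170.253/32"
FAR_GATEWAY = "129.13.170.254"
ROUTED_LANS = ["129.13.170.0/25", "129.13.169.0/25"]
# Assumption: the upstream router sees these as on-link, so instead of routing
# to the firewall it sends an ARP who-has on the WAN segment for any host in them.
UPSTREAM_ONLINK = ["129.13.170.0/24", "129.13.169.0/24"]


def is_far_gateway(wan_cidr: str, gateway: str) -> bool:
    """True when the default gateway lies outside the WAN interface's own subnet
    (the /32 case in the thread); such a gateway needs 'far gateway' support."""
    return ipaddress.ip_address(gateway) not in ipaddress.ip_interface(wan_cidr).network


def proxy_arp_plan(routed_lans: List[str], upstream_onlink: List[str]) -> Dict[str, List[str]]:
    """Classify each routed LAN by how the upstream will try to reach it.
    Overlapping an on-link prefix means the upstream ARPs for those hosts, so
    return traffic is lost unless the WAN answers with proxy ARP for the LAN.
    Non-overlapping LANs must instead be reached via a static route at the upstream."""
    onlink = [ipaddress.ip_network(p) for p in upstream_onlink]
    plan: Dict[str, List[str]] = {"proxy_arp": [], "static_route": []}
    for lan in routed_lans:
        net = ipaddress.ip_network(lan)
        key = "proxy_arp" if any(net.overlaps(o) for o in onlink) else "static_route"
        plan[key].append(lan)
    return plan


def should_answer_arp(target_ip: str, proxy_arp_nets: List[str]) -> bool:
    """Decide whether an ARP who-has seen on WAN for target_ip must be answered
    by the firewall, given the proxy ARP virtual IPs configured on that interface."""
    target = ipaddress.ip_address(target_ip)
    return any(target in ipaddress.ip_network(n) for n in proxy_arp_nets)


if __name__ == "__main__":
    print("far gateway:", is_far_gateway(WAN_ADDRESS, FAR_GATEWAY))
    plan = proxy_arp_plan(ROUTED_LANS, UPSTREAM_ONLINK)
    print("needs proxy ARP on WAN:", plan["proxy_arp"])
    print("upstream must route:", plan["static_route"])
    # Simulated who-has from the upstream for a host in the second LAN.
    print("answer who-has 129.13.169.10:", should_answer_arp("129.13.169.10", plan["proxy_arp"]))
```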