OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Zofoor on December 01, 2018, 02:47:59 pm

Title: (SOLVED) Problem with NAT configuration on virtual OPNsense
Post by: Zofoor on December 01, 2018, 02:47:59 pm
Hi all!
I'm new to OPNsense, and I am trying to make a network change to use it. Hope that somebody can give me a good hint to fix this issue, so that I can start using OPNsense...!

I have this network structure:
INTERNET - ROUTER (192.168.178.1, a Fritz!Box) - OPNsense (192.168.178.3) (virtual host inside a FreeNAS server, bound to a NIC with IP 192.168.178.2) - LAN (192.168.91.0/24).

I am trying to configure some NAT rules, for example a NAT from WAN port 443 to 192.168.91.216 port 443.

On the router I add the needed NAT rule, WAN port 443 to 192.168.178.3 (that is the WAN of the OPNsense virtual host).

Then, on OPNsense I add another new NAT from WAN of OPNsense to the final host 192.168.91.216
(https://i.ibb.co/vxnLJzm/image.png) (https://ibb.co/tMrYbCc)
and this creates automatically a new firewall rule (in Firewall: Rules: WAN):
(https://i.ibb.co/tptrPRM/image.png) (https://ibb.co/CKZGsL5).

Looking at the live-view of the log, I get
(https://i.ibb.co/wBnrNYs/image.png).

So, seems all OK but the page is not loading.

If I change the rule on the router to point to another bare-metal firewall box (a Draytek router, with the NAT configured in the same way) then it works. So this means that the problem is not on the first router. The final host has its firewall disabled, to avoid troubles on the end point.

So I think that the problems could be:
- something is configured wrong on the FreeNAS server and this does not make OPNsense work properly. Seems strange to me because there aren't many things to configure there.
- there is something configured wrong on OPNsense that does not make it work, perhaps an option that I didn't care about but is needed. Perhaps the problem is that the WAN interface of OPNsense is a private IP?

Any hint? :)

Title: Re: Problem with NAT configuration on virtual OPNsense
Post by: Zofoor on December 01, 2018, 03:06:26 pm
I add a little info that I have found, but could help.

If, from a computer on the LAN behind OPNsense, I go to https://192.168.178.3/ (that is the WAN IP of OPNsense), then it works.

EDIT:
from a phone connected to the Wifi of the router (192.168.178.1) I cannot access https://192.168.178.3/.

So seems that the NAT rule works only if the connection comes from the LAN interface of OPNsense, but does not work if it comes from the WAN interface.

(https://i.ibb.co/rQ6bTDL/image.png) (https://ibb.co/PrhT3qb)
From the log I see an error for 192.168.178.2, that is the IP of the real NIC that is bridged with the OPNsense WAN. So I think that these "red" messages are the problem, but I'm not sure how to fix them.

Title: Re: Problem with NAT configuration on virtual OPNsense
Post by: Zofoor on December 01, 2018, 05:31:21 pm
So many troubles, but in the end I got the hint on my own.

The problem here was not with the NAT, but with the default gateway of the HTTPS server.
As I was moving from one network configuration (internet - draytek router - lan) to a new one, I still had the old router connected while I was configuring the new OPNsense.

This was to reduce the troubles and give me the time to configure everything without too many troubles.
The HTTPS request was correctly forwarded, but then the HTTPS server was trying to reply using another gateway.

Updating the gateway of the web-server has fixed the issue :)
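
Added example, not part of the forum posts: a small return-path check for the situation resolved above, where a port forward delivers the request but the server replies through a different default gateway than the firewall that did the NAT. The OPNsense LAN address, the old router's LAN address and the two client addresses are constructed for illustration; only the 192.168.91.0/24 LAN comes from the thread.

```python
import ipaddress

def reply_next_hop(routes, client_ip):
    """Longest-prefix match over (prefix, gateway) pairs.
    Returns the gateway used to reach client_ip; None means on-link."""
    dst = ipaddress.ip_address(client_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {client_ip}")
    return best[1]

def return_path_ok(routes, client_ip, nat_firewall_lan_ip):
    """True when replies to client_ip leave through the firewall that did the
    port forward, so it can match them to its NAT state and translate back."""
    return reply_next_hop(routes, client_ip) == nat_firewall_lan_ip

# Constructed addresses (assumptions, not taken from the thread).
OPNSENSE_LAN = "192.168.91.1"      # hypothetical LAN address of OPNsense
OLD_ROUTER_LAN = "192.168.91.254"  # hypothetical LAN address of the old router
CLIENTS = ["192.168.178.50",       # e.g. a device on the upstream router's Wi-Fi
           "203.0.113.10"]         # documentation-range "internet" client

def server_routes(default_gw):
    """Routing table of the web server: its own LAN plus a default route."""
    return [("192.168.91.0/24", None), ("0.0.0.0/0", default_gw)]

def report(default_gw):
    """Map each client to whether its replies return via OPNsense."""
    routes = server_routes(default_gw)
    return {c: return_path_ok(routes, c, OPNSENSE_LAN) for c in CLIENTS}

if __name__ == "__main__":
    for label, gw in (("old gateway", OLD_ROUTER_LAN), ("fixed gateway", OPNSENSE_LAN)):
        for client, ok in report(gw).items():
            state = "symmetric" if ok else "ASYMMETRIC: reply bypasses the NAT firewall"
            print(f"{label:13} client {client:15} -> {state}")
```

On a real host the same question is answered by comparing the server's default route with the LAN address of the firewall that holds the port forward.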