OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Cerberus on January 23, 2019, 04:00:03 pm

Title: Outbound Nat Broken in 19.1R1/2 ?
Post by: Cerberus on January 23, 2019, 04:00:03 pm
Hi,

I am currently trying to do an outbound NAT for several internal machines to a ZeroTier-based network on my OPNsense machine. I have trouble selecting the subnet size on "source address" or "destination address" when I select "single host or network": the subnet mask dropdown is just empty. On 18.7 I am able to select the subnet size for the network I entered.

I am trying to use an alias as an alternative, but the result is that the outbound rule is not working. In rules.debug I see "unable to convert address, see to for details" for this rule.
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: franco on January 23, 2019, 04:40:20 pm
Hi there,

Thanks a lot, created a ticket: https://github.com/opnsense/core/issues/3148

Could be that the upgrade of the bootstrap select JS code caused this.


Cheers,
Franco
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: franco on January 23, 2019, 10:35:58 pm
https://github.com/opnsense/core/commit/2af9202d64

# opnsense-patch 2af9202d64

Patch will be part of the final 19.1. There's still a layout issue here, but we'll have to fix this after 19.1 is out.


Thanks,
Franco
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: Cerberus on January 24, 2019, 09:39:59 am
Hi,

I modified opnsense_legacy.js locally and the GUI stuff works as expected, but my problem still persists. My goal is to let one of my local networks reach hosts that sit in a ZeroTier network; I want to use NAT so that all internal addresses get translated by the OPNsense ZeroTier address.

In the debug rule I found this error:

#debug: Unable to convert address, see to for details
# nat on ztXXXXXXX inet from xx.xx.xx.xx/20 to {"address":"opt1"} -> (ztXXXXXXX:0) port 1024:65535

The rule does not work.

I am almost sure I did the same on my old 18.7, with the difference that I used "lan" as source; this time it's a specific network.
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: franco on January 24, 2019, 10:09:09 am
Define "18.7". 18.7.10 or something earlier? Assuming "opt1" is ZT, I'm not sure this ever worked.

From what I can see we started fixing the /20 selection here, so that's two separate issues, no? (just to clarify)


Cheers,
Franco
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: Cerberus on January 24, 2019, 10:27:23 am
I mean 18.7.10.

I restored my old appliance and, comparing the settings, I found the difference.

Example:
Local LAN : 10.1.0.0/20
Zerotier Net: 10.2.1.0/24
Interface: ZT123

In 18.7.10 I configured it as:

Interface: ZT123
Source address: Single Host or Network > 10.1.0.0/20
Destination address: Single Host or Network > 10.2.1.0/24
Translation Target: ZT123 address

In 19.1 I did:
Interface: ZT123
Source address: Single Host or Network > 10.1.0.0/20
Destination address: "ZT123 Network"
Translation Target: ZT123 address

I think "ZT123 Network" from the dropdown should be as good as typing in the Network/Mask myself?
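For reference, here is the pf rule the working 18.7.10 configuration above corresponds to, written out as an added example (not text from the thread and not OPNsense's generated rules.debug); the interface name ZT123 and the addresses are taken from the post, and the OS-level interface name is assumed to be the ztXXXXXXX placeholder shown earlier in the thread:

```pf
# Outbound NAT from the local LAN to the ZeroTier network, hiding internal
# hosts behind the address of the ZT123 interface (example, not generated output).
# Both networks typed explicitly, as in the 18.7.10 configuration:
nat on ztXXXXXXX inet from 10.1.0.0/20 to 10.2.1.0/24 -> (ztXXXXXXX:0) port 1024:65535

# What 19.1 emitted when "ZT123 Network" was chosen as destination (quoted in
# the thread): the interface network was not resolved, the raw field value
# leaked into the rule, and pf rejects it:
#   nat on ztXXXXXXX inet from xx.xx.xx.xx/20 to {"address":"opt1"} -> (ztXXXXXXX:0) port 1024:65535

# In native pf syntax the "interface network" shorthand is the :network
# modifier; on a NIC it resolves to the same 10.2.1.0/24 typed above:
#   nat on ztXXXXXXX inet from 10.1.0.0/20 to (ztXXXXXXX:network) -> (ztXXXXXXX:0) port 1024:65535
```

A quick way to tell a rendering problem from a pf problem is to syntax-check the generated file without loading it: pfctl -nf /tmp/rules.debug reports the offending line, which is how the "unable to convert address" rule above shows up.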
Title: Re: Outbound Nat Broken in 19.1R1/2 ?
Post by: franco on January 25, 2019, 11:10:32 pm
It should be the same, but that doesn't seem to be the case for tun/tap devices here (which e.g. ZeroTier and OpenVPN use). Normal interfaces on top of NICs, VLANs etc. are OK.

A ticket in GitHub would be helpful to look into it in the mid term.


Thanks,
Franco