OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: emilicus on December 29, 2015, 05:50:46 pm

Title: [SOLVED] NAT doesn't work
Post by: emilicus on December 29, 2015, 05:50:46 pm
Hello all,
I just installed the latest version of OPNsense on a Xen host.

I just replaced a pfSense installation with the new OPNsense one.

Internet browsing is OK, OpenVPN access to my LAN from the internet is OK, so the base setup must be OK.

What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried all the combinations of Source/Destination interfaces I can think of, but without results.

The firewall logs say the traffic is permitted (pass), but after this step, nothing... so something must be wrong in the NAT rule, at least I think...

Could someone post a step-by-step howto for setting up a very simple firewall/NAT rule?
i.e. to open an HTTPS port from WAN to a single address on LAN?

Sorry for this stupid question.

Many thanks
Title: Re: NAT doesn't work
Post by: fraenki on December 29, 2015, 11:16:16 pm
Hi emilicus,

Quote
What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried all the combinations of Source/Destination interfaces I can think of, but without results.

you said that browsing and OpenVPN access is working, so NAT seems not totally broken to me.
Maybe you could post some screenshot(s) of the NAT/firewall rules you've created that aren't working. I'm not really sure that I understand what you want to achieve; maybe you could add some details to your problem description (and a full example).

FWIW, in such situations I tend to use some tcpdump on OPNsense to see where the packets get stuck, i.e.
Code:
tcpdump -i em0_vlan123 -s 1500 -n -X host 10.1.2.3 and port 80

where em0_vlan123 is the interface (you'll likely check more than one interface) and 10.1.2.3 is the destination host and port accordingly.

Regards
- Frank
Title: Re: NAT doesn't work
Post by: 8191 on December 29, 2015, 11:21:48 pm




Quote
What puzzles me is the NAT rules. I cannot get them to work at all. The rules are very basic and I've already tried all the combinations of Source/Destination interfaces I can think of, but without results.

you said that browsing and OpenVPN access is working, so NAT seems not totally broken to me.

Do you browse the web using a private IPv4 address, or using IPv6?
Title: Re: NAT doesn't work
Post by: cdburgess75 on December 30, 2015, 02:13:42 am
I have found that before and beat it to death. I found the answer finally. It's only XenServer (maybe Xen too). Common FreeBSD 10 and above issue. I found the exact same thing in pfSense. Here is a thread that explains more. I switched hypervisors due to this. Works on others (VMware/Hyper-V/VirtualBox etc.).

https://forum.pfsense.org/index.php?topic=88467.0
Title: Re: NAT doesn't work
Post by: emilicus on December 30, 2015, 09:04:28 am
Thank you very much cdburgess75.
I'll try the topic you've posted and eventually I'll report back to the list.
Title: Re: NAT doesn't work - SOLVED
Post by: emilicus on December 30, 2015, 06:07:21 pm
Hello, I would like to report that after disabling checksum on both the OPNsense domU and the OPNsense VIFs, the issue was SOLVED.

The FreeBSD checksum bug seems to have been solved a month ago, so I hope to see the patches applied in the next release of OPNsense.

Thanks to all for the support
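
Added example, not part of any post in this thread: the symptom reported above (the firewall log shows pass, then nothing arrives) is what a forwarded packet with an invalid TCP checksum looks like, because the destination host discards it silently. The Python below builds a constructed SYN packet (documentation addresses, hypothetical helper names), applies a port-forward style destination rewrite, and verifies the TCP checksum with and without recomputation. Leaving the checksum stale after the rewrite is a simplifying assumption to illustrate the failure, not a description of the Xen bug's internals.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_sum(pkt: bytes) -> int:
    """Sum over pseudo-header + TCP segment; 0xFFFF means the checksum verifies."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    return csum16(pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def tcp_checksum_ok(pkt: bytes) -> bool:
    return tcp_sum(pkt) == 0xFFFF

def fill_checksums(pkt: bytes) -> bytes:
    """Zero and recompute the IPv4 header checksum and the TCP checksum."""
    p = bytearray(pkt)
    ihl = (p[0] & 0x0F) * 4
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", 0xFFFF ^ csum16(bytes(p[:ihl])))
    p[ihl + 16:ihl + 18] = b"\x00\x00"
    p[ihl + 16:ihl + 18] = struct.pack("!H", 0xFFFF ^ tcp_sum(bytes(p)))
    return bytes(p)

def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: minimal IPv4/TCP SYN with valid checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return fill_checksums(ip + tcp)

def nat_rewrite(pkt: bytes, new_dst: str, update_tcp: bool) -> bytes:
    """Rewrite the destination address; optionally keep the old (stale) TCP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    fixed = fill_checksums(pkt[:16] + socket.inet_aton(new_dst) + pkt[20:])
    stale = fixed[:ihl + 16] + pkt[ihl + 16:ihl + 18] + fixed[ihl + 18:]
    return fixed if update_tcp else stale

if __name__ == "__main__":
    syn = build_syn("203.0.113.7", "198.51.100.1", 40000, 443)
    print([tcp_checksum_ok(nat_rewrite(syn, "192.168.1.10", f)) for f in (True, False)])
```

In both cases the IPv4 header checksum is valid, so a header-based filter rule still logs the packet as passed; only the TCP checksum distinguishes the packet the LAN host will accept from the one it will drop.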